[c-nsp] IOS XR LPTS is it possible to whitelist an IP address

Drew Weaver drew.weaver at thenap.com
Fri Aug 8 09:03:48 EDT 2025 

Hey,

I assumed that the reason the responses took 5.7 seconds when the requests came in over a non RP MGMT interface is because most of the requests were getting caught by the policer and timing out.

So I assumed that there was a way to specify that SNMP traffic coming from $NMS_IP shouldn't be considered 'undesirable' or 'low priority' [which is what we used to call these things in CoPP on IOS and still do on NXOS].

So I configured it like this:

lpts pifib hardware police
flow snmp rate 4294967295
!

And the condition still exists so I was obviously wrong. I also configured this:

control-plane
 management-plane
  inband
   interface all
    allow snmp peer
     address ipv4 $NMS_IP_address

and the condition still exists so I was obviously wrong.

I have no problem being wrong it happens all the time.

Thanks,
-Drew


-----Original Message-----
From: Saku Ytti <saku at ytti.fi> 
Sent: Friday, August 8, 2025 4:14 AM
To: Drew Weaver <drew.weaver at thenap.com>
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IOS XR LPTS is it possible to whitelist an IP address

I don't think so. But I'm not 100% confident.

I don't see a particular problem in the approach you chose, where you change the policer. Why are you looking into whitelisting specific IPs rather than just tune the policer?

LPTS rules are dynamically generated, there isn't "any/any -> SNMP permit" on the box. The policer should not be hit by an unknown IP address (provided you didn't explicitly allow this in your inband config), only your configured SNMP addresses should have access to the policer.

You can review what packets can reach the SNMP policer with 'show lpts pifib entry location X'.


On Thu, 7 Aug 2025 at 16:26, Drew Weaver via cisco-nsp <cisco-nsp at puck.nether.net> wrote:
>
> Okay so I've been having an issue where 60% of our SNMP polls are being gleefully dumped by an ASR9902 running IOS XR 24.4.2 due to the default hidden LPTS policer configuration (that you can't see).
>
> I'm not really here to argue about the design I'm mostly just depressed by all of that discussion at this point.
>
> What I really need to know is if it is possible to simply allow an IP address to bypass the policer for SNMP traffic?
>
> I've now asked TAC this question directly 5 times and they won't answer it.
>
> Its funny that simply using the mgmteth ports allow you to bypass all of these very important and very demure policers that need to exist otherwise the box will explode but that there doesn't appear to be any way to simply apply that same level of recklessness to inline traffic.
>
> Thanks if anyone knows.
> Lol
> -Drew
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_m
> ailman_listinfo_cisco-2Dnsp&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A
> _CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=RUrtSkTBv
> 0Xm8Sd4i9O6btjWUqWsADXynRUjfD5siWsqz1mmyaLMxhEiTuEaRRTN&s=oGFZlMI24Pva
> 1xvYiUBL8T56oqF9J7UnDCXNnq03PzA&e=
> archive at 
> https://urldefense.proofpoint.com/v2/url?u=http-3A__puck.nether.net_pi
> permail_cisco-2Dnsp_&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnV
> fiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=RUrtSkTBv0Xm8Sd4
> i9O6btjWUqWsADXynRUjfD5siWsqz1mmyaLMxhEiTuEaRRTN&s=i-8GJFn5i4OncLjB5Zq
> A4kUtLlv_hB-fIphf6SsjZG4&e=



--
  ++ytti

More information about the cisco-nsp mailing list