[c-nsp] IOS XR LPTS is it possible to whitelist an IP address

Chris Griffin cgriffin at flrnet.org
Fri Aug 8 09:05:05 EDT 2025 

Our experience has been that although the command is accepted by the parser, a very large number for the rate limit doesn’t seem to be programmed.  It's important to do the show lpts pifib hardware police | inc  SNMP to verify the rate limit was programmed as you desire.  Note the number will be slightly different than you specify.  This command also lets you see how many packets lpts dropped before hitting the snmp process.  I am guessing the default 523 rate is still there dropping snmp and the delay is due to retires, if lpts is the cause of your issue.

Tnx
Chris


From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> on behalf of Drew Weaver via cisco-nsp <cisco-nsp at puck.nether.net>
Date: Friday, August 8, 2025 at 9:05 AM
To: 'Saku Ytti' <saku at ytti.fi>
Cc: 'cisco-nsp at puck.nether.net' <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] IOS XR LPTS is it possible to whitelist an IP address

[Caution: External Email]



Hey,

I assumed that the reason the responses took 5.7 seconds when the requests came in over a non RP MGMT interface is because most of the requests were getting caught by the policer and timing out.

So I assumed that there was a way to specify that SNMP traffic coming from $NMS_IP shouldn't be considered 'undesirable' or 'low priority' [which is what we used to call these things in CoPP on IOS and still do on NXOS].

So I configured it like this:

lpts pifib hardware police
flow snmp rate 4294967295
!

And the condition still exists so I was obviously wrong. I also configured this:

control-plane
 management-plane
  inband
   interface all
    allow snmp peer
     address ipv4 $NMS_IP_address

and the condition still exists so I was obviously wrong.

I have no problem being wrong it happens all the time.

Thanks,
-Drew


-----Original Message-----
From: Saku Ytti <saku at ytti.fi>
Sent: Friday, August 8, 2025 4:14 AM
To: Drew Weaver <drew.weaver at thenap.com>
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IOS XR LPTS is it possible to whitelist an IP address

I don't think so. But I'm not 100% confident.

I don't see a particular problem in the approach you chose, where you change the policer. Why are you looking into whitelisting specific IPs rather than just tune the policer?

LPTS rules are dynamically generated, there isn't "any/any -> SNMP permit" on the box. The policer should not be hit by an unknown IP address (provided you didn't explicitly allow this in your inband config), only your configured SNMP addresses should have access to the policer.

You can review what packets can reach the SNMP policer with 'show lpts pifib entry location X'.


On Thu, 7 Aug 2025 at 16:26, Drew Weaver via cisco-nsp <cisco-nsp at puck.nether.net> wrote:
>
> Okay so I've been having an issue where 60% of our SNMP polls are being gleefully dumped by an ASR9902 running IOS XR 24.4.2 due to the default hidden LPTS policer configuration (that you can't see).
>
> I'm not really here to argue about the design I'm mostly just depressed by all of that discussion at this point.
>
> What I really need to know is if it is possible to simply allow an IP address to bypass the policer for SNMP traffic?
>
> I've now asked TAC this question directly 5 times and they won't answer it.
>
> Its funny that simply using the mgmteth ports allow you to bypass all of these very important and very demure policers that need to exist otherwise the box will explode but that there doesn't appear to be any way to simply apply that same level of recklessness to inline traffic.
>
> Thanks if anyone knows.
> Lol
> -Drew
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_m
> ailman_listinfo_cisco-2Dnsp&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A
> _CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=RUrtSkTBv
> 0Xm8Sd4i9O6btjWUqWsADXynRUjfD5siWsqz1mmyaLMxhEiTuEaRRTN&s=oGFZlMI24Pva
> 1xvYiUBL8T56oqF9J7UnDCXNnq03PzA&e=
> archive at
> https://urldefense.proofpoint.com/v2/url?u=http-3A__puck.nether.net_pi
> permail_cisco-2Dnsp_&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnV
> fiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=RUrtSkTBv0Xm8Sd4
> i9O6btjWUqWsADXynRUjfD5siWsqz1mmyaLMxhEiTuEaRRTN&s=i-8GJFn5i4OncLjB5Zq
> A4kUtLlv_hB-fIphf6SsjZG4&e=



--
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list