[j-nsp] ddos protocol protection - IPv4-unclassified

James Jun james at towardex.com
Mon Apr 10 19:31:27 EDT 2017


Thanks for the suggestions!  For the time being, I'm suspecting excessive arp
from the router creating its own DoS condition; I do see that the global arp policer
was also kicking in.  For the time being, we've put an arp policer on the customer
interface and will review the ddos-protocol protection config as suggested.



> If you manage to identify the culprit somehow (perhaps capturing NPU
> counters), only thing you can do is add ACL to the offending interface
> dropping all BGP packets, as ACL is subject to LPTS punted packets,
> even though MQC is not. For obviously you cannot do this as
> pre-emptive measure, so there is no proactive way to actually protect
> the box today.

How about LPTS Excessive Flow Trap feature?

Page 51 on https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKARC-2017.pdf
-- and --
http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-3/addr-serv/configuration/guide/b-ipaddr-cg53crs/Implementing_EPFT.html


We haven't used this feature, but supposedly it should allow policing of 'for-us'
traffic from the offending interface instead of dropping the same flow type globally on
the NP.

Should be helpful on cost optimized cards (like Wildchild LC, MOD200,
Powerglide 24x1/10G, etc.) where you have 1 NPU driving the whole card. It'll be
interesting to try out in the lab.


> And some newer IOS-XR platforms don't implement LPTS at all, even
> though you can configure it, it'll commit, and it may look casually
> like it's doing something.

Isn't this only on NCS5k/5500 series boxes, which are merchant silicon boxes
with IOS XR offering for use as cheap MPLS LSR or metro/data center use, 
more or less comparable to that of QFX5K/ACX?  I'm not sure what other XR
boxes don't support LPTS.  Aside from ASR9K, fairly sure CRS/NCS6K support it.


James
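The per-customer-interface ARP policer described in the post above, shown as an added Junos configuration example that is not the poster's own config; the interface name, policer name, addresses and rate values are assumed placeholders, and the ddos-protection ARP bucket at the end is an optional companion setting.

```junos
/* Added example, not from the thread: rate-limit ARP per customer interface so
   a single interface cannot exhaust the global ARP policer or the RE punt path.
   Interface, policer name, address and rates are assumed placeholders. */
firewall {
    policer customer-arp-policer {
        if-exceeding {
            bandwidth-limit 64k;      /* ARP punt budget for this one interface */
            burst-size-limit 10k;
        }
        then discard;                 /* excess ARP dropped at the PFE, not punted */
    }
}
interfaces {
    ge-0/0/1 {                        /* assumed customer-facing interface */
        unit 0 {
            family inet {
                policer {
                    arp customer-arp-policer;   /* applies only to ARP on this unit */
                }
                address 192.0.2.1/24;           /* documentation prefix, placeholder */
            }
        }
    }
}
/* Optional: keep the global ddos-protection ARP bucket explicit so a violation on
   one interface stays visible in 'show ddos-protection protocols arp statistics'
   rather than silently starving ARP for every other port on the same NPU. */
system {
    ddos-protection {
        protocols {
            arp {
                aggregate {
                    bandwidth 1000;           /* packets per second, assumed value */
                    burst 1000;
                }
            }
        }
    }
}
```

After commit, `show policer` shows the per-interface drop counters and `show ddos-protection protocols arp` shows whether the global bucket is still being hit once the offending interface is rate-limited.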

