Implementing LPTS

LPTS Overview

Local Packet Transport Services (LPTS) maintains tables describing all packet flows destined for the secure domain router (SDR), making sure that packets are delivered to their intended destinations.

LPTS uses two components to accomplish this task: the port arbitrator and flow managers. The port arbitrator and flow managers are processes that maintain the tables that describe packet flows for a logical router, known as the Internal Forwarding Information Base (IFIB). The IFIB is used to route received packets to the correct Route Processor for processing.

LPTS interfaces internally with all applications that receive packets from outside the router. LPTS functions without any need for customer configuration; however, the policer values can be customized if required. LPTS show commands allow customers to monitor the activity and performance of the LPTS flow managers and the port arbitrator.

LPTS Policers

In Cisco IOS XR, control packets destined for the Route Processor (RP) are policed by a set of ingress policers on the incoming ports. These policers are programmed statically during bootup by LPTS components. The policers are applied based on the flow type of the incoming control traffic, which is determined by looking at the packet headers. The policer rates for these static ingress policers are defined in a configuration file and are programmed on the route processor during bootup. You can change the policer values per flow type for this set of ingress policers, and you can configure the rate per policer per node.

Configuration Example

Configure the LPTS policer for the OSPF and BGP flow types with the following values:
  • ospf unicast default rate 200

  • bgp configured rate 200

  • bgp default rate 100

Router#configure
Router(config)#lpts pifib hardware police
Router(config-pifib-policer-global)#flow ospf unicast default rate 200
Router(config-pifib-policer-global)#flow bgp configured rate 200
Router(config-pifib-policer-global)#flow bgp default rate 100
Router(config-pifib-policer-global)#commit

Running Configuration

lpts pifib hardware police
flow ospf unicast default rate 200
flow bgp configured rate 200
flow bgp default rate 100
!

Verification

Router#show run lpts pifib hardware police
lpts pifib hardware police
flow ospf unicast default rate 200
flow bgp configured rate 200
flow bgp default rate 100

Note


The show lpts pifib hardware police location 0/RP0/CPU0 command displays pre-Internal Forwarding Information Base (IFIB) information for the designated node.


Configuration Example

Configure the LPTS policer for the OSPF and BGP flow types on a specific node (0/RP0/CPU0) with the following values:
  • ospf unicast default rate 100

  • bgp configured rate 300

Router#configure
Router(config)#lpts pifib hardware police location 0/RP0/CPU0
Router(config-pifib-policer-per-node)#flow ospf unicast default rate 100
Router(config-pifib-policer-per-node)#flow bgp configured rate 300
Router(config-pifib-policer-per-node)#commit

Running Configuration

lpts pifib hardware police location 0/RP0/CPU0
flow ospf unicast default rate 100
flow bgp configured rate 300

Verification

Router#show run lpts pifib hardware police                
lpts pifib hardware police
flow ospf unicast default rate 100
flow bgp configured rate 300
!

Configuring ACL-based LPTS Policer

The ACL-based LPTS policer is a session-based policer that provides secure network access on a per-session basis.

Benefits

These are the benefits of the ACL-based policer:

  • Rate limit incoming packets based on session.

  • Modify the policer rate depending on traffic load.

  • Block all traffic for a specific session without impacting other sessions with the same flow.


Note


  • It is recommended to have up to 10 prefixes in a single ACL. The ACEs in an ACL should be managed such that there is no overlap of prefixes.

  • Up to 50 ACL-based LPTS policers can be configured on a router.

  • In Release 6.1.1, an ACL-based LPTS policer can be attached only to LPTS entries with the default VRF.
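The guidance in the note above can be checked before a commit. The following Python linter is an added example, not part of the original documentation. It assumes ACEs written as `permit ipv4 host <addr> any` or `permit ipv4 <prefix>/<len> any`, and the sample configuration (including the rate 500 and the ACL4_UDP binding) is constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations
MAX_PREFIXES, MAX_POLICERS = 10, 50  # limits stated in the note above
ACE_RE = re.compile(r"^\s*\d+\s+permit\s+ipv4\s+(?:host\s+(\S+)|(\S+/\d+))\s")
POLICER_RE = re.compile(r"^\s*acl\s+(\S+)\s+rate\s+(\d+)\s+vrf\s+(\S+)")
# Constructed sample: ACL1_OSPF has overlapping ACEs, ACL4_UDP uses a non-default VRF.
SAMPLE = """\
ipv4 access-list ACL1_OSPF
 10 permit ipv4 host 192.168.1.5 any
 20 permit ipv4 192.168.1.0/24 any
!
ipv4 access-list ACL4_UDP
 10 permit ipv4 host 192.168.10.2 any
!
lpts pifib hardware police
 acl ACL1_OSPF rate 2000 vrf default
 acl ACL4_UDP rate 500 vrf red8
!
"""

def parse(config):
    """Return ({acl_name: [source networks]}, [(acl_name, rate, vrf)])."""
    acls, policers, current = {}, [], None
    for line in config.splitlines():
        if line.startswith("ipv4 access-list "):
            current = line.split()[2]
            acls[current] = []
        elif line.strip() == "!":
            current = None
        elif current and (m := ACE_RE.match(line)):
            acls[current].append(ipaddress.ip_network(m[1] or m[2], strict=False))
        elif m := POLICER_RE.match(line):
            policers.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, policers

def lint(config):
    """Return findings for the prefix, overlap, policer-count and VRF guidance."""
    acls, policers = parse(config)
    findings = [f"{len(policers)} policers exceed {MAX_POLICERS}"] if len(policers) > MAX_POLICERS else []
    for name, _rate, vrf in policers:
        nets = acls.get(name, [])
        if vrf != "default":
            findings.append(f"{name}: vrf {vrf} is not the default VRF")
        if len(nets) > MAX_PREFIXES:
            findings.append(f"{name}: {len(nets)} prefixes exceed {MAX_PREFIXES}")
        findings += [f"{name}: {a} overlaps {b}"
                     for a, b in combinations(nets, 2) if a.overlaps(b)]
    return findings
```
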


Configuration Example

Configure the LPTS policer for the flow types and ACL:

  • ospf unicast default rate 200

  • bgp configured rate 200

  • bgp default rate 100

  • The following ACL, named ACL1_OSPF:

    ipv4 access-list ACL1_OSPF
    10 permit ipv4 host 192.168.1.5 any
    !
    
Router#configure
Router(config)#lpts pifib hardware police

/* Map ACL to the LPTS policer */
Router(config-pifib-policer-global)#acl ACL1_OSPF rate 2000 vrf default
Router(config-pifib-policer-global)#commit

Running Configuration

lpts pifib hardware police
acl ACL1_OSPF rate 2000 vrf default
!

Verification

Use the following command to display ACL-based LPTS policer configuration:

Router#show running-config lpts pifib hardware police acl ACL1_OSPF
lpts pifib hardware police
acl ACL1_OSPF rate 2000 vrf default
!

Use the following command to display the ACL-based LPTS policer entries attached to matching entries:

Router#show lpts pifib hardware entry statistics location 0/RP0/CPU0

Offset NPU L3 VRD id L4 Intf Dest Pkts/Drops laddr,Port raddr,Port acl name
------ ---------- ---- ------------ ------ --------------- ----------- ---------------- --------------------- -----------------------------------
37 0 [0] IPV4 * any any Local 0/0 any,any any,any
38 0 [1] IPV4 * any any Local 0/0 any,any any,any
39 0 [2] IPV4 * any any Local 0/0 any,any any,any
40 0 [3] IPV4 * any any Local 0/0 any,any any,any
8132 0 [0] CLNS * - OptV2 Local 3229408/0 - -
-1 0 [1] CLNS * - OptV2 Local any - -
-1 0 [2] CLNS * - OptV2 Local any - -
-1 0 [3] CLNS * - OptV2 Local any - -
117 0 [0] CLNS * - any Local 3229408/0 - -
-1 0 [1] CLNS * - any Local any - -
-1 0 [2] CLNS * - any Local any - -
-1 0 [3] CLNS * - any Local any - -
187 0 [0] IPV4 * ICMP any Local 0/0 any,8 any,ECHO ACL3_ICMP
188 0 [1] IPV4 * ICMP any Local 0/0 any,8 any,ECHO ACL3_ICMP
189 0 [2] IPV4 * ICMP any Local 0/0 any,8 any,ECHO ACL3_ICMP
190 0 [3] IPV4 * ICMP any Local 0/0 any,8 any,ECHO ACL3_ICMP
8963 0 [0] IPV4 default UDP OptV2 Local 22588/0 192.168.10.2,646 any,any ACL4_UDP
8964 0 [1] IPV4 default UDP OptV2 Local 22590/0 192.168.10.2,646 any,any ACL4_UDP
8965 0 [2] IPV4 default UDP OptV2 Local 0/0 192.168.10.2,646 any,any ACL4_UDP
8966 0 [3] IPV4 default UDP OptV2 Local 0/0 192.168.10.2,646 any,any ACL4_UDP
8206 0 [0] IPV4 default IGMP OptV2 Local 229400/0 192.168.10.1,any any,na
8207 0 [1] IPV4 default IGMP OptV2 Local 176043/0 192.168.10.1,any any,na
8208 0 [2] IPV4 default IGMP OptV2 Local 97608/0 192.168.10.1,any any,na
8209 0 [3] IPV4 default IGMP OptV2 Local 0/0 192.168.10.1,any any,na
8210 0 [0] IPV4 default IGMP OptV2 Local 502237/0 192.168.10.22,any any,na
8211 0 [1] IPV4 default IGMP OptV2 Local 176725/0 192.168.10.22,any any,na
8212 0 [2] IPV4 default IGMP OptV2 Local 97981/0 192.168.10.22,any any,na
8213 0 [3] IPV4 default IGMP OptV2 Local 0/0 192.168.10.22,any any,na
8214 0 [0] IPV4 default IGMP OptV2 Local 0/0 192.168.10.2,any any,na
8215 0 [1] IPV4 default IGMP OptV2 Local 0/0 192.168.10.2,any any,na
8216 0 [2] IPV4 default IGMP OptV2 Local 0/0 192.168.10.2,any any,na
8217 0 [3] IPV4 default IGMP OptV2 Local 0/0 192.168.10.2,any any,na
8222 0 [0] IPV4 default PIM OptV2 Local 998670/0 192.168.10.13,any any,any
8223 0 [1] IPV4 default PIM OptV2 Local 350812/0 192.168.10.13,any any,any
8224 0 [2] IPV4 default PIM OptV2 Local 194527/0 192.168.10.13,any any,any
8225 0 [3] IPV4 default PIM OptV2 Local 0/0 192.168.10.13,any any,any
8279 0 [0] IPV4 default OSPF OptV2 Local 846248/0 192.168.10.5,any any,any ACL1_OSPF
8280 0 [1] IPV4 default OSPF OptV2 Local 962717/0 192.168.10.5,any any,any ACL1_OSPF
8281 0 [2] IPV4 default OSPF OptV2 Local 421169/0 192.168.10.5,any any,any ACL1_OSPF
8282 0 [3] IPV4 default OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8283 0 [0] IPV4 default OSPF OptV2 Local 1/0 192.168.10.6,any any,any
8284 0 [1] IPV4 default OSPF OptV2 Local 101/0 192.168.10.6,any any,any
8285 0 [2] IPV4 default OSPF OptV2 Local 25/0 192.168.10.6,any any,any
8286 0 [3] IPV4 default OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8339 0 [0] IPV4 red8 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8340 0 [1] IPV4 red8 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8341 0 [2] IPV4 red8 OSPF OptV2 Local 11099/0 192.168.10.5,any any,any ACL1_OSPF
8342 0 [3] IPV4 red8 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8343 0 [0] IPV4 red8 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8344 0 [1] IPV4 red8 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8345 0 [2] IPV4 red8 OSPF OptV2 Local 2/0 192.168.10.6,any any,any
8346 0 [3] IPV4 red8 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8363 0 [0] IPV4 red7 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8364 0 [1] IPV4 red7 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8365 0 [2] IPV4 red7 OSPF OptV2 Local 11099/0 192.168.10.5,any any,any ACL1_OSPF
8366 0 [3] IPV4 red7 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8367 0 [0] IPV4 red7 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8368 0 [1] IPV4 red7 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8369 0 [2] IPV4 red7 OSPF OptV2 Local 2/0 192.168.10.6,any any,any
8370 0 [3] IPV4 red7 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8375 0 [0] IPV4 red6 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8376 0 [1] IPV4 red6 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8377 0 [2] IPV4 red6 OSPF OptV2 Local 11103/0 192.168.10.5,any any,any ACL1_OSPF
8378 0 [3] IPV4 red6 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8379 0 [0] IPV4 red6 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8380 0 [1] IPV4 red6 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8381 0 [2] IPV4 red6 OSPF OptV2 Local 2/0 192.168.10.6,any any,any
8382 0 [3] IPV4 red6 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8391 0 [0] IPV4 red5 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8392 0 [1] IPV4 red5 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8393 0 [2] IPV4 red5 OSPF OptV2 Local 11104/0 192.168.10.5,any any,any ACL1_OSPF
8394 0 [3] IPV4 red5 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8395 0 [0] IPV4 red5 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8396 0 [1] IPV4 red5 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8397 0 [2] IPV4 red5 OSPF OptV2 Local 2/0 192.168.10.6,any any,any
8398 0 [3] IPV4 red5 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8411 0 [0] IPV4 red4 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8412 0 [1] IPV4 red4 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8413 0 [2] IPV4 red4 OSPF OptV2 Local 11101/0 192.168.10.5,any any,any ACL1_OSPF
8414 0 [3] IPV4 red4 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8415 0 [0] IPV4 red4 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8416 0 [1] IPV4 red4 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8417 0 [2] IPV4 red4 OSPF OptV2 Local 2/0 192.168.10.6,any any,any
8418 0 [3] IPV4 red4 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8427 0 [0] IPV4 red3 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8428 0 [1] IPV4 red3 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8429 0 [2] IPV4 red3 OSPF OptV2 Local 11107/0 192.168.10.5,any any,any ACL1_OSPF
8430 0 [3] IPV4 red3 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8431 0 [0] IPV4 red3 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8432 0 [1] IPV4 red3 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8433 0 [2] IPV4 red3 OSPF OptV2 Local 2/0 192.168.10.6,any any,any
8434 0 [3] IPV4 red3 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8439 0 [0] IPV4 red1 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8440 0 [1] IPV4 red1 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8441 0 [2] IPV4 red1 OSPF OptV2 Local 11099/0 192.168.10.5,any any,any ACL1_OSPF
8442 0 [3] IPV4 red1 OSPF OptV2 Local 0/0 192.168.10.5,any any,any ACL1_OSPF
8443 0 [0] IPV4 red1 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8444 0 [1] IPV4 red1 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8445 0 [2] IPV4 red1 OSPF OptV2 Local 2/0 192.168.10.6,any any,any
8446 0 [3] IPV4 red1 OSPF OptV2 Local 0/0 192.168.10.6,any any,any
8218 0 [0] IPV4 default IGMP OptV2 Local 0/0 any,any any,na
8219 0 [1] IPV4 default IGMP OptV2 Local 0/0 any,any any,na
8220 0 [2] IPV4 default IGMP OptV2 Local 0/0 any,any any,na
8221 0 [3] IPV4 default IGMP OptV2 Local 0/0 any,any any,na
8275 0 [0] IPV4 default OSPF OptV2 Local 7/0 any,any any,any
8276 0 [1] IPV4 default OSPF OptV2 Local 1752/0 any,any any,any
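
For monitoring, the per-NPU rows of this output can be rolled up per session to show which sessions carry an ACL-based policer and which are dropping packets. The following Python parser is an added example, not part of the original documentation. It assumes whitespace-separated fields in the positions shown above (bracketed NPU index third, Pkts/Drops ninth, ACL name last), and the sample rows, including the drop count of 120, are constructed.

```python
from collections import defaultdict

# Constructed sample in the layout of the output above; the drop count is invented.
SAMPLE = """\
Offset NPU L3 VRD id L4 Intf Dest Pkts/Drops laddr,Port raddr,Port acl name
8279 0 [0] IPV4 default OSPF OptV2 Local 846248/0 192.168.10.5,any any,any ACL1_OSPF
8280 0 [1] IPV4 default OSPF OptV2 Local 962717/120 192.168.10.5,any any,any ACL1_OSPF
8283 0 [0] IPV4 default OSPF OptV2 Local 1/0 192.168.10.6,any any,any
8284 0 [1] IPV4 default OSPF OptV2 Local 101/0 192.168.10.6,any any,any
-1 0 [1] CLNS * - OptV2 Local any - -
"""

def parse_rows(text):
    """Yield one dict per data row; header, ruler and blank lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].lstrip("-").isdigit():
            continue
        pkts, _, drops = f[8].partition("/")
        if not (pkts.isdigit() and drops.isdigit()):
            continue  # rows that show "any" instead of counters carry no statistics
        yield {"npu": f[2], "vrf": f[4], "l4": f[5], "laddr": f[9],
               "acl": f[11] if len(f) > 11 else "",  # empty when no ACL policer is attached
               "pkts": int(pkts), "drops": int(drops)}

def summarize(text):
    """Sum [accepted, dropped] per (vrf, l4, laddr, acl) across NPU instances."""
    totals = defaultdict(lambda: [0, 0])
    for r in parse_rows(text):
        key = (r["vrf"], r["l4"], r["laddr"], r["acl"])
        totals[key][0] += r["pkts"]
        totals[key][1] += r["drops"]
    return dict(totals)

def dropping_sessions(text):
    """Return the sessions whose policer has dropped at least one packet."""
    return sorted(k for k, (_p, d) in summarize(text).items() if d > 0)

if __name__ == "__main__":
    for key, (pkts, drops) in summarize(SAMPLE).items():
        print(key, "accepted:", pkts, "dropped:", drops)
```
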