
CCIE Security V4 Technology Labs Section 1: System Hardening and Availability

Selective Packet Discard
Last updated: May 3, 2013
Task
Load the configuration files for this task.
Enable Selective Packet Discard on R1 in aggressive mode.
Increase R1's input queue size on its link to VLAN 13 to twice the default.
Increase the amount of the memory headroom for IGP packets to 150 buffers.
Set the headroom for BGP packets to 120 packets.
Start dropping low-priority packets randomly when the input queue is 50% full.
Explanation and Verification
Selective Packet Discard (SPD) is a queue management technique for interface input queueing. The
SPD commands are hidden in the IOS parser, but you can see them in the running configuration
after you enter them. By default, SPD is enabled in normal mode. The following is the list of SPD
commands:
spd enable
spd headroom <N>
spd extended-headroom <N>
ip spd mode aggressive
ip spd queue threshold minimum <value> maximum <value>
Every physical interface has an input FIFO queue. The router uses this queue to buffer packets
going to the route processor. Usually these packets are control plane packets, such as Layer 2
keepalives (HDLC/PPP keepalives), IGP packets (OSPF, IS-IS, etc.), and BGP packets.
The routing protocol packets are classified based on their default IP precedence of 6 or higher. In
addition to control plane packets, the input queue holds other packets destined to the route
processor, such as packets with an expired TTL, wrong header length, wrong checksum, or
non-existent local UDP port numbers. The latter packets are malformed, in the sense that they
require the router to generate an ICMP error message in response. The input queue also holds
packets that are to be process-switched, which is uncommon on modern CEF-based systems.

SPD input queueing is desirable for a number of reasons. The first is control plane security. It's
possible to block the router's input queue with a high rate of malformed packets, which effectively
blocks legitimate routing traffic. The result is a control plane DoS against the router. The next
reason is separation of Layer 2 keepalive, IGP, and BGP traffic. Large BGP tables generate
considerably large updates. These updates could potentially block the input queue for some time,
preventing the router from receiving keepalive packets or IGP updates. This may result in IGP
adjacency flapping or Layer 2 link loss reports. The third reason is due to issues with process
switching. If for some reason CEF is disabled, the IP INPUT process can result in regular IP traffic
blocking the input queues, causing a loss of the control plane. SPD prevents this through input
drops.

So how does SPD work? First, the input queue consists of two parts. One part is the regular hold
queue, which is visible through the show interface command, and the other part is the priority
queue, which stores routing updates and keepalives. The processor serves the priority queue first
until it is empty, and then switches to the regular hold queue. Additionally, the priority queue
consists of two parts, the SPD Headroom and the SPD Extended Headroom. The Extended
Headroom queue is emptied before the SPD Headroom in a priority manner. Specifically, input
packets are queued as follows:
Layer 2 keepalives and IGP packets go to the SPD Extended Headroom. If there is no space
available in the SPD Extended Headroom, packets go to the SPD Headroom. As a last resort, if
both the Extended Headroom and Headroom are full, these packets go to the regular Hold Queue.
BGP updates go directly to the SPD Headroom. If the SPD Headroom is full, BGP packets hit the
Hold Queue.
All other IP packets (malformed or process-switched) go to the Hold Queue.
The result is that L2 keepalive/IGP packets are serviced first, BGP next, and other packets last.
Although the Hold Queue is FIFO, it uses the RED drop procedure. Two thresholds (Minimum and
Maximum) set for the hold queue define the random drop behavior. If the current hold queue length
is less than the Minimum Threshold, packets are never dropped. If the queue length grows beyond
Minimum, but is less than Maximum, every new packet is randomly dropped with a probability
proportional to queue depth:
Prob = (QueueDepth - MinimumThresh) / (MaximumThresh - MinimumThresh)
If the queue depth is above the Maximum Threshold, SPD drops every new incoming packet.
Note the important fact that SPD thresholds are global for all queues. SPD computes Min and Max
thresholds based on the lowest hold-queue size in the system. Therefore, if you set the hold queue
size lower on some interfaces, you will affect all other interface drop thresholds.
Finally, SPD has two modes of operation: normal and aggressive. They differ in their treatment of
malformed packets (packets that require the router to generate ICMP responses). When SPD is set
to normal mode (the default), it treats malformed packets as it would all regular IP packets: it
places them in the hold queue, subject to random drop. However, in aggressive mode, the
malformed packets are dropped as soon as the hold queue grows above the minimum threshold.
Effectively, SPD aggressive mode replaces the random drop for malformed packets with an
unconditional drop. SPD can be configured and verified as follows.
R1:
R1#
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#spd extended-headroom 150
R1(config)#spd headroom 120
R1(config)#ip spd mode aggressive
R1(config)#ip spd queue threshold minimum 75 maximum 150
R1(config)#int g0/0
R1(config-if)# hold-queue 150 in
R1(config-if)#
To verify, we can check the input queue size and the SPD settings using the following two show
commands.
R1#show interface GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 0007.7d3d.94e8 (bia 0007.7d3d.94e8)
Internet address is 136.1.13.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 248/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 100Mbps, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 57/150/76/34987 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
<output omitted>
R1#show ip spd
Current mode: normal.
Queue min/max thresholds: 75/150, Headroom: 120, Extended Headroom: 150
IP normal queue: 28, priority queue: 0.
SPD special drop mode: aggressively drop bad packets
R1#
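As an added example (not part of the lab text), the following Python model captures the queueing rules and the RED drop formula described above: the extended headroom / headroom / hold queue order, the BGP-to-headroom rule, and the aggressive-mode treatment of malformed packets. The numeric defaults are the values configured on R1 in this task; the packet class names, the `enqueue()` API and the caller-supplied random sample (so the RED decision is reproducible) are the model's own assumptions.

```python
# Toy model of Cisco IOS Selective Packet Discard (SPD) input queueing. Added
# example, not from the lab text; defaults mirror the task's configured values.
from dataclasses import dataclass, field

L2_OR_IGP = "l2_or_igp"  # keepalives, OSPF, IS-IS ... (IP precedence >= 6)
BGP = "bgp"
MALFORMED = "malformed"  # expired TTL, bad checksum ... needs an ICMP reply
OTHER = "other"          # ordinary process-switched IP traffic

def drop_probability(depth, min_thresh, max_thresh):
    """RED drop probability for a hold queue at the given depth."""
    if depth < min_thresh:
        return 0.0
    if depth >= max_thresh:
        return 1.0
    return (depth - min_thresh) / (max_thresh - min_thresh)

@dataclass
class Spd:
    headroom: int = 120       # spd headroom 120
    ext_headroom: int = 150   # spd extended-headroom 150
    hold_queue: int = 150     # hold-queue 150 in
    min_thresh: int = 75      # ip spd queue threshold minimum 75 maximum 150
    max_thresh: int = 150
    aggressive: bool = True   # ip spd mode aggressive
    depth: dict = field(default_factory=lambda: {"ext": 0, "head": 0, "hold": 0})

    def _try(self, queue, limit):  # take one slot in `queue` if it has room
        if self.depth[queue] >= limit:
            return False
        self.depth[queue] += 1
        return True

    def enqueue(self, pkt_class, rand):
        """Place one packet and return the queue it landed in, or 'drop'.
        `rand` is a caller-supplied uniform [0,1) sample for the RED decision."""
        priority = {L2_OR_IGP: [("ext", self.ext_headroom), ("head", self.headroom)],
                    BGP: [("head", self.headroom)]}.get(pkt_class, [])
        for queue, limit in priority:   # priority queues, strictly in this order
            if self._try(queue, limit):
                return queue
        hold = self.depth["hold"]       # everything else, and overflow, lands here
        if pkt_class == MALFORMED and self.aggressive and hold > self.min_thresh:
            return "drop"               # aggressive mode: unconditional above Min
        if hold >= self.hold_queue or rand < drop_probability(
                hold, self.min_thresh, self.max_thresh):
            return "drop"               # hold queue full, or RED random drop
        self.depth["hold"] += 1
        return "hold"
```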
