selective packet discard

Upload: nandan-bisht

Post on 15-Oct-2015


CCIE Security V4 Technology Labs Section 1: System Hardening and Availability

Selective Packet Discard

Last updated: May 3, 2013

Task

Load the configuration files for this task.

Enable Selective Packet Discard on R1 in aggressive mode.

Increase R1's input queue size on its link to VLAN 13 to twice the default.

Increase the amount of memory headroom for IGP packets to 150 buffers.

Set the headroom for BGP packets to 120 packets.

Start dropping low-priority packets randomly when the input queue is 50% full.

Explanation and Verification

Selective Packet Discard (SPD) is a queue management technique for interface input queueing. The SPD commands are hidden in the IOS parser, but you can see them in the running configuration after you enter them. By default, SPD is enabled in Normal mode. The following is the list of SPD commands:

    spd enable
    spd headroom
    spd extended-headroom
    ip spd mode aggressive
    ip spd queue threshold minimum maximum

Every physical interface has an input FIFO queue. The router uses this queue to buffer packets going to the route processor. Usually these packets include control plane packets, such as Layer 2 keepalives (HDLC/PPP keepalives), IGP packets (OSPF, IS-IS, etc.), and BGP packets. The routing protocol packets are classified based on their default IP precedence of 6 or higher. In addition to control plane packets, the input queue holds other packets destined to the route processor, such as packets with an expired TTL, wrong header length, wrong checksum, or non-existent local UDP port numbers. The latter packets are malformed, in the sense that they require the router to generate an ICMP error message in response. The input queue also holds packets that are to be process-switched, which is uncommon on modern CEF-based systems.

SPD input queueing is desirable for a number of reasons. The first is control plane security. It's possible to block the router's input queue with a high rate of malformed packets, which effectively blocks legitimate routing traffic. The result is a control plane DoS against the router. The next reason is Layer 2 keepalive, IGP, and BGP traffic separation. Large BGP tables generate considerably large updates. These updates could potentially block the input queue for some time, preventing the router from receiving keepalive packets or IGP updates. This may result in IGP adjacency flapping or Layer 2 link loss reports. The third reason is due to issues with process switching. If for some reason CEF is disabled, the IP INPUT process can result in regular IP traffic blocking the input queues, causing a loss of the control plane. SPD prevents this through input drops.

So how does SPD work? First, the input queue consists of two parts. One part is the regular hold queue, which is visible through the show interface command, and the other part is the priority queue, which stores routing updates and keepalives. The processor serves the priority queue first until it is empty, and then switches to the regular hold queue. Additionally, the priority queue consists of two parts, the SPD Headroom and the SPD Extended Headroom. The Extended Headroom queue is emptied before the SPD Headroom in a priority manner. Specifically, input packets are queued as follows:

Layer 2 keepalives and IGP packets go to the SPD Extended Headroom. If there is no space available in the SPD Extended Headroom, these packets go to the SPD Headroom. As a last resort, if both the Extended Headroom and the Headroom are full, they go to the regular Hold Queue.

BGP updates go directly to the SPD Headroom. If the SPD Headroom is full, BGP packets hit the Hold Queue.

All other IP packets (malformed or process-switched) go to the Hold Queue.

The result is that L2 keepalive/IGP packets are serviced first, BGP next, and other packets last.

Although the Hold Queue is FIFO, it uses the RED drop procedure. Two thresholds (Minimum and Maximum) set for the hold queue define the random drop behavior. If the current hold queue length is less than the Minimum Threshold, packets are never dropped. If the queue length grows beyond Minimum, but is less than Maximum, every new packet is randomly dropped with a probability proportional to the queue depth:

    Prob = (QueueDepth - MinimumThresh) / (MaximumThresh - MinimumThresh)

If the queue depth is above the Maximum Threshold, SPD drops every new incoming packet.

Note the important fact that SPD thresholds are global for all queues. SPD computes the Min and Max thresholds based on the lowest hold-queue size in the system. Therefore, if you set the hold queue size lower on some interfaces, you will affect the drop thresholds of all other interfaces.

Finally, SPD has two modes of operation: normal and aggressive. They differ in their treatment of malformed packets (packets that require the router to generate ICMP responses). When SPD is set for normal mode (the default), it treats malformed packets as it would all regular IP packets; it places them in the hold queue, subject to random drop. However, in aggressive mode, malformed packets are dropped as soon as the hold queue grows above the minimum threshold. Effectively, SPD aggressive mode replaces the random drop for malformed packets with an unconditional drop. SPD can be configured and verified as follows.

R1:

    R1#
    R1#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    R1(config)#spd extended-headroom 150
    R1(config)#spd headroom 120
    R1(config)#ip spd mode aggressive
    R1(config)#ip spd queue threshold minimum 75 maximum 150
    R1(config)#int g0/0
    R1(config-if)# hold-queue 150 in
    R1(config-if)#

To verify, we can check the input queue size and the SPD settings using the following two show commands. The "Input queue" line of show interface reports size/max/drops/flushes, so the max field confirms the new hold-queue size. Note that the "Current mode" line of show ip spd reports the queue's current drop state (normal, random drop, or full drop) rather than the configured mode; the aggressive setting is reflected in the "SPD special drop mode" line.

    R1#show interface GigabitEthernet 0/0
    GigabitEthernet0/0 is up, line protocol is up
    Hardware is CN Gigabit Ethernet, address is 0007.7d3d.94e8 (bia 0007.7d3d.94e8)
    Internet address is 136.1.13.1/24
    MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
    reliability 255/255, txload 1/255, rxload 248/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full Duplex, 100Mbps, media type is RJ45
    output flow-control is unsupported, input flow-control is unsupported
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 00:00:00, output 00:00:01, output hang never
    Last clearing of "show interface" counters never
    Input queue: 57/150/76/34987 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo

    R1#show ip spd
    Current mode: normal.
    Queue min/max thresholds: 75/150, Headroom: 120, Extended Headroom: 150
    IP normal queue: 28, priority queue: 0.
    SPD special drop mode: aggressively drop bad packets
    R1#
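To make the queueing rules, the RED drop probability and the normal/aggressive difference from the explanation concrete, here is an added Python model of them. It is a constructed example written for this page, not Cisco IOS code or the workbook's own; the packet "kind" labels, the queue sizes (taken from the lab task where the page gives them, otherwise assumed) and the malformed-packet flood scenario are assumptions.

```python
"""Model of the SPD queueing and drop rules described in the explanation.

Constructed example, not Cisco IOS code: packet 'kind' labels, the assumed
default sizes and the flood scenario are illustrative assumptions.
"""
import random
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    # "l2keep", "igp", "bgp", "malformed" (would need an ICMP error), or "ip"
    kind: str


@dataclass
class SpdRouter:
    extended_headroom: int = 10   # spd extended-headroom (assumed default)
    headroom: int = 100           # spd headroom (assumed default)
    hold_queue: int = 75          # hold-queue <n> in; 75 is the default the task doubles
    min_thresh: int = 73          # ip spd queue threshold minimum (assumed)
    max_thresh: int = 74          # ip spd queue threshold maximum (assumed)
    aggressive: bool = False      # ip spd mode aggressive
    ext_q: deque = field(default_factory=deque)
    head_q: deque = field(default_factory=deque)
    hold_q: deque = field(default_factory=deque)
    drops: dict = field(default_factory=lambda: {"random": 0, "full": 0, "aggressive": 0})

    def drop_probability(self) -> float:
        """RED-style probability from the text: 0 below Min, 1 at or above
        Max, and linear in the hold-queue depth between the two thresholds."""
        depth = len(self.hold_q)
        if depth < self.min_thresh:
            return 0.0
        if depth >= self.max_thresh:
            return 1.0
        return (depth - self.min_thresh) / (self.max_thresh - self.min_thresh)

    def enqueue(self, pkt: Packet, rng=None) -> str:
        """Queue pkt by the SPD rules; return the queue it landed on or the drop reason."""
        if pkt.kind in ("l2keep", "igp"):
            # Extended Headroom first, then Headroom, then the Hold Queue as a last resort
            if len(self.ext_q) < self.extended_headroom:
                self.ext_q.append(pkt)
                return "extended-headroom"
            if len(self.head_q) < self.headroom:
                self.head_q.append(pkt)
                return "headroom"
        elif pkt.kind == "bgp":
            # BGP goes straight to Headroom, falling back to the Hold Queue
            if len(self.head_q) < self.headroom:
                self.head_q.append(pkt)
                return "headroom"
        # All other IP packets (and priority-queue overflow) hit the Hold Queue
        depth = len(self.hold_q)
        if pkt.kind == "malformed" and self.aggressive and depth > self.min_thresh:
            # Aggressive mode: unconditional drop once the queue is above Min
            self.drops["aggressive"] += 1
            return "drop:aggressive"
        prob = self.drop_probability()
        if depth >= self.hold_queue or prob >= 1.0:
            self.drops["full"] += 1
            return "drop:full"
        if (rng or random).random() < prob:
            self.drops["random"] += 1
            return "drop:random"
        self.hold_q.append(pkt)
        return "hold-queue"

    def dequeue(self):
        """Service order: Extended Headroom, then Headroom, then the Hold Queue."""
        for q in (self.ext_q, self.head_q, self.hold_q):
            if q:
                return q.popleft()
        return None


def flood_demo(aggressive: bool, n_bad: int = 200, seed: int = 7) -> dict:
    """Offer R1 (sized as in the lab task) a flood of malformed packets, then
    one IGP and one BGP packet, and report where everything ended up."""
    r = SpdRouter(extended_headroom=150, headroom=120, hold_queue=150,
                  min_thresh=75, max_thresh=150, aggressive=aggressive)
    rng = random.Random(seed)
    outcome: dict = {}
    for _ in range(n_bad):
        res = r.enqueue(Packet("malformed"), rng)
        outcome[res] = outcome.get(res, 0) + 1
    # Control plane traffic still bypasses the congested Hold Queue
    outcome["igp"] = r.enqueue(Packet("igp"), rng)
    outcome["bgp"] = r.enqueue(Packet("bgp"), rng)
    outcome["hold_depth"] = len(r.hold_q)
    outcome["served_first"] = r.dequeue().kind
    return outcome


if __name__ == "__main__":
    for mode in (False, True):
        print("aggressive" if mode else "normal", flood_demo(mode))
```

In aggressive mode the flood is cut off deterministically once the hold queue passes the minimum threshold, so the hold queue never fills and the IGP and BGP packets still land on their priority queues; in normal mode the same flood is thinned only probabilistically and the hold queue keeps growing toward the maximum, which is the control plane exposure the explanation describes.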