Because a dynamic services data trigger capture-sap potentially forwards every valid Ethernet frame to the control plane for authentication, control plane protection mechanisms are required to prevent overload conditions.
capture-sap data trigger packet throttling (frames dropped at IOM)
The number of data trigger packets sent to the control plane via the ingress forwarding complex is rate-limited based on a hash that uses the SAP ID, outer tag, and inner tag as the key. For each hash result, a maximum of one frame is forwarded to the control plane.
This throttling mechanism is always enabled and has no configuration options. It guarantees fairness between different encapsulations while limiting the frame rate sent to the control plane: a flood from one encapsulation cannot consume the budget of the others.
Blocking VLANs from authenticating (frames dropped at the IOM)
This can be achieved by applying an ingress MAC filter of type VID to the capture-sap. In the example below, frames with encapsulation 1/1/4:1214.20 are dropped by the VID filter: the capture SAP 1/1/4:1214.* fixes the outer tag 1214, so the entry outer-tag 20 4095 is matched against the following tag (20), and the mask 4095 (0xFFF) makes this an exact match on the 12-bit VLAN ID.
configure
    service
        vpls <service-id> customer <customer-id>
            sap 1/1/4:1214.* capture-sap
                dynamic-services
                    dynamic-services-policy <dynsvc-policy-name>
                    no shutdown
                exit
                ingress
                    filter mac 10
                exit
            exit
        exit
    exit
    filter
        mac-filter 10 create
            default-action forward
            type vid
            entry 10 create
                match frame-type ethernet_II
                    outer-tag 20 4095
                exit
                action
                    drop
                exit
            exit
        exit
    exit
Dynamic service data trigger rate limiting in the control plane (frames dropped at the CPM)
An overall rate limit of dynamic service data triggers limits the number of frames that come from the different IOMs to an acceptable rate for the control plane to handle.
Control plane rate-limiting for dynamic service data triggers is always enabled and has no configuration options.
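The following Python model ties the three drop points described above together (the VID MAC filter and the per-encapsulation hash throttle at the IOM, then the overall data trigger rate limit at the CPM) so that their combined effect on a flood can be reasoned about. It is an added illustration, not SR OS code: the throttle window (one second), the CPM budget (five frames per second) and the order of the stages are assumptions, because the text documents the hash key and the existence of the limits but not their rates. The traffic is constructed.

```python
"""Model of the three data-trigger drop points on a capture SAP: the VID MAC
filter and the per-encapsulation hash throttle (IOM), then the overall CPM
rate limit.  Illustration only, not SR OS code; window, CPM budget and stage
order are assumptions (the page gives the keys and the limits, not the rates)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    sap: str        # capture SAP the frame arrived on, e.g. "1/1/4:1214.*"
    tags: tuple     # VLAN tags left after the capture SAP's fixed tag(s)
    t: float        # arrival time in seconds


def vid_match(vid: int, value: int, mask: int = 4095) -> bool:
    """VID filter entry semantics: only the bits set in the 12-bit mask are
    compared, so 'outer-tag 20 4095' is an exact match on VID 20 while
    'outer-tag 16 4080' would match VIDs 16 to 31."""
    return (vid & mask) == (value & mask)


def vid_filter_drops(frame: Frame, entries) -> bool:
    """IOM stage 1.  The capture SAP 1/1/4:1214.* fixes tag 1214, so the entry's
    outer-tag is compared against the next tag (20 for encapsulation 1214.20)."""
    return bool(frame.tags) and any(vid_match(frame.tags[0], v, m) for v, m in entries)


class HashThrottle:
    """IOM stage 2: one frame per (sap, outer tag, inner tag) key per window.
    The window length is an assumption; SR OS documents the key, not the period."""

    def __init__(self, window: float):
        self.window = window
        self.last = {}                  # key -> time of the last forwarded frame

    def allow(self, frame: Frame) -> bool:
        outer = frame.tags[0] if frame.tags else None
        inner = frame.tags[1] if len(frame.tags) > 1 else None
        key = (frame.sap, outer, inner)
        t0 = self.last.get(key)
        if t0 is not None and frame.t - t0 < self.window:
            return False
        self.last[key] = frame.t
        return True


class CpmLimit:
    """CPM stage 3: one budget shared by all IOMs, modelled as a fixed window of
    `rate` frames per second (the real budget is neither configurable nor stated)."""

    def __init__(self, rate: int):
        self.rate = rate
        self.count = defaultdict(int)   # second -> frames already accepted

    def allow(self, frame: Frame) -> bool:
        slot = int(frame.t)
        if self.count[slot] >= self.rate:
            return False
        self.count[slot] += 1
        return True


def process(frames, blocked, window=1.0, cpm_rate=5):
    """Run frames through the three stages; return per-stage drop counts and the
    tags of the frames that actually reach authentication."""
    throttle, cpm = HashThrottle(window), CpmLimit(cpm_rate)
    stats = {"vid_filter": 0, "hash_throttle": 0, "cpm_limit": 0, "authenticated": []}
    for f in sorted(frames, key=lambda fr: fr.t):
        if vid_filter_drops(f, blocked):
            stats["vid_filter"] += 1
        elif not throttle.allow(f):
            stats["hash_throttle"] += 1
        elif not cpm.allow(f):
            stats["cpm_limit"] += 1
        else:
            stats["authenticated"].append(f.tags)
    return stats


SAP = "1/1/4:1214.*"
BLOCKED = [(20, 4095)]      # mac-filter 10 entry 10: outer-tag 20 4095, action drop


def single_encap_flood():
    """Constructed traffic: 1000 frames in one second from encap 1214.101, plus
    one frame each from 1214.102, 1214.103 and the blocked 1214.20."""
    frames = [Frame(SAP, (101,), i / 1000) for i in range(1000)]
    frames += [Frame(SAP, (102,), 0.3), Frame(SAP, (103,), 0.6), Frame(SAP, (20,), 0.9)]
    return process(frames, BLOCKED)


def many_encap_flood():
    """Constructed traffic: 3900 frames in one second, each on its own inner VID,
    so the per-key throttle passes all of them and only the CPM budget holds."""
    frames = [Frame(SAP, (v,), v / 4000) for v in range(100, 4000)]
    return process(frames, BLOCKED)


if __name__ == "__main__":
    for name, fn in (("single encap", single_encap_flood), ("many encaps", many_encap_flood)):
        s = fn()
        print(name, {k: (len(v) if k == "authenticated" else v) for k, v in s.items()})
```

The two scenarios show why both IOM mechanisms and the CPM limit are needed: a flood from a single encapsulation is cut to one frame by the hash throttle and the other subscribers still authenticate, whereas a flood that varies the inner tag yields a new key per frame, passes the throttle untouched, and is only held by the overall CPM budget, which then also starves legitimate triggers. That second case is where a VID filter on the capture SAP (or the host lockout described below) limits the damage.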
Using a lockout mechanism to protect the RADIUS infrastructure from overload caused by permanently failing authentications or Python script errors
The existing Enhanced Subscriber Management (ESM) host lockout mechanism can be enabled on a dynamic services data trigger capture-sap.
The dynamic services data trigger SAP ID is used as the key for the host-lockout context. A host-lockout context is created whenever a data trigger is deleted for one of the following reasons:
- Authentication failures: RADIUS Access-Reject, RADIUS Access-Accept with a wrong or missing data trigger SAP ID, timeout, local authentication lookup failure, or local authentication returning a wrong or no data trigger SAP ID.
- No data trigger SAP created within the configured dynamic services Access-Accept setup timeout (30 seconds by default):
  configure service dynamic-services timers setup-timeout access-accept <timeout>
- A dynamic services Python script failure.
- A clear command on a data trigger:
  clear service dynamic-services data-trigger sap <sap-id>
- A tear-down of a data trigger initiated via a CoA or Disconnect Message.
The last two bullets are tear-down operations that occur infrequently and should not result in an actual lockout; only the host-lockout context is created, and it disappears again when the lockout-reset-time expires. This timer is configured in the host-lockout-policy:
configure subscriber-mgmt host-lockout-policy <policy-name> lockout-reset-time <seconds> (default 60 seconds)
To enable host lockout for dynamic services data trigger, configure a host-lockout-policy at the dynamic services data trigger capture-sap:
configure service
    vpls <service-id> customer <customer-id>
        sap <sap-id> capture-sap
            dynamic-services
                dynamic-services-policy <dynsvc-policy-name>
                no shutdown
            exit
            host-lockout-policy <policy-name>
        exit
    exit
The host-lockout-policy is configured in the config>subscr-mgmt CLI context. For data-triggered dynamic services, the host-key in the policy must be set to all, which is achieved with the no host-key CLI command (the default). Configuring the host key to mac in a host-lockout policy associated with a dynamic service data trigger capture-sap is a configuration error and results in faulty host lockout behavior, because the data trigger is identified by its SAP ID rather than by a MAC address.
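The following Python model shows what a host-lockout context keyed on the data trigger SAP ID does to the RADIUS load generated by a permanently failing data trigger, and why an infrequent tear-down (clear command or CoA) leaves a context but no lockout. It is an added illustration, not SR OS code. The policy values are the ones displayed in the show output further down (lockout-time min 10, max 3600, lockout-reset-time 60, max-lockout-hosts 100); the escalation rule it implements (the first deletion only creates the context, the next deletion within the reset window starts a lockout of the minimum time, each further one doubles the lockout time up to the maximum, and the context is removed once reset-time passes without a new deletion) and the handling of max-lockout-hosts are this model's reading of the text, not a documented algorithm. Both traffic scenarios are constructed.

```python
"""Model of host lockout keyed on the data trigger sap-id (host-key all).
Added illustration, not SR OS code.  Policy values come from the show output
on this page; the escalation rule is an assumption derived from the text."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    lockout_min: int = 10      # host-lockout-policy ... lockout-time min
    lockout_max: int = 3600    # host-lockout-policy ... lockout-time max
    reset_time: int = 60       # host-lockout-policy ... lockout-reset-time
    max_hosts: int = 100       # host-lockout-policy ... max-lockout-hosts


@dataclass
class LockoutContext:
    last_event: float          # last data trigger deletion for this sap-id
    locked_until: float = 0.0  # 0.0 while the context exists without an active lockout
    current_lock: int = 0
    lockouts: int = 0


class HostLockout:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.ctx = {}          # data trigger sap-id (e.g. ":1214.101") -> LockoutContext

    def _expire(self, now: float) -> None:
        """Remove contexts that saw no deletion for reset_time after the last lockout ended."""
        for key, c in list(self.ctx.items()):
            if now >= max(c.locked_until, c.last_event) + self.policy.reset_time:
                del self.ctx[key]

    def is_locked(self, key: str, now: float) -> bool:
        """True while data triggers for this sap-id are dropped without authentication."""
        self._expire(now)
        c = self.ctx.get(key)
        return c is not None and now < c.locked_until

    def next_lock(self, key: str) -> int:
        """Lockout time the next deletion would trigger (the 'next lock time' column)."""
        c = self.ctx.get(key)
        if c is None or c.current_lock == 0:
            return self.policy.lockout_min
        return min(c.current_lock * 2, self.policy.lockout_max)

    def trigger_deleted(self, key: str, now: float) -> None:
        """Called for any deletion reason listed above: Access-Reject, setup
        timeout, script failure, clear command, CoA or Disconnect Message."""
        self._expire(now)
        c = self.ctx.get(key)
        if c is None:
            if len(self.ctx) < self.policy.max_hosts:   # cap handling is an assumption
                self.ctx[key] = LockoutContext(last_event=now)
            return
        c.current_lock = self.next_lock(key)
        c.lockouts += 1
        c.last_event = now
        c.locked_until = now + c.current_lock


def persistent_failure(seconds: int = 3600, policy: LockoutPolicy = None) -> tuple:
    """Constructed scenario: encap 1214.101 re-sends a data trigger every second
    and always receives an Access-Reject.  Returns (RADIUS requests with lockout,
    RADIUS requests without lockout, number of lockouts taken)."""
    hl, key, requests = HostLockout(policy or LockoutPolicy()), ":1214.101", 0
    for now in range(seconds):
        if hl.is_locked(key, now):
            continue                  # dropped at the capture SAP; RADIUS never sees it
        requests += 1                 # Access-Request sent
        hl.trigger_deleted(key, now)  # Access-Reject: data trigger deleted
    return requests, seconds, hl.ctx[key].lockouts


def one_off_teardown(policy: LockoutPolicy = None) -> tuple:
    """Constructed scenario: a single 'clear service dynamic-services data-trigger'
    at t=0.  A context appears but nothing is locked: the re-trigger at t=5 is
    authenticated and the context is gone once lockout-reset-time has elapsed.
    Returns (locked at t=5, context present at t=30, context present at t=60)."""
    hl, key = HostLockout(policy or LockoutPolicy()), ":1214.101"
    hl.trigger_deleted(key, 0)
    locked_at_5 = hl.is_locked(key, 5)
    present_at_30 = not hl.is_locked(key, 30) and key in hl.ctx
    present_at_60 = not hl.is_locked(key, 60) and key in hl.ctx
    return locked_at_5, present_at_30, present_at_60


if __name__ == "__main__":
    print("persistent failure (with, without, lockouts):", persistent_failure())
    print("one-off teardown (locked@5, ctx@30, ctx@60):", one_off_teardown())
```

With the defaults, a trigger that fails every second costs RADIUS 3600 Access-Requests per hour without lockout and 10 with it, because the lockout time grows 10, 20, 40, ... seconds and is capped at 3600. A single clear or CoA tear-down never reaches the first lockout: the context sits idle and is reclaimed after the 60-second reset time.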
Use the following show command to display active dynamic services data trigger capture SAP lockouts (the capture SAP must be used as the sap-id):
# show subscriber-mgmt host-lockout-policy "host-lockout-1" all sap 1/1/4:1214.*
===============================================================================
Host Lockout Policy "host-lockout-1"
===============================================================================
Description        : Host lockout policy
Last Mgmt Change   : 01/25/2016 16:37:47
Lockout time min   : 10
Lockout time max   : 3600
Lockout reset time : 60
Max lockout hosts  : 100
Host key           : all
-------------------------------------------------------------------------------
Active Lockouts for SAP: 1/1/4:1214.*
===============================================================================
circuit-id/        elapsed    current    elapsed    next       nr
mac/               reset      lock       lock       lock       of
remote-id          time (s)   time (s)   time (s)   time (s)   lockouts
-------------------------------------------------------------------------------
:1214.101          0          10         1          20         1
-------------------------------------------------------------------------------
Nr of active lockouts          : 1
Nr of lockouts in grace period : 0
Nr of total lockouts           : 1
-------------------------------------------------------------------------------
Totals for Host Lockout Policy "host-lockout-1"
-------------------------------------------------------------------------------
Nr of active lockouts          : 1
Nr of lockouts in grace period : 0
Nr of total lockouts           : 1
===============================================================================
Use the following command to clear active dynamic services data trigger capture SAP lockouts (the capture SAP must be used as the sap-id):
# clear subscriber-mgmt host-lockout-policy [policy <host-lockout-policy-name>] <lockout-state>
# clear subscriber-mgmt host-lockout-policy sap <sap-id> [lockout-state]
Use the cpu-protection and dist-cpu-protection commands on the platforms that support them.
When using cpu-protection, create a cpu-protection policy and apply its policy-id to the capture SAP:
configure
    system
        security
            cpu-protection
                policy 200 create
                    overall-rate 100
                    out-profile-rate 50
                exit
            exit
        exit
    exit
    service
        vpls <service-id> customer <customer-id>
            sap 1/1/1:*.* capture-sap create
                cpu-protection 200
                dynamic-services
                    dynamic-services-policy "dynServPolicy"
                    no shutdown
                exit
                no shutdown
            exit
        exit
    exit
When using dist-cpu-protection, create a dist-cpu-protection policy and apply it to the capture SAP:
configure
    system
        security
            dist-cpu-protection
                policy "distCpuProt" create
                    static-policer "dcpuStatPol" create
                        rate packets 50 within 1
                        exceed-action discard
                        detection-time 5
                    exit
                    protocol all-unspecified create
                        enforcement static "dcpuStatPol"
                    exit
                exit
            exit
        exit
    exit
    service
        vpls <service-id> customer <customer-id>
            sap 1/1/1:*.* capture-sap create
                dynamic-services
                    dynamic-services-policy "dynServPolicy"
                    no shutdown
                exit
                dist-cpu-protection "distCpuProt"
                no shutdown
            exit
        exit
    exit