Cisco ASR 9000 Series Configuration Manual page 226

Aggregation services router broadband network gateway
Excessive Punt Flow Trap
Note: Even when the Excessive Punt Flow Trap feature is not enabled, the "bad actors" can affect services only for other devices; they cannot bring down the router.
The Excessive Punt Flow Trap feature is supported on both subscriber interfaces, and non-subscriber interfaces
such as L2 and L3 VLAN sub-interfaces and bundle virtual interfaces (BVIs). If the source that floods the
punt queue with packets is a device with an interface handle, then all punts from that bad actor interface are
penalty policed. The default penalty rate, for each protocol, is 10 packets per second (pps). Otherwise, if
the source is a device that does not have an interface handle, then all packets from this bad actor are dropped.
Note: In the 4.2.x releases, the Excessive Punt Flow Trap feature was called "Subscriber Control Plane Policing (CoPP)" and operated only on subscriber interfaces.
Functioning of Excessive Punt Flow Trap Feature
The Excessive Punt Flow Trap feature monitors control packet traffic arriving from physical interfaces,
sub-interfaces, BVI, and subscriber interfaces. It divides interfaces into two categories:
• "Parent" interfaces, which can have other interfaces under them.
• "Non-parent" interfaces, which have no interfaces under them.
A physical interface is always a parent interface because it has VLAN sub-interfaces. A BVI is always a parent
interface because it is the "parent" of L2 interfaces. An L3 VLAN sub-interface can either be a parent or a
non-parent interface. If the VLAN sub-interface is enabled for subscribers, then it is a parent interface, otherwise
it is a non-parent interface. A subscriber interface (IPoE or PPPoE) is always a non-parent interface.
When a flow is trapped, the Excessive Punt Flow Trap feature tries to identify the source of the flow. The
first thing it determines is from which interface the flow came. If this interface is not a "parent" interface,
then the feature assumes that it is the end-point source of the flow and penalty policing is applied. If the trapped
interface is a "parent" interface, then instead of penalizing the entire interface (which would penalize all the
interfaces under it), this feature takes the source MAC address of the bad flow and drops all packets from the
MAC address under the parent. Due to a platform limitation, the penalty policer cannot be applied to a MAC
address; therefore all packets from that MAC address are dropped.
For more information about enabling the Excessive Punt Flow Trap feature, see Flow Trap Processing, on page
Note: The Excessive Punt Flow Trap feature monitors all punt traffic. There is no way to remove a particular interface from the initial monitoring, nor can an interface be prevented from being flagged as bad if it is the source of excessive flows.
Bad actors are policed for each protocol. The protocols that are supported by the Excessive Punt Flow Trap
feature are Broadcast, Multicast, ARP, DHCP, PPP, PPPoE, ICMP, IGMP, L2TP and IP (covers many types
of L3 based punts, both IPv4 and IPv6). Each protocol has a static punt rate and a penalty rate. For example,
the sum total of all ICMP punts from remote devices is policed at 1500 packets per second (pps) to the router's
CPU. If one remote device sends an excessive rate of ICMP traffic and is trapped, then ICMP traffic from
that bad actor is policed at 10 pps. The remaining (non-bad) remote devices continue to use the static 1500
pps queue for ICMP.
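The source identification logic (parent versus non-parent interface) and the two-tier policing (static per-protocol queue, 10 pps penalty for trapped bad actors) described above, modelled as a small simulation. This is an added example, not Cisco code; the trap threshold (TRAP_THRESHOLD), the ARP static rate and the interface names are assumptions, since the page states only the ICMP rate of 1500 pps and the 10 pps penalty rate.

```python
# Added example (not Cisco's code): simplified model of the Excessive Punt Flow
# Trap behaviour this page describes. TRAP_THRESHOLD and the ARP static rate are
# assumptions; the page gives only ICMP 1500 pps and the 10 pps penalty rate.
from collections import Counter

STATIC_RATE = {"ICMP": 1500, "ARP": 1000}   # per-protocol punt queue (ARP value assumed)
PENALTY_RATE = 10                           # pps per protocol for a trapped bad actor
TRAP_THRESHOLD = 100                        # punts after which a source is trapped (assumed)

class PuntPolicer:
    """Models one 1-second window of control packets punted to the router CPU."""
    def __init__(self):
        self.seen = Counter()           # (proto, iface, mac) -> punts from that source
        self.trapped = set()            # (proto, iface): non-parent iface, penalty policed
        self.dropped_macs = set()       # (parent_iface, mac): all packets dropped
        self.queue_used = Counter()     # proto -> punts accepted into the static queue
        self.penalty_used = Counter()   # (proto, iface) -> punts accepted at penalty rate

    def punt(self, proto, iface, is_parent, mac):
        """Decide 'accept' or 'drop' for one punted control packet."""
        self.seen[(proto, iface, mac)] += 1
        if self.seen[(proto, iface, mac)] > TRAP_THRESHOLD:     # flow is trapped
            if is_parent:       # cannot police a MAC: drop everything from it
                self.dropped_macs.add((iface, mac))
            else:               # end-point interface: penalty police this protocol
                self.trapped.add((proto, iface))
        if (iface, mac) in self.dropped_macs:
            return "drop"
        if (proto, iface) in self.trapped:
            if self.penalty_used[(proto, iface)] >= PENALTY_RATE:
                return "drop"
            self.penalty_used[(proto, iface)] += 1
            return "accept"
        if self.queue_used[proto] >= STATIC_RATE[proto]:        # shared queue full
            return "drop"
        self.queue_used[proto] += 1
        return "accept"

def run_window(punts):
    """Feed (proto, iface, is_parent, mac) tuples; return accepted punts per source."""
    policer, accepted = PuntPolicer(), Counter()
    for proto, iface, is_parent, mac in punts:
        if policer.punt(proto, iface, is_parent, mac) == "accept":
            accepted[(iface, mac)] += 1
    return accepted, policer

def example_window():
    """Constructed traffic: an ICMP flooder on a PPPoE subscriber (non-parent)
    interface, an ARP flooder behind an L3 VLAN parent interface, and
    well-behaved devices beside each of them (all names/MACs are made up)."""
    sub, vlan = "Bundle-Ether1.100.pppoe5", "GigabitEthernet0/0/0/0.200"
    punts = [("ICMP", sub, False, "00:11:22:33:44:55")] * 2000
    punts += [("ICMP", "Bundle-Ether1.100.pppoe%d" % i, False, "00:11:22:33:44:%02x" % i)
              for i in range(6, 16)] * 50
    punts += [("ARP", vlan, True, "aa:bb:cc:dd:ee:01")] * 500
    punts += [("ARP", vlan, True, "aa:bb:cc:dd:ee:02")] * 50
    return run_window(punts)
```

The flooder on the subscriber interface gets 100 punts through before being trapped and then only the 10 pps penalty allowance, while the flooding MAC under the parent VLAN is dropped outright and its well-behaved neighbours keep their full share of the static queue.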
Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide, Release 4.3.x
214
Configuring Subscriber Features
OL-28375-03