Friday 3 May 2013

Service TCP Keepalives and Selective Packet Discard

CPPr includes the following additional control plane protection features:

  • The port-filtering feature provides for policing/dropping of packets going to closed or nonlistening TCP/UDP ports.
  • Queue thresholding limits the number of packets for a specified protocol that will be allowed in the control plane IP input queue.

TCP keepalives

Enabling TCP keepalives on incoming and outgoing connections lets the router notice when the far end of a session has gone away (for example an idle Telnet or SSH session to a vty line whose client crashed or lost connectivity) and clear it, instead of leaving the session, and the vty line it occupies, tied up until someone clears it by hand:

Router1# config term
Router1(config)# service tcp-keepalives-in
Router1(config)# service tcp-keepalives-out
Router1(config)# end

Selective Packet Discard

Selective Packet Discard (SPD) is a mechanism to manage the process-level input queues on the Route Processor (RP). The goal of SPD is to give priority to routing protocol packets and other important control traffic, such as Layer 2 keepalives, during periods of process-level queue congestion.


Layer 2 keepalives and IGP packets go to the SPD Extended Headroom. If there
is no space available in the SPD Extended Headroom, packets go to the SPD
Headroom. As a last resort, if both the Extended Headroom and Headroom are
full, these packets go to the regular Hold Queue. BGP updates go directly to
SPD Headroom. If the SPD Headroom is full, BGP packets hit the Hold Queue.
All other IP packets (malformed or process-switched) go to the Hold Queue. The
result is that L2 Keepalive/IGP packets are serviced first, BGP next, and other
packets last.

  • Input queue
 The input queue is maintained per hardware interface and is shared amongst all of its subinterfaces. The default input queue size is 75 and is configurable per interface with the hold-queue [size] in interface configuration command. The number of packets currently in the input queue is shown in the "Input queue" field of the show interfaces output.

  • SPD headroom
 The default SPD headroom size is 100 (1000 in newer IOS versions) and is configurable with the spd headroom command. Its current level can be seen in the output of show spd or show ip spd.

  • Extended SPD headroom
 The default extended SPD headroom size is 10 and is configurable with the spd extended-headroom [size] command; its current level can also be seen in the output of show spd or show ip spd.

  • SPD state check
 The general packet queue can be in one of three states, and low-priority packets are serviced differently in each:

  • NORMAL: queue size <= min
  • RANDOM DROP: min < queue size <= max
  • FULL DROP: queue size > max

 The default min-threshold is 73 and is configurable with the command
 ip spd queue min-threshold

 The default max-threshold is 74 and is configurable with the command
 ip spd queue max-threshold

 These thresholds are compared against the depth of the input hold queue, which is why the defaults sit just under the default hold queue size of 75. If the hold queue is enlarged with hold-queue [size] in, raise the SPD thresholds with it; otherwise low-priority packets start being randomly dropped at 73 queued packets even though the queue is still mostly empty.

  • Aggressive mode
 SPD can be configured for two different modes: normal (default) and aggressive. The only difference between the two is how the router handles invalid IP packets (invalid checksum, incorrect version, incorrect header length, incorrect packet length). In aggressive mode, malformed IP packets are dropped by SPD as soon as the queue is in the RANDOM DROP state, rather than taking their chances with the random drop like any other low-priority packet. Aggressive mode is configured with the command
 ip spd mode aggressive
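The queue cascade, the state check and the aggressive-mode behaviour described above are easier to reason about as a small model. The following is an added Python model of SPD admission written for this post; it is not Cisco IOS code and is not taken from any Cisco document. It uses the default sizes quoted above (hold queue 75, headroom 100, extended headroom 10, thresholds 73/74). The drop ratio in the RANDOM DROP state is not given in the post, so it is a parameter here, and the exact order of checks inside IOS is an assumption.

```python
import random

# Packet classes as the post describes them, highest priority first.
HIGH = "l2-keepalive/igp"   # Layer 2 keepalives and IGP packets
BGP = "bgp"                 # BGP updates
OTHER = "other"             # everything else that is process-switched


class SpdModel:
    """Model of SPD admission: which queue a packet lands in, or why it is dropped.

    Defaults are the values quoted in the post: hold queue 75, headroom 100,
    extended headroom 10, min/max thresholds 73/74, normal mode.
    """

    def __init__(self, hold_queue=75, headroom=100, extended_headroom=10,
                 min_threshold=73, max_threshold=74, aggressive=False):
        self.cap = {"extended": extended_headroom, "headroom": headroom,
                    "hold": hold_queue}
        self.used = {"extended": 0, "headroom": 0, "hold": 0}
        self.min_threshold = min_threshold
        self.max_threshold = max_threshold
        self.aggressive = aggressive

    def state(self):
        """The SPD state is derived from the hold queue depth alone."""
        depth = self.used["hold"]
        if depth <= self.min_threshold:
            return "NORMAL"
        if depth <= self.max_threshold:
            return "RANDOM DROP"
        return "FULL DROP"

    def _enqueue(self, queue):
        if self.used[queue] < self.cap[queue]:
            self.used[queue] += 1
            return True
        return False

    def _cascade(self, queues):
        """Priority traffic tries each queue in order; only total exhaustion drops it."""
        for q in queues:
            if self._enqueue(q):
                return q
        return "drop:all-queues-full"

    def admit(self, pkt_class, malformed=False, drop_probability=0.5, rng=random):
        """Return the name of the queue that accepted the packet, or 'drop:<reason>'."""
        if pkt_class == HIGH:
            return self._cascade(["extended", "headroom", "hold"])
        if pkt_class == BGP:
            return self._cascade(["headroom", "hold"])

        # Low-priority traffic is the only traffic subject to the state check.
        st = self.state()
        if st == "FULL DROP":
            return "drop:full-drop"
        if st == "RANDOM DROP":
            if malformed and self.aggressive:
                return "drop:malformed-aggressive"
            # Assumption: the post gives no drop ratio, so it is a parameter here.
            if rng.random() < drop_probability:
                return "drop:random-drop"
        return "hold" if self._enqueue("hold") else "drop:all-queues-full"


def priority_under_congestion():
    """Hold queue completely full: only the priority classes still get in."""
    r = SpdModel()
    r.used["hold"] = r.cap["hold"]          # 75 of 75 queued -> FULL DROP
    return {"state": r.state(),
            "igp": r.admit(HIGH),
            "bgp": r.admit(BGP),
            "other": r.admit(OTHER)}


def malformed_in_random_drop(aggressive):
    """Same malformed packet in the RANDOM DROP state, normal vs aggressive mode."""
    r = SpdModel(aggressive=aggressive)
    r.used["hold"] = 74                     # 73 < 74 <= 74 -> RANDOM DROP
    return r.admit(OTHER, malformed=True, drop_probability=0.0)


def mistuned_state(hold_queue, depth):
    """State seen when hold-queue is enlarged but the 73/74 thresholds are left alone."""
    r = SpdModel(hold_queue=hold_queue)
    r.used["hold"] = depth
    return r.state()


if __name__ == "__main__":
    print(priority_under_congestion())
    print("normal:", malformed_in_random_drop(False),
          "aggressive:", malformed_in_random_drop(True))
    print("hold-queue 1000 in, 100 packets queued:", mistuned_state(1000, 100))
```

The last scenario is the one to watch for on real boxes: with hold-queue 1000 in configured and the thresholds left at their defaults, the model reports FULL DROP for everything that is not a keepalive, IGP or BGP packet once 75 packets are queued, so the extra 925 slots are never used by low-priority traffic.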
