Our experience has been that although the command is accepted by the parser, a very large number for the rate limit doesn’t seem to be programmed. It's important to do the show lpts pifib hardware police | inc SNMP to verify the rate limit was programmed as you desire. Note the number will be slightly different than you specify. This command also lets you see how many packets lpts dropped before hitting the snmp process. I am guessing the default 523 rate is still there dropping snmp and the delay is due to retires, if lpts is the cause of your issue.
Tnx Chris From: cisco-nsp <[email protected]> on behalf of Drew Weaver via cisco-nsp <[email protected]> Date: Friday, August 8, 2025 at 9:05 AM To: 'Saku Ytti' <[email protected]> Cc: '[email protected]' <[email protected]> Subject: Re: [c-nsp] IOS XR LPTS is it possible to whitelist an IP address [Caution: External Email] Hey, I assumed that the reason the responses took 5.7 seconds when the requests came in over a non RP MGMT interface is because most of the requests were getting caught by the policer and timing out. So I assumed that there was a way to specify that SNMP traffic coming from $NMS_IP shouldn't be considered 'undesirable' or 'low priority' [which is what we used to call these things in CoPP on IOS and still do on NXOS]. So I configured it like this: lpts pifib hardware police flow snmp rate 4294967295 ! And the condition still exists so I was obviously wrong. I also configured this: control-plane management-plane inband interface all allow snmp peer address ipv4 $NMS_IP_address and the condition still exists so I was obviously wrong. I have no problem being wrong it happens all the time. Thanks, -Drew -----Original Message----- From: Saku Ytti <[email protected]> Sent: Friday, August 8, 2025 4:14 AM To: Drew Weaver <[email protected]> Cc: [email protected] Subject: Re: [c-nsp] IOS XR LPTS is it possible to whitelist an IP address I don't think so. But I'm not 100% confident. I don't see a particular problem in the approach you chose, where you change the policer. Why are you looking into whitelisting specific IPs rather than just tune the policer? LPTS rules are dynamically generated, there isn't "any/any -> SNMP permit" on the box. The policer should not be hit by an unknown IP address (provided you didn't explicitly allow this in your inband config), only your configured SNMP addresses should have access to the policer. You can review what packets can reach the SNMP policer with 'show lpts pifib entry location X'. On Thu, 7 Aug 2025 at 16:26, Drew Weaver via cisco-nsp <[email protected]> wrote: > > Okay so I've been having an issue where 60% of our SNMP polls are being > gleefully dumped by an ASR9902 running IOS XR 24.4.2 due to the default > hidden LPTS policer configuration (that you can't see). > > I'm not really here to argue about the design I'm mostly just depressed by > all of that discussion at this point. > > What I really need to know is if it is possible to simply allow an IP address > to bypass the policer for SNMP traffic? > > I've now asked TAC this question directly 5 times and they won't answer it. > > Its funny that simply using the mgmteth ports allow you to bypass all of > these very important and very demure policers that need to exist otherwise > the box will explode but that there doesn't appear to be any way to simply > apply that same level of recklessness to inline traffic. > > Thanks if anyone knows. > Lol > -Drew > > > > _______________________________________________ > cisco-nsp mailing list [email protected] > https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_m > ailman_listinfo_cisco-2Dnsp&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A > _CdpgnVfiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=RUrtSkTBv > 0Xm8Sd4i9O6btjWUqWsADXynRUjfD5siWsqz1mmyaLMxhEiTuEaRRTN&s=oGFZlMI24Pva > 1xvYiUBL8T56oqF9J7UnDCXNnq03PzA&e= > archive at > https://urldefense.proofpoint.com/v2/url?u=http-3A__puck.nether.net_pi > permail_cisco-2Dnsp_&d=DwIFaQ&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnV > fiiMM&r=OPufM5oSy-PFpzfoijO_w76wskMALE1o4LtA3tMGmuw&m=RUrtSkTBv0Xm8Sd4 > i9O6btjWUqWsADXynRUjfD5siWsqz1mmyaLMxhEiTuEaRRTN&s=i-8GJFn5i4OncLjB5Zq > A4kUtLlv_hB-fIphf6SsjZG4&e= -- ++ytti _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
