[c-nsp] control plane policing feature
Saku Ytti
saku+cisco-nsp at ytti.fi
Sun Dec 25 08:23:47 EST 2005
On (2005-12-25 12:43 +0100), Gert Doering wrote:
> Can you do it the other way round, like "police ip any any" first, and
> then leave all non-IP things in the "match-default" class, with high
> enough bps values?
Yup, but then the connected customer can DoS you with CLNS packets (I'm
assuming IOS accepts those even if CLNS is not configured, TAC agreed
with this assumption). Dunno which is greater risk, run unsupported
but working (in VXR at least) configuration or leave this attack-vector
open.
> (Merry Christmas, by the way. However politically incorrect it might be)
:>
--
++ytti