[c-nsp] Control Plane Policing on 7206VXR/NPE-G2.. - Arrgh a crash..

Howard Leadmon howard at leadmon.net
Sat Dec 15 09:26:55 EST 2007


 Sadly enough we have some idiots threatening some DDoS attacks, and I was
trying to go through and do what I could to make things as bulletproof as
possible.  Not that it's possible to stop all attempts, but figured at least
covering my bases would help some.

 So I set out building some cpp ACLs and policy maps to apply, and then
installed them on my 26xx router here at my house to see how they worked.  So
far, so good, looks to be live.   So then I go and load the stuff on 7206 in
the datacenter.  Seemed OK, but for some reason one of the BGP sessions
wouldn't come up, so I tried to make a change in an ACL on the CP.

 Here was the start of trouble, if I tried to update anything related to the
policy map, the router would crash.  After realizing that, I figured heck with
it, I would just pull the cpp from the cp config.  Nice thought, trying to
simply do a 'no service-policy input copp-policy' on the control plane of the
router would crash it hard.

 I am not sure if anyone has run into this, it looks like a software bug as it
is rebooting with a SegV on 0x0:

System was restarted by error - a SegV exception, PC 0x0 at 08:20:26 EST Sat Dec 15 2007
7200 Software (C7200P-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)


 I guess it's possible I did something totally wrong in the cpp, but heck you
wouldn't think removing the cp policy from the router would crash it.

 Has anyone used a cpp on the 7606/NPE-G2?  If so, did it work OK?  Heck and
if it worked, care to share what you have done, so maybe I can implement
something that actually works and doesn't crash everything.  I guess for now
I'll just run it without one..


---
Howard Leadmon 




