[c-nsp] ARP flooding prevention
Peter Rathlev
peter at rathlev.dk
Fri Feb 1 07:05:21 EST 2008
Agreed, CoPP with a service-policy and maybe also using the "mls
rate-limit unicast cef glean <pps>" and so on.
Just remember that to limit these things is to limit the services that
the supervisor is meant to deliver. You can easily put yourself in a
situation where the DoS scenario becomes a problem earlier because of
your rate-limiting, and then it's irrelevant that your supervisor is
only at 50% CPU.
Look at this for CoPP for Sup720:
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b.html
http://tinyurl.com/9sutt
And for MLS rate-limiting for Sup720:
http://www.cisco.com/en/US/customer/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html
http://tinyurl.com/297d48
Regards,
Peter
On Fri, 2008-02-01 at 11:41 +0100, David Granzer wrote:
> On Feb 1, 2008 11:25 AM, Michel Renfer <michel.renfer at finecom.ch> wrote:
> > Hi All!
> >
> > What is the best way to avoid SUP stress conditions due to
> > ARP floods on 7600 platform? (76xx facing to an IX as an
> > example)?
>
> Control Plane Policing (CoPP) and rate limit arp traffic.
>
> David
>
> >
> > Any tips/ hints?
> >
> > cheers,
> > michel