[cisco-nas] AS5200s and the new DoS

Mark Johnson mljohnso at cisco.com
Fri Jul 18 19:54:08 EDT 2003


At 05:57 PM 7/18/2003 -0400, jlewis at lewis.org wrote:
>It looks like we'll finally have to abandon 11.3AA since there's no
>scheduled fixed version in that train.  We have a bunch of them...the
>older ones have 8192K/4096K RAM, 8mb Flash and run
>c5200-is-l.113-11a.AA.bin.  Last I looked, I don't think there was a 12.x
>version with comparable features that would fit in 8mb RAM / 8mb Flash.
>
>11.3AA's not covered in go/fn, so it's hard to comparison shop for a
>replacement IOS.  IIRC, there was a <8mb 12.0 release (maybe 12.0 mainline
>IP) that had most of the functionality of 11.3AA, minus all the show
>caller commands.
>
>I don't suppose there's any chance of a fix in 11.3AA? :)

You can ask TAC to submit a request for a special build, try your best
to justify it to Cisco (memory, # of boxes, etc.), and see if it gets
approved (handled on a case-by-case basis).

>If the alternative workaround is access-lists on the ethernet and every
>virtual-access interface, I'm not sure these boxes have the CPU for all
>those ACLs.

Try this to relieve some of the load:

access-list 101 permit tcp any any
access-list 101 permit udp any any
      !--- the numbers below are IP protocol numbers, not ports:
      !--- 53 = SWIPE, 55 = IP Mobility, 77 = Sun ND, 103 = PIM
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
      !--- insert any other previously applied ACL entries here
      !--- you must permit other protocols through to allow normal
      !--- traffic -- previously defined permit lists will work
      !--- or you may use the permit ip any any shown here
access-list 101 permit ip any any

Most of your hits should be for TCP/UDP, so the entire access-list won't
have to be traversed for these packets.

mark
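The ordering argument in the reply above can be checked by simulating IOS first-match evaluation. The following is an added example, not part of the original post or of any Cisco software: it parses the access-list as posted, evaluates packets against it entry by entry (with the implicit deny that ends every IOS ACL), and compares the average number of entries touched against a variant with the four protocol denies placed first. The traffic mix is constructed for illustration; protocol-keyword mappings and the deny-first variant are the example's own assumptions.

```python
"""Simulate IOS first-match ACL evaluation to show why putting
'permit tcp/udp' ahead of the protocol denies cuts per-packet work.
Added example, not from the original post; the traffic mix is constructed."""

# IOS protocol keywords -> IP protocol numbers (only the ones used here).
# 'ip' is a wildcard and is handled separately.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47}

# The access-list exactly as posted (IOS '!' comment lines removed).
ACL_FROM_POST = """
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
"""

# Same entries, but with the four denies first (assumed naive ordering).
ACL_DENY_FIRST = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit ip any any
"""

# Constructed traffic mix for a dial-up NAS: mostly TCP, some UDP, a
# little ICMP, and one packet of each blocked protocol (53, 55, 77, 103).
SAMPLE_TRAFFIC = [6] * 80 + [17] * 15 + [1] * 3 + [53, 55, 77, 103]


def parse_acl(text):
    """Parse 'access-list <n> permit|deny <proto> any any' lines into
    (action, protocol) tuples; protocol None means 'ip' (match anything)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank or IOS comment
            continue
        parts = line.split()
        if parts[0] != "access-list" or len(parts) < 4:
            raise ValueError(f"unsupported line: {raw!r}")
        action, proto = parts[2], parts[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {raw!r}")
        if proto == "ip":
            match = None
        elif proto.isdigit():
            match = int(proto)                  # numeric IP protocol
        else:
            match = PROTO_NUMBERS[proto]        # keyword such as tcp/udp
        entries.append((action, match))
    return entries


def evaluate(entries, protocol):
    """Return (action, entries_checked) for a packet of the given IP protocol.
    IOS ACLs are first-match; if nothing matches, the implicit deny applies
    after every entry has been compared."""
    for i, (action, match) in enumerate(entries, start=1):
        if match is None or match == protocol:
            return action, i
    return "deny", len(entries)


def average_entries_checked(acl_text, protocols):
    """Mean number of ACL entries compared per packet for this ordering."""
    entries = parse_acl(acl_text)
    return sum(evaluate(entries, p)[1] for p in protocols) / len(protocols)


def verdicts(acl_text, protocols):
    """Final permit/deny decision per distinct protocol in the mix."""
    entries = parse_acl(acl_text)
    return {p: evaluate(entries, p)[0] for p in set(protocols)}


if __name__ == "__main__":
    for name, acl in (("post ordering", ACL_FROM_POST),
                      ("deny-first ordering", ACL_DENY_FIRST)):
        print(f"{name}: {average_entries_checked(acl, SAMPLE_TRAFFIC):.2f} "
              "entries checked per packet")
    print("verdicts identical:",
          verdicts(ACL_FROM_POST, SAMPLE_TRAFFIC)
          == verdicts(ACL_DENY_FIRST, SAMPLE_TRAFFIC))
```

Both orderings give the same permit/deny answer for every protocol; only the number of entries compared per packet differs, which is the load effect the reply is after. On a real box the list still has to be applied with `ip access-group` on each interface, and the CPU saving depends on how TCP/UDP-heavy the actual traffic is.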


