[nsp] AS5300 losing memory

Gert Doering gert at greenie.muc.de
Sat Aug 23 11:02:13 EDT 2003


On Fri, Aug 22, 2003 at 07:12:07PM -0400, Jason Houx wrote:
> Well it's either break path MTU or reboot and kick ppl off-line while the
> unit reloads - personally I would rather put AS5350's and AS5400s in the
> mix because those have been just fine.  These AS5248's are getting their
> memory fragged by all the scanning from just hosts inside of our network.  
> If you have a suggestion I would love to hear it.  

Filter on *icmp echo* instead of "all ICMP".

> I suppose your firewall turns its head when ICMP bangs on its front door?

Filtering ICMP does *nothing* for security, but breaks lots of things.

Yes, I know that some books and some people recommend "filtering all ICMP
is necessary for security", but they have no clue (*).  They are selling snake 

(*) *If* you're worried about ICMP, you need to filter very selectively
for those ICMPs that can actually do harm on incorrectly implemented 
hosts, like ICMP redirects.  If you have proper anti-spoofing filters in
place, and your hosts follow the "host requirements" RFC, ICMP redirects
from an external source can *not* do any harm.
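The two filter styles being argued about, written out as IOS extended ACLs. This is an added example, not configuration from the thread or from either poster; the ACL numbers and the interface name are hypothetical, and the ICMP keywords are the standard IOS extended-ACL names (echo, redirect, packet-too-big, time-exceeded, unreachable).

```ios
! Added example, not from the thread. ACL numbers and the interface
! are hypothetical.
!
! What "filter all ICMP" does in practice. It also drops ICMP type 3
! code 4 (fragmentation needed), so Path MTU discovery stops working
! and connections through a smaller-MTU link hang on large packets.
access-list 110 deny   icmp any any
access-list 110 permit ip   any any
!
! Selective alternative. Drop only the echo traffic that is burning
! memory on the access servers and the one ICMP type that can hurt a
! badly implemented host (redirect); everything TCP depends on stays.
access-list 111 deny   icmp any any echo
access-list 111 deny   icmp any any redirect
! Listed explicitly so that a later blanket "deny icmp" cannot be
! slipped in above them by mistake; they are what PMTUD and
! traceroute need.
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit ip   any any
!
interface Serial0/0
 description hypothetical upstream link
 ip access-group 111 in
 ! Anti-spoofing: drop packets whose source address is not reachable
 ! back out this interface (requires CEF). A redirect is only honoured
 ! by a host when it appears to come from the host's own gateway, so
 ! once spoofed sources are gone an external redirect has no effect.
 ip verify unicast reverse-path
```

ACL 110 is the "before"; ACL 111 is the filter the reply recommends. If echo replies from outside also need to go, add a `deny icmp any any echo-reply` line next to the echo line rather than widening the deny to all of ICMP.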

