[nsp] AS5300 loosing memory
Gert Doering
gert at greenie.muc.de
Sat Aug 23 11:02:13 EDT 2003
Hi,
On Fri, Aug 22, 2003 at 07:12:07PM -0400, Jason Houx wrote:
> Well it's either break path MTU or reboot and kick ppl off-line while the
> unit reloads - personally I would rather put AS5350's and AS5400s in the
> mix because those have been just fine. These AS5248's are getting their
> memory fragged by all the scanning from just hosts inside of our network.
> If you have a suggestion I would love to hear it.
Filter on *icmp echo* instead of "all ICMP".
> I suppose your firewall turns its head when ICMP bangs on its front door?
Filtering ICMP does *nothing* for security, but breaks lots of things.
Yes, I know that some books and some people recommend "filtering all ICMP
is necessary for security", but they have no clue (*). They are selling snake
oil.
(*) *If* you're worried about ICMP, you need to filter very selectively
for those ICMPs that can actually do harm on incorrectly implemented
hosts, like ICMP redirects. If you have proper anti-spoofing filters in
place, and your hosts follow the "host requirements" RFC, ICMP redirects
from an external source can *not* do any harm.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
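Added example, not part of the original message or of any Cisco configuration: a small first-match filter model that contrasts "filter all ICMP" with filtering only echo (and, optionally, redirects), to show which messages each policy lets through. The policy names, sample messages and addresses are constructed for illustration.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (16-bit one's complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Build an 8-byte ICMP header with a valid checksum (constructed test data)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, checksum(body)) + rest

def parse_icmp(msg: bytes) -> tuple[int, int]:
    """Return (type, code); reject truncated or corrupt messages."""
    if len(msg) < 8 or checksum(msg) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    return msg[0], msg[1]

# Rules are (action, type, code); None is a wildcard. First match wins.
BLANKET = [("deny", None, None)]                          # "filter all ICMP"
ECHO_ONLY = [("deny", 8, None), ("permit", None, None)]   # filter echo only
SELECTIVE = [("deny", 8, None), ("deny", 5, None),        # echo plus redirects
             ("permit", None, None)]

def evaluate(policy, msg: bytes) -> str:
    icmp_type, code = parse_icmp(msg)
    for action, rule_type, rule_code in policy:
        if rule_type in (None, icmp_type) and rule_code in (None, code):
            return action
    return "deny"  # implicit deny when nothing matches

# Constructed sample messages (headers only, no embedded original datagram).
SAMPLES = {
    "echo_request": build_icmp(8, 0),
    "frag_needed": build_icmp(3, 4, struct.pack("!HH", 0, 1400)),  # PMTUD
    "time_exceeded": build_icmp(11, 0),                             # traceroute
    "redirect_host": build_icmp(5, 1, bytes([192, 0, 2, 1])),
}

def survivors(policy) -> list[str]:
    """Names of the sample messages the policy lets through."""
    return sorted(n for n, m in SAMPLES.items() if evaluate(policy, m) == "permit")

if __name__ == "__main__":
    for name, policy in [("blanket", BLANKET), ("echo only", ECHO_ONLY), ("selective", SELECTIVE)]:
        print(f"{name:10} passes: {survivors(policy)}")
```

Only the blanket policy drops the type 3 code 4 "fragmentation needed" message that path MTU discovery depends on; the other two stop echo while leaving it intact.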