[c-nsp] CoPP

Rodney Dunn rodunn at cisco.com
Thu Apr 14 08:30:48 EDT 2005


I get asked this question a lot about how to protect the
box. The best security IMO in this area: you block at
the edges and as you move to the devices you block as soon
as possible inside the device.

Then as you move "up the stack" if you will towards the RP
you hopefully become more granular about what you let through
and therefore reduce the traffic that can get to the RP.

You will see more and more things coming out that will
help the user do this in a more scalable way.

i.e., like the 65xx that has some rate limiting capability in
hardware.

I did some poking around here and thought there was some
pretty good stuff.

http://www.cisco.com/security


Rodney

On Tue, Apr 12, 2005 at 03:36:41PM -0500, Mike Bernico wrote:
> 
> CoPP is definitely a good thing, but it is not a silver bullet.  We've
> had some luck with it, but if you throw enough traffic at the box it
> will still die.  It does tend to make it hard to kill however, and we
> prefer it over rACLs where available.  
> 
> 12.0.30S on the GSR is supposed to have distributed CoPP, should be even
> better.
> 
> Mike Bernico
> 
> 
> -----Original Message-----
> From: Roger Weeks [mailto:rjw at mcn.org] 
> Sent: Tuesday, April 12, 2005 11:48 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] CoPP
> 
> This is very interesting, I haven't looked at CoPP before but as an ISP
> it sounds like something we should be looking at.
> 
> Is anyone else using CoPP in their infrastructure?  I'd like to hear  
> about your experiences.
> 
> Roger Weeks
> 
> On Apr 12, 2005, at 9:00 AM, cisco-nsp-request at puck.nether.net wrote:
> 
> > Date: Tue, 12 Apr 2005 10:16:44 -0400
> > From: Rodney Dunn <rodunn at cisco.com>
> > Subject: Re: [c-nsp] Filtering on sender IP#
> > To: Mikael Carlander <rip at kth.se>
> > Cc: cisco-nsp at puck.nether.net
> >
> > You can do it per-interface or globally via CoPP.
> >
> > http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a00801afad4.html
> >
> > We are working very hard to try and push the filtering down in
> > hardware with CoPP and there will be more developments in this area as
> > we move forward so it would be a good idea to become familiar with this
> > concept.
> >
> --
> Roger J. Weeks
> Systems & Network Administrator
> Mendocino Community Network
> Now offering DSL in Northern California
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

