[c-nsp] CoPP best practical example on 6500

Saku Ytti saku+cisco-nsp at ytti.fi
Thu Oct 5 01:05:45 EDT 2006


On (2006-10-04 15:51 -0400), Jared Mauch wrote:

> 	and hope you don't need to match ISIS/CLNS frames.
> This doesn't seem to work :(

How I've done it is a penultimate rule of catch-all IP, dropping even
conforming traffic, and then the default policy will allow the rest.
Accompanied by probably even too strict mls qos/rate-limit rules.

At least it survived everything that came to my mind that I could
throw at it, including a BGP SYN attack from trusted eBGP
neighbors, ARP attack, STP attack (will hurt you bad, even
in an L3-only port and so forth).

-- 
  ++ytti
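
The class ordering described in the message above, sketched as an IOS control-plane policy. This is an added example, not the poster's configuration; the class and ACL names, the neighbor address (documentation range) and all rates are assumptions.

```cisco
! Constructed example: names, addresses and rates are placeholders.
! Hardware CoPP on the 6500 requires QoS to be enabled globally.
mls qos
! Hardware rate limiter alongside CoPP (values are placeholders).
mls rate-limit unicast cef glean 100 10
!
ip access-list extended COPP-BGP
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
ip access-list extended COPP-CATCHALL-IP
 permit ip any any
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-CATCHALL-IP
 match access-group name COPP-CATCHALL-IP
!
policy-map COPP
 ! Explicitly expected control traffic comes first and is policed,
 ! so a trusted neighbor cannot exceed its budget either.
 class COPP-BGP
  police 1000000 conform-action transmit exceed-action drop
 ! Penultimate class: any IP not matched above is dropped,
 ! whether it conforms to the rate or not.
 class COPP-CATCHALL-IP
  police 32000 conform-action drop exceed-action drop
 ! Whatever was not matched as IP above (IS-IS/CLNS frames, for
 ! example) falls through to class-default and is allowed.
 class class-default
!
control-plane
 service-policy input COPP
```

Every protocol the router needs to receive over IP (IGP, management, ICMP and so on) has to get its own class above the catch-all, since anything left unmatched there is dropped.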

