[c-nsp] CoPP best practical example on 6500
Jared Mauch
jared at puck.nether.net
Thu Oct 5 02:25:52 EDT 2006
On Thu, Oct 05, 2006 at 08:05:45AM +0300, Saku Ytti wrote:
> On (2006-10-04 15:51 -0400), Jared Mauch wrote:
>
> > and hope you don't need to match ISIS/CLNS frames.
> > This doesn't seem to work :(
>
> How I've done it is penultimate rule of catch all IP, and drop even
> conforming traffic and then default policy will allow rest.
> Accompanied with probably even too strict mls qos/rate-limit rules.
>
> At least everything that came into my mind that I could throw at
> it made it survive, including BGP SYN attack from trusted eBGP
> neighbors, ARP attack, STP attack (will hurt you bad, even
> in L3-only port and so forth).
there's other bad things that can happen that i'm waiting
for cisco to provide a solution to that you can't police with CoPP.
Helping with the ISIS/CLNS part for now would be ideal. It'd make
my life easier.
there's just a lot of "hidden" stuff that is on by default.
Cisco software folks haven't quite figured out how to allow a comprehensive
inventory of it as well as ways to sufficiently turn off things.
- jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
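As an added illustration of the policy layout Saku describes above (an IP-only catch-all class placed just before class-default that drops even conforming traffic, with class-default left unpoliced so non-IP control traffic still reaches the route processor), this is constructed IOS-style CoPP configuration, not either poster's own; the class and ACL names and the rate values are assumed placeholders.

```cisco
! Constructed example of the "penultimate catch-all IP" CoPP structure.
! Class names, ACLs and police rates are placeholders, not real values.
ip access-list extended COPP-BGP
 permit tcp any eq bgp any
 permit tcp any any eq bgp
!
ip access-list extended COPP-IP-CATCHALL
 permit ip any any
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-IP-CATCHALL
 match access-group name COPP-IP-CATCHALL
!
policy-map COPP
 ! Known-good IP control traffic: rate-limited, conforming packets pass.
 class COPP-BGP
  police 1000000 32000 conform-action transmit exceed-action drop
 ! Penultimate rule: any IP not classified above is dropped even when
 ! it conforms, so unexpected IP never reaches the RP.
 class COPP-IP-CATCHALL
  police 32000 1500 conform-action drop exceed-action drop
 ! class-default is deliberately left unpoliced. Non-IP frames such as
 ! IS-IS/CLNS do not match the IP ACLs and fall through here, which is
 ! why this is paired with separate mls qos / rate-limit protection.
 class class-default
!
control-plane
 service-policy input COPP
```

Verify with `show policy-map control-plane` that the catch-all class is counting drops and that class-default is still passing the expected non-IP protocols after the policy is applied.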