[c-nsp] Control Plane Policing on 7206VXR/NPE-G2.. - Arrgha crash..

Phil Bedard philxor at gmail.com
Mon Dec 17 10:08:24 EST 2007


Storm control and aggregate policers are 6500/7600-only mechanisms.
To the original poster, it does sound like a CPP bug on the VXR, which
I guess wouldn't surprise me all that much.  Doing CPP on the VXR I
would guess is only marginally (if any) better than not doing it at all,
since it's not a distributed platform.  I could be wrong however.  I
would try to identify the possible attack vectors and use policing/ACLs
on the ingress interfaces to mitigate it, or put protections on the
VXR's upstream neighbor, if possible.  Unfortunately if someone really
wants to take down a VXR, it's not all that difficult to do so.

Phil


On Dec 17, 2007, at 7:38 AM, Chris wrote:

> Howard,
>
> I think you *can* do CoPP on a VXR but you'll need 12.2(18)S at least.
> You may also wish to look into storm control and aggregate policers.
> Lastly, if the DoS attack is coming from just a few IPs, I'd just null
> route them.
>
> Chris
>
> On Dec 17, 2007 2:49 AM, Howard Leadmon <howard at leadmon.net> wrote:
>
>> Ack, that was a typo, you're right, the subject line had it correct..
>>
>> The query was on a 720xVXR/NPE-G2 series router.  Will have to look at
>> the 12.2 stuff, I think when I got the router it came with 12.4, so I
>> just updated to the most current rev before deploying it in the network.
>>
>> Talk about a bear getting rid of it, since trying to remove it from the
>> config caused the crash, I had to write a replacement config without it
>> to startup, and then reload.  Still it would be nice to have some working
>> cpp on the router.
>>
>>
>> ---
>> Howard Leadmon
>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>> bounces at puck.nether.net] On Behalf Of Saku Ytti
>>> Sent: Sunday, December 16, 2007 3:56 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] Control Plane Policing on 7206VXR/NPE-G2.. - Arrgha crash..
>>>
>>> On (2007-12-15 09:26 -0500), Howard Leadmon wrote:
>>>
>>>> Has anyone used a cpp on the 7606/NPE-G2?  If so, did it work OK?  Heck
>>>> and if it worked, care to share what you have done, so maybe I can
>>>> implement something that actually works and doesn't crash everything.  I
>>>> guess for now I'll just run it without one..
>>>
>>> I run CoPP on many 760x's, if you meant 760x or NPE-G2. If you mean
>>> 7206VXR/NPE-G2, then the answer is no. I can't run CoPP on any other
>>> platform than PFC3x based platforms, as MPLS labels aren't popped before
>>> CoPP evaluation, meaning, with explicit-null, nothing can be protected
>>> with CoPP.
>>> Your case looks like a software bug, no doubt. You might want to look
>>> at crashinfo, or at the very least feed it to Output Interpreter and
>>> open a TAC case. You may also want to give 12.2(31)SB10 a go.
>>>
>>> --
>>>  ++ytti
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>



More information about the cisco-nsp mailing list