[c-nsp] Control Plane Policing on 7206VXR/NPE-G2.. - Arrghacrash..

Arie Vayner (avayner) avayner at cisco.com
Mon Dec 17 15:23:57 EST 2007


Actually,

Doing CoPP on VXR can prove a good thing, as it may delay the effect of
DDoS attacks directed at the router.
It will not stop it completely as it is not done in HW, but the attack
would be dropped much earlier in the forwarding path and would require a
much larger attack to bring the router down.

Arie 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Bedard
Sent: Monday, December 17, 2007 17:08 PM
To: Chris
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Control Plane Policing on 7206VXR/NPE-G2.. -
Arrghacrash..

Storm control and aggregate policers are 6500/7600-only mechanisms.
To the original poster, it does sound like a CPP bug on the VXR, which I
guess wouldn't surprise me all that much. Doing CPP on the VXR I would
guess is only marginally (if at all) better than not doing it at all,
since it's not a distributed platform. I could be wrong however. I
would try to identify the possible attack vectors and use policing/ACLs
on the ingress interfaces to mitigate it, or put protections on
the VXR's upstream neighbor, if possible. Unfortunately if someone
really wants to take down a VXR, it's not all that difficult to do so.

Phil


On Dec 17, 2007, at 7:38 AM, Chris wrote:

> Howard,
>
> I think you *can* do CoPP on a VXR but you'll need 12.2(18)S at
> least. You may also wish to look into storm control and aggregate
> policers. Lastly, if the DoS attack is coming from just a few IPs,
> I'd just null route them.
>
> Chris
>
> On Dec 17, 2007 2:49 AM, Howard Leadmon <howard at leadmon.net> wrote:
>
>> Ack, that was a typo, you're right, the subject line had it correct..
>>
>> The query was on a 720xVXR/NPE-G2 series router. Will have to look
>> at the 12.2 stuff, I think when I got the router it came with 12.4,
>> so I just updated to the most current rev before deploying it in the
>> network.
>>
>> Talk about a bear getting rid of it, since trying to remove it from
>> the config caused the crash, I had to write a replacement config
>> without it to startup, and then reload. Still it would be nice to
>> have some working cpp on the router.
>>
>>
>> ---
>> Howard Leadmon
>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>> bounces at puck.nether.net] On Behalf Of Saku Ytti
>>> Sent: Sunday, December 16, 2007 3:56 AM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: Re: [c-nsp] Control Plane Policing on 7206VXR/NPE-G2.. -  
>>> Arrgha
>>> crash..
>>>
>>> On (2007-12-15 09:26 -0500), Howard Leadmon wrote:
>>>
>>>> Has anyone used a cpp on the 7606/NPE-G2? If so, did it work OK?
>>>> Heck and if it worked, care to share what you have done, so maybe
>>>> I can implement something that actually works and doesn't crash
>>>> everything. I guess for now I'll just run it without one..
>>>
>>> I run CoPP on many 760x's, if you meant 760x or NPE-G2. If you mean
>>> 7206VXR/NPE-G2, then the answer is no. I can't run CoPP on any other
>>> platform than PFC3x-based platforms, as MPLS labels aren't popped
>>> before CoPP evaluation, meaning, with explicit-null, nothing can be
>>> protected with CoPP.
>>> Your case looks like a software bug, no doubt. You might want to look
>>> at crashinfo, or at the very least feed it to Output Interpreter and
>>> open a TAC case. You may also want to give 12.2(31)SB10 a go.
>>>
>>> --
>>>  ++ytti
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/