[c-nsp] Cisco 6500/Sup720 ARP CoPP

Nick Hilliard nick at inex.ie
Tue Feb 9 15:13:49 EST 2010


On 09/02/2010 19:37, Saku Ytti wrote:
> I think you've gathered relevant and correct data, I don't think PFC3
> supports ARP match in CoPP. So you must use MLS rate-limiter, where you
> have to remember that AFAIK this is also for transit ARP which you might be
> bridging as a switch.

So, this looks like an effective attack vector for trashing sup720 RPs then
- if you have L2 access to the device.  Makes a good argument for
implementing ARP sponges on core paths and edges so that this cannot be
exploited remotely.

I assume that IPv6 ND is sufficiently high up the protocol stack that it
can be managed by CoPP?

Nick
