[c-nsp] Cisco 6500/Sup720 ARP CoPP

Phil Mayers p.mayers at imperial.ac.uk
Wed Feb 10 04:17:59 EST 2010


On 02/09/2010 08:13 PM, Nick Hilliard wrote:
> On 09/02/2010 19:37, Saku Ytti wrote:
>> I think you've gathered relevant and correct data, I don't think PFC3
>> supports ARP match in CoPP. So you must use MLS rate-limiter, where you
>> have to remember that AFAIK this is also for transit ARP which you might be
>> bridging as a switch.
>
> so, this looks like an effective attack vector for trashing sup720 RPs then
> - if you have l2 access to the device.  Makes a good argument for
> implementing arp sponges on core paths and edges so that this cannot be
> exploited remotely.

Correct.

>
> I assume that ipv6 nd is sufficiently high up the protocol stack that it
> can be managed by copp?

Off the top of my head I think CoPP is run in software for ipv6 traffic.


More information about the cisco-nsp mailing list