[c-nsp] All multicast punting to CPU on 6500
Dobbins, Roland
rdobbins at arbor.net
Mon Dec 17 10:00:41 EST 2012
On Dec 17, 2012, at 5:58 PM, Robert Williams wrote:
> The 'attack' traffic entered via the Non-Cisco router, from the internet. It was delivered to the LAN switch while the NLB was unreachable. Thus the switch flooded to all ports, which included the 6500.
NLB is a bag of hurt, IMHO.
What DDoS mitigation mechanisms have you deployed? S/RTBH is a very useful basic capability which can leverage your existing network infrastructure.
Configuring proper iACLs and policy-enforcement ACLs/VACLs/PACLs as noted previously in order to express the situationally-appropriate access policies is also recommended.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design.
-- John Milton
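As an added illustration of the S/RTBH mechanism recommended above (example configuration written for this archive page, not part of the original thread): a trigger router injects a /32 for the offending source into iBGP with a next-hop that every edge router resolves to Null0, and loose-mode uRPF on the edges then discards packets *from* that source. AS 64496, the neighbor addresses, the blackholed source 198.51.100.77 and the discard next-hop 192.0.2.1 are all placeholders.

```cisco
! --- Trigger router (IOS) ---
! One static per attack source to be blackholed, tagged so the
! route-map picks it up. Placeholder source address.
ip route 198.51.100.77 255.255.255.255 Null0 tag 666
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 64496
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.1 remote-as 64496
 neighbor 10.0.0.1 send-community
!
! --- Every edge router (IOS) ---
! The discard next-hop resolves to Null0, so the learned /32 is
! a blackhole route; loose uRPF turns that destination check
! into a source check and drops traffic sourced from 198.51.100.77.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface Null0
 no ip unreachables
!
interface TenGigabitEthernet1/1
 description upstream transit
 ip verify unicast source reachable-via any
!
router bgp 64496
 neighbor 10.0.0.2 remote-as 64496
 neighbor 10.0.0.2 send-community
```

Withdrawing the blackhole is just removing the tagged static on the trigger; `show ip cef 192.0.2.1` on an edge should show the drop adjacency while it is in place.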