[c-nsp] ignore "ip tcp adjust-mss" packets in CoPP
"Rolf Hanßen"
nsp at rhanssen.de
Wed Feb 26 19:19:44 EST 2014
Hi,
I just saw that strict filtering with CoPP (only allow peers and some
management servers) breaks the "ip tcp adjust-mss" functionaliy.
The window size is manipulated to be able to redirect traffic via a tunnel
from a anti-ddos provider.
Is there a smart way to bypass CoPP for exactly those packets without
making 3/4 of the CoPP rules useless?
Adding a "permit tcp any any syn" or similar rule does not look like a
good option to me.
I think of something like "mls rate-limit unicast cef glean" for packets
needing ARP-action from the RP.
Hardware is a 6506 with Sup720-3B and 67xx cards.
kind regards
Rolf
More information about the cisco-nsp
mailing list