[c-nsp] ignore "ip tcp adjust-mss" packets in CoPP

"Rolf Hanßen" nsp at rhanssen.de
Wed Feb 26 19:19:44 EST 2014


I just saw that strict filtering with CoPP (only allow peers and some
management servers) breaks the "ip tcp adjust-mss" functionality.
The window size is manipulated to be able to redirect traffic via a tunnel
from an anti-DDoS provider.
Is there a smart way to bypass CoPP for exactly those packets without
making 3/4 of the CoPP rules useless?
Adding a "permit tcp any any syn" or similar rule does not look like a
good option to me.

I think of something like "mls rate-limit unicast cef glean" for packets
needing ARP-action from the RP.
Hardware is a 6506 with Sup720-3B and 67xx cards.

kind regards
