[c-nsp] Shapping NTP traffic on 6500/7600

Thomas St-Pierre tstpierre at iweb.com
Wed Feb 26 20:01:14 EST 2014

On 2/26/2014, 7:48 PM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:

>On Feb 27, 2014, at 6:41 AM, Thomas St-Pierre <tstpierre at iweb.com> wrote:
>>  Normal traffic shouldn¹t be affected,
>It will be crowded out during an attack.

I can live with this :) If ntp is down for a bit the servers will continue
living. Their clocks shouldn¹t drift that much between the time the DDOS
starts and when we¹ve null-routed the ip (using remotely triggered
null-routes for our upstreams as well :) )

>I don't know if you've the ability to match on packet size or not in
>hardware for QoS - if so, UDP/123 packets which *aren't* 76 bytes in
>length is a good classifier, as it leaves timesync ntp traffic alone and
>squelches everything else.

I admit I didn¹t check the 7600 platform, but the 6500 doesn¹t seem to
support it. I can create the config, but when I apply it to the interface
it says that the interface doesn¹t support matching on length :(


>Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>	  Luck is the residue of opportunity and design.
>		       -- John Milton
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list