[c-nsp] Hardening LPTS

Mark Smith markrefresh12 at gmail.com
Fri Jun 4 01:59:29 EDT 2021


Hi

Any comments on this? @Saku Ytti you probably have good opinions and inside
knowledge?

I cannot be the only one exploring this.

The main objective is to drop anything not explicitly permitted, i.e. set
udp and tcp default policers to zero. With Juniper it's easy if you know
what you're doing.



On Friday, May 28, 2021, Mark Smith <markrefresh12 at gmail.com> wrote:
> Hi list
>
> I'm trying to harden ASR9k box with LPTS. I have read lots of interesting
> discussions on the list, e.g. this thread:
> https://puck.nether.net/pipermail/cisco-nsp/2016-August/103532.html
>
> I have been testing following lpts configuration. It seems to work fine.
> I know it's not necessarily following Cisco's best practices and
> recommendations but I don't know exactly why.
>
> Has anybody used this kind of config with or without success? Which kind
> of problems should I expect if any?
>
> lpts pifib hardware police
> flow fragment rate 0
> flow bgp default rate 0
> flow udp default rate 0
> flow tcp default rate 0
> flow multicast default rate 0
>
> I welcome all real-world hardened lpts configuration examples.
>
> Naturally I'm also implementing the iACL. But as I come from the world of
> Juniper using very strict CoPP is attractive approach. Layered protection.
> "Permit what you need and deny everything else".
>
> You never know when things like JSA11147 pop up.
>
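An added audit script (not from this thread or from Cisco) that parses an IOS XR `lpts pifib hardware police` block and reports which of the default flows from the quoted config are missing or policed above 0 pps. It assumes the `flow <name> rate <pps>` line syntax shown in the post; the two sample configs are constructed, one matching the quoted config and one deliberately weakened.

```python
import re
from typing import Dict, List

# Flows the quoted config polices to 0 pps ("deny everything else").
REQUIRED_ZERO = {
    "fragment", "bgp default", "udp default", "tcp default", "multicast default",
}

# Matches e.g. "flow bgp default rate 0" or "flow bgp known rate 2500".
FLOW_RE = re.compile(r"^flow\s+(?P<flow>.+?)\s+rate\s+(?P<rate>\d+)$")


def parse_lpts_police(config: str) -> Dict[str, int]:
    """Return {flow name: rate} from the 'lpts pifib hardware police' block.

    Only lines inside that block are read; a '!' or any line that is not a
    'flow ... rate N' statement closes the block.
    """
    rates: Dict[str, int] = {}
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("lpts pifib hardware police"):
            in_block = True
            continue
        if not in_block:
            continue
        m = FLOW_RE.match(line)
        if m:
            rates[m.group("flow")] = int(m.group("rate"))
        else:
            in_block = False  # '!' or another top-level command ends the block
    return rates


def audit_defaults(config: str) -> List[str]:
    """Findings for default flows that are absent or policed above 0 pps."""
    rates = parse_lpts_police(config)
    findings = []
    for flow in sorted(REQUIRED_ZERO):
        if flow not in rates:
            findings.append(f"{flow}: not configured (platform default applies)")
        elif rates[flow] != 0:
            findings.append(f"{flow}: rate {rates[flow]} pps, expected 0")
    return findings


# Constructed samples: HARDENED mirrors the quoted config, WEAK is degraded.
HARDENED = """lpts pifib hardware police
 flow fragment rate 0
 flow bgp default rate 0
 flow udp default rate 0
 flow tcp default rate 0
 flow multicast default rate 0
!
"""
WEAK = """lpts pifib hardware police
 flow fragment rate 0
 flow bgp known rate 2500
 flow bgp default rate 0
 flow udp default rate 100
 flow tcp default rate 0
!
"""
```

Running `audit_defaults(WEAK)` flags the 100 pps UDP default policer and the missing multicast default flow, while the known-BGP policer is parsed but not reported.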

