[c-nsp] Hardening LPTS

Mark Smith markrefresh12 at gmail.com
Fri Jun 4 10:19:50 EDT 2021


Hi

On Friday, June 4, 2021, Saku Ytti <saku at ytti.fi> wrote:
> Sorry, not really. LPTS is quite a black box and there is not much you
> can do to improve if you have actual control-plane issues after LPTS.

Thanks for the comments. This is very valuable info. What are your thoughts
about:
flow udp default rate 0
flow tcp default rate 0

Are they safe to use? Cisco did not recommend them but I don't understand
why. And they failed to explain. Maybe because they don't understand
themselves either ;)

According to my tests, without those configs an unauthorized [1] SSH connection is
probably punted, because the router replies with a TCP RST (actually multiple RST
packets). After tcp default rate 0 the router does not send a response, which is better.

[1] control-plane management-plane ... allow ssh peer
