[c-nsp] Hardening LPTS
Mark Smith
markrefresh12 at gmail.com
Fri Jun 4 10:19:50 EDT 2021
Hi
On Friday, June 4, 2021, Saku Ytti <saku at ytti.fi> wrote:
> Sorry, not really. LPTS is quite a blockbox and there is not much you
> can do to improve if you have actual control-plane issues after LPTS.
Thanks for comments. This is very valuable info. What are your thoughts
about:
flow udp default rate 0
flow tcp default rate 0
Are they safe to use? Cisco did not recommend them but I dont understand
why. And they failed to explain. Maybe because they dont understand
themselves either ;)
According to my tests without those configs e.g. unauthorized [1] ssh is
probably punted because router replies with tcp rst (actually multiple rst
packets). After tcp default 0 router does not send response which is better
[1] control-plane management-plane ... allow ssh peer
More information about the cisco-nsp
mailing list