[c-nsp] Hardening LPTS

Mark Smith markrefresh12 at gmail.com
Fri May 28 07:09:33 EDT 2021


Hi list

I'm trying to harden an ASR9k box with LPTS. I have read lots of interesting
discussions on the list, e.g. this thread:
https://puck.nether.net/pipermail/cisco-nsp/2016-August/103532.html

I have been testing the following LPTS configuration. It seems to work fine. I
know it's not necessarily following Cisco's best practices and
recommendations, but I don't know exactly why.

Has anybody used this kind of config, with or without success? What kind of
problems should I expect, if any?

lpts pifib hardware police
flow fragment rate 0
flow bgp default rate 0
flow udp default rate 0
flow tcp default rate 0
flow multicast default rate 0

I welcome all real-world hardened LPTS configuration examples.

Naturally I'm also implementing the iACL. But as I come from the world of
Juniper, using a very strict CoPP is an attractive approach. Layered protection.
"Permit what you need and deny everything else".

You never know when things like JSA11147 pop up.

