[f-nsp] route processor/control plane protection recommendations

Mike Leber mleber at he.net
Fri Jul 20 03:51:52 EDT 2007


I'm wondering if anybody has any control plane protection recommendations
for the Foundry XMR.

There are supposedly wirespeed ACLs that can be used to protect the route
processor, how might one go about configuring this?

Cisco implements this in hardware on the PRPs for the GSRs.  It would be
nice if there was a stock example "How To" document for Foundry which
covered this for the XMRs.

Example typical desires are:

* rate limit ICMP to the RP (assuming that's where pings to
physical/vlan/loopback interfaces end up).

* limit ssh, telnet, etc to specific IPs or prefixes at layer 3 (hardware
ACLs), not at the application layer (in the route processor, meaning you
already lost the battle).

Of course you can put an application layer ACL on telnet and SNMP, as well
as limit ssh by IP, however these appear to be at the application layer
and not wirespeed.  This would be indicated by the various application
layer "access rejected" type messages in the logs (and therefore not
something happening in hardware).

Mike.

+----------------- H U R R I C A N E - E L E C T R I C -----------------+
| Mike Leber           Direct Internet Connections   Voice 510 580 4100 |
| Hurricane Electric     Web Hosting  Colocation       Fax 510 580 4151 |
| mleber at he.net                                       http://www.he.net |
+-----------------------------------------------------------------------+
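Added example, not from the post or from Foundry: the two "typical desires" above (rate-limit ICMP to the RP, and restrict ssh/telnet/SNMP to management prefixes before the packet reaches the application) written as Cisco IOS Control Plane Policing, the hardware-assisted Cisco feature the post points to as the reference. The post does not supply Foundry XMR syntax, so none is shown here. The management prefix 192.0.2.0/24 and the policer rates are assumptions chosen for illustration.

```text
! Added example: IOS CoPP policy (not Foundry syntax; prefix and rates are assumptions)
!
! Traffic to be rate-limited rather than denied
ip access-list extended CoPP-ICMP
 permit icmp any any
!
! Management traffic from the permitted prefix (assumed: 192.0.2.0/24)
ip access-list extended CoPP-MGMT-OK
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp 192.0.2.0 0.0.0.255 any eq 23
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
!
! The same services from anywhere else: dropped in the forwarding path,
! so the daemon never sees the connection and never logs a reject
ip access-list extended CoPP-MGMT-BAD
 permit tcp any any eq 22
 permit tcp any any eq 23
 permit udp any any eq snmp
!
class-map match-all CoPP-ICMP
 match access-group name CoPP-ICMP
class-map match-all CoPP-MGMT-OK
 match access-group name CoPP-MGMT-OK
class-map match-all CoPP-MGMT-BAD
 match access-group name CoPP-MGMT-BAD
!
! Class order matters: the permitted-prefix class must precede the catch-all
policy-map CoPP
 class CoPP-MGMT-OK
  police 512000 8000 conform-action transmit exceed-action drop
 class CoPP-MGMT-BAD
  police 8000 1500 conform-action drop exceed-action drop
 class CoPP-ICMP
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  police 128000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
```

The check a practitioner wants before trusting this: `show policy-map control-plane` shows per-class conformed and exceeded counters, so a flood of ssh SYNs from outside 192.0.2.0/24 should raise the CoPP-MGMT-BAD drop counter while the device log stays silent, which is the opposite of the application-layer "access rejected" messages the post describes. Before deploying, add explicit classes for routing and management-plane protocols the box depends on (BGP, IGP, NTP, etc.) ahead of class-default, since the class-default policer above would otherwise throttle them along with everything else.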