[f-nsp] Securing Xmr

Dan Spataro dspataro at corp.nac.net
Wed Dec 1 14:17:46 EST 2010


You should also use an IP Receive ACL.  That way you can block unwanted IP traffic going to the router.  You need to watch out because the Receive ACL can eat up all of your receive-cam.  

The formula to figure out how much receive-cam the ACL will eat is 

(number of lines + explicit deny) * number of IP interfaces = number of CAM entries

So if you have 100 lines in your ACL and 40 IP interfaces, you are using 4000.  The default is 1024 (XMR 4000).  You can increase it, but then you steal from the rule-ACL-cam.



Hope that helps,

Dan


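An added example, not from Dan's post or from Brocade documentation: a minimal IPv4 receive ACL of the kind described above, written in NetIron (MLX/XMR) CLI syntax. The ACL number, peer and management addresses are placeholders, and the ICMP type keywords and the exact form of the `ip receive access-list` command should be checked against the NetIron release in use before pasting it. The `!` lines are explanatory and are not part of the configuration.

```text
! Traffic that is allowed to reach the router's own addresses.
! Every line below is programmed once per IP interface, so keep it short.
!
! BGP with a placeholder eBGP peer (both directions: peer opens to us, or we open to peer)
access-list 101 permit tcp host 192.0.2.1 any eq 179
access-list 101 permit tcp host 192.0.2.1 eq 179 any
!
! Management from a placeholder management subnet: SSH, NTP, SNMP
access-list 101 permit tcp 198.51.100.0/24 any eq 22
access-list 101 permit udp 198.51.100.0/24 any eq 123
access-list 101 permit udp 198.51.100.0/24 any eq 161
!
! ICMP needed for reachability testing and path MTU discovery
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
!
! Everything else addressed to the router itself is dropped.
! (This is the explicit deny that counts as a line in Dan's formula.)
access-list 101 deny ip any any
!
! Apply the list as a receive ACL (applies to traffic destined to the router, not transit).
ip receive access-list 101 sequence 10
```

With Dan's formula this list is 11 lines (10 permits plus the explicit deny); on a box with 40 IP interfaces it consumes 11 * 40 = 440 receive-CAM entries, comfortably inside the 1024 default, whereas a 100-line list on the same box would already exceed it. Before deploying, add permits for whatever other control-plane traffic the router actually receives (OSPF, VRRP, additional BGP peers, IPv6 if used), apply it during a maintenance window, and confirm that sessions stay up, since anything the list misses is silently dropped by the final deny.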

-----Original Message-----
From: foundry-nsp-bounces at puck.nether.net [mailto:foundry-nsp-bounces at puck.nether.net] On Behalf Of Brendan Mannella
Sent: Thursday, November 25, 2010 4:49 PM
To: foundry-nsp at puck.nether.net
Subject: [f-nsp] Securing Xmr

We purchased a couple of MLX-e (XMR) that act as border/core routers to be used in a hosting environment. I have googled and only came up with a doc from '03. I have done most of the basic stuff, but wondered if someone could point me to a newer doc or give me config examples.

I am looking for something similar to RE-Protect on Junos. Things like rate-limiting ICMP headed towards the router itself and other best practices, as well as basic DoS protection. No ICMP redirects, etc.

Thanks in Advance

Brendan
_______________________________________________
foundry-nsp mailing list
foundry-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp