[f-nsp] XMR CoPP or equivalent?

Abello, Vinny Vinny_Abello at dell.com
Thu Sep 9 19:24:48 EDT 2010


I have my answer after contacting Brocade and will post it here for the benefit of anyone else seeking the same answer. What I was looking for was rACLs although there are a few other features as specified below. This was the response from Brocade:

Here are some of the security features that can be used to protect CPU. This is in addition to the access policies and rate limiting of traffic.

Please note that each of these functions has benefits and restrictions. Hence please go through the documentation prior to implementing any of these.

IP Receive ACLs
The IP receive access-control list feature (rACL) provides hardware-based filtering capability for IPv4 traffic
destined for the CPU in the default VRF such as management traffic. Its purpose is to protect the management
module's CPU from overloading due to large amounts of traffic sent to one of the NetIron router's IP interfaces.
Using the rACL command, the specified ACL is applied to every interface on the NetIron router. This eliminates the
need to add an ACL to each interface on a NetIron router.

Transparent VLAN Flooding
You can configure your NetIron router for transparent VLAN flooding. This feature allows packets to be forwarded
without any form of CPU intervention including MAC learning and MAC destination lookups.

VLAN CPU Protection
VLAN CPU protection is recommended for the VLANs which are intended for pure Layer2 use. This feature will
protect the CPU from the flooding of unknown-unicast/multicast/broadcast L2 packets on that VLAN.

Protecting Against Denial of Service Attacks
Denial of Smurf/TCP SYN/Reset attacks are explained here.

All these features are explained in the documentation guide and can be downloaded using the following link:

http://kp.foundrynet.com/Portal/software/default.asp?ACT=DIR&NAME=NetIronXMR-MLX.700\05000.700\05000.700\Manuals.700

On Sep 7, 2010, at 12:00 PM, Abello, Vinny wrote:

Hi all,

I have been trying to locate any documentation for something equivalent to Cisco’s CoPP (control-plane policing) for the Foundry/Brocade NetIron XMR and haven’t had much success. Does such a feature even exist or is it even needed on this platform? I can’t imagine the control-plane is completely immune to attack out of the box. Any pointers to documentation or what the feature or features are called?

Thanks!

-Vinny