[f-nsp] Protecting MLX/XMR MP against attacks with IP Receive ACLs / extended ACL behaviour
"Rolf Hanßen"
nsp at rhanssen.de
Thu Apr 19 10:23:03 EDT 2012
Hello,
this week we had an attack directly against one of our XMR (UDP packets to
a transfer network IP).
I was looking for a CoPP equivalent and found the "IP Receive ACLs" feature.
In the sample case of "I block all UDP and allow everything else" I would use
this config here according to the manual:
access-list 101 remark BLOCK_UDP
access-list 101 deny udp any any
access-list 102 remark ALLOW_ANYTHING_ELSE
access-list 102 permit ip any any
ip receive access-list 101 sequence 5
ip receive access-list 102 sequence 10
The manual says that the default policy is "deny ip any any" (applied after the last
rule).
I am wondering what exactly is matched by "ip" because other protocols are
not mentioned.
Is "ip" an equivalent for "ipv4", or more some kind of "any" in an extended
access list?
Does the above config work, or do I need a standard access list like
"access-list 50 permit any" at the end?
Does anybody maybe already have a "known to work" config for 0815 usage
(BGP, OSPF, VRRP)?
kind regards
Rolf
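Added here as an illustration, not part of Rolf's post and not Brocade's own code: a small Python model of the sequence-ordered, first-match receive-ACL evaluation the post describes. It assumes, as in Cisco-style extended ACLs, that the "ip" keyword matches any IPv4 protocol number, that a bound ACL's rules are tried in order of the "sequence" value, and that an implicit "deny ip any any" follows the last rule. The config lines fed to it are the ones from the post; the packets (UDP, BGP over TCP, OSPF, VRRP) are constructed. The parser only understands the "any any" form used in the post.

```python
"""Model of receive-ACL evaluation (added example, not vendor code).

Assumptions, labelled: "ip" matches any IPv4 protocol number; ACLs bound
with "ip receive access-list N sequence S" are evaluated in ascending S;
first matching rule wins; an implicit "deny ip any any" follows the last rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IANA protocol numbers for the protocols the post names
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "ospf": 89, "vrrp": 112}


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip" (assumed: any IPv4 protocol) or a protocol name

    def matches(self, proto_num: int) -> bool:
        if self.proto == "ip":
            return True  # assumption: "ip" covers every IPv4 protocol number
        return PROTO_NUMBERS[self.proto] == proto_num


@dataclass
class Packet:
    proto_num: int
    dst_port: Optional[int] = None  # informational only in this model


def parse_acl(lines: List[str]) -> Dict[int, List[Rule]]:
    """Parse 'access-list N remark ...' / 'access-list N permit|deny PROTO any any'."""
    acls: Dict[int, List[Rule]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "access-list":
            raise ValueError(f"unrecognised line: {line!r}")
        num = int(parts[1])
        acls.setdefault(num, [])
        if parts[2] == "remark":
            continue
        if parts[2] not in ("permit", "deny") or parts[4:6] != ["any", "any"]:
            raise ValueError(f"only '<action> <proto> any any' is modelled: {line!r}")
        acls[num].append(Rule(parts[2], parts[3]))
    return acls


def parse_receive_bindings(lines: List[str]) -> List[int]:
    """Parse 'ip receive access-list N sequence S'; return ACL numbers ordered by S."""
    bindings = []
    for line in lines:
        parts = line.split()
        if parts[:3] != ["ip", "receive", "access-list"] or parts[4:5] != ["sequence"]:
            raise ValueError(f"unrecognised binding: {line!r}")
        bindings.append((int(parts[5]), int(parts[3])))
    return [num for _, num in sorted(bindings)]


def evaluate(acls: Dict[int, List[Rule]], order: List[int], pkt: Packet) -> Tuple[str, str]:
    """First match across the bound ACLs wins; otherwise the implicit deny applies."""
    for num in order:
        for rule in acls[num]:
            if rule.matches(pkt.proto_num):
                return rule.action, f"acl {num}"
    return "deny", "implicit deny ip any any"


# Config exactly as given in the post
POST_ACLS = parse_acl([
    "access-list 101 remark BLOCK_UDP",
    "access-list 101 deny udp any any",
    "access-list 102 remark ALLOW_ANYTHING_ELSE",
    "access-list 102 permit ip any any",
])
POST_ORDER = parse_receive_bindings([
    "ip receive access-list 101 sequence 5",
    "ip receive access-list 102 sequence 10",
])

# Constructed sample packets: UDP flood, BGP (TCP/179), OSPF, VRRP
SAMPLES = {
    "udp": Packet(PROTO_NUMBERS["udp"], 53),
    "bgp": Packet(PROTO_NUMBERS["tcp"], 179),
    "ospf": Packet(PROTO_NUMBERS["ospf"]),
    "vrrp": Packet(PROTO_NUMBERS["vrrp"]),
}


def verdicts(order: List[int] = POST_ORDER) -> Dict[str, Tuple[str, str]]:
    """Verdict for each sample packet under the given binding order."""
    return {name: evaluate(POST_ACLS, order, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, why) in verdicts().items():
        print(f"{name:5s} -> {action} ({why})")
    # With only ACL 101 bound, everything but UDP hits the implicit deny
    print("bgp with only 101 bound ->", evaluate(POST_ACLS, [101], SAMPLES["bgp"]))
```

Under the stated assumptions the model gives the outcome the post hopes for: UDP is denied by ACL 101, while BGP, OSPF and VRRP are permitted by ACL 102 because "ip" covers every IPv4 protocol, so no trailing standard ACL is needed. Binding only ACL 101 shows why the permit matters: everything non-UDP then falls through to the implicit deny. Whether the platform really treats "ip" this way is exactly the question the post raises, so verify against the device's documentation or a lab box before relying on it.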