Hi,
My understanding is that you have to use class-default to match IS-IS
and a bunch of other things.
In terms of security, I prefer to have a strict policy so that in
class-default section, I'd rather drop everything that "I'm not aware of".
The Press book "Router Security Strategies" has a good amount of info on
CoPP, complete with sample config.
I'll try to have a quick look.
The cornerstone for me is to identify if "match protocol
clns|clns_is|clns_es" is available and can be applied on 760X using
122-33SRC1 so that I can match ISIS pack in my "IGP class" and finally
drop/apply low rate to everything in "class-default"
Thanks anyway for your pointer.
Bgrds/Frederic
Justin
Frederic LOUI wrote:
Hi all,
We're currently using Receive-ACL(s) in order to protect as much as
possible, ingress traffic coming to any router's interface. Actually,
this is possible on 12K IOS 12.0(32)S8.
As far as I can see in CCO documentation, there is no equivalent to
receive-acl for 760X... In terms of "Control Plane Protection", it
seems that CoPP is the way to go ...
In all kinds of documentation it is easy to match ospf packet type
through ACL or the "match protocol ospf" statement. However, I'm
wondering how to match ISIS packets. (rACLs do not filter ISIS packets)
There are several available commands under class-map statement:
"match protocol clns"
"match protocol clns_is"
"match protocol clns_es"
But because of various reasons I can't test these commands.
(I don't have a 760x test box yet ... ;-) )
Anyone had any experience with CoPP and ISIS on 760x box ? (Target IOS
is 122-33.SRC1)
I've seen in the forum's archive that this issue has already been
discussed, but the conclusion is a bit outdated. (Maybe the platform
has considerably evolved ?? Apologies if the question is obvious...) on
Anyway,
Thanks all in advance for your help,
Bgrds/Frederic
------------------------------------------------------------------------
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/