Hi, any comments on this? @Saku Ytti you probably have good opinions and inside knowledge?
I cannot be the only one exploring this. The main objective is to drop anything not explicitly permitted, i.e. set the UDP and TCP default policers to zero. With Juniper it's easy if you know what you're doing.

On Friday, May 28, 2021, Mark Smith <[email protected]> wrote:

> Hi list
>
> I'm trying to harden an ASR9k box with LPTS. I have read lots of interesting discussions on the list, e.g. this thread: https://puck.nether.net/pipermail/cisco-nsp/2016-August/103532.html
>
> I have been testing the following lpts configuration. It seems to work fine. I know it's not necessarily following Cisco's best practices and recommendations but I don't know exactly why.
>
> Has anybody used this kind of config with or without success? Which kind of problems should I expect, if any?
>
> lpts pifib hardware police
>  flow fragment rate 0
>  flow bgp default rate 0
>  flow udp default rate 0
>  flow tcp default rate 0
>  flow multicast default rate 0
>
> I welcome all real-world hardened lpts configuration examples.
>
> Naturally I'm also implementing the iACL. But as I come from the world of Juniper, using very strict CoPP is an attractive approach. Layered protection. "Permit what you need and deny everything else".
>
> You never know when things like JSA11147 pop up.

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
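As an added example (not part of the thread and not Cisco's or anyone's production tooling), here is a small Python audit that parses an IOS XR `lpts pifib hardware police` block in the syntax shown in the quoted post and reports which of the "default" flows are still policed at a non-zero rate, or are missing from the block altogether. The five flow names it checks are exactly the ones in the quoted configuration; real platforms expose many more flow types, and the two sample configurations embedded below are constructed for the example, not taken from a real router.

```python
"""Audit an IOS XR 'lpts pifib hardware police' block for default flows left open.

Added example, not from the cisco-nsp thread. Assumes the config syntax shown in
the quoted post: 'flow <name> [default] rate <pps>' lines indented under
'lpts pifib hardware police'. The flow list and both sample configs are
constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Flows the quoted post sets to rate 0 so that traffic not explicitly
# permitted elsewhere is dropped by the hardware policer.
DEFAULT_DENY_FLOWS = (
    "fragment",
    "bgp default",
    "udp default",
    "tcp default",
    "multicast default",
)

# Matches 'flow bgp default rate 0' and captures the flow name and pps rate.
FLOW_RE = re.compile(r"^\s*flow\s+(?P<name>.+?)\s+rate\s+(?P<rate>\d+)\s*$")

# Constructed sample: one default flow left at 100 pps, one flow missing.
SAMPLE_CONFIG = """\
hostname lab-asr9k
!
lpts pifib hardware police
 flow fragment rate 0
 flow bgp default rate 0
 flow udp default rate 0
 flow tcp default rate 100
!
interface Loopback0
 ipv4 address 192.0.2.1 255.255.255.255
!
"""

# Constructed sample mirroring the block quoted in the post.
HARDENED_CONFIG = """\
lpts pifib hardware police
 flow fragment rate 0
 flow bgp default rate 0
 flow udp default rate 0
 flow tcp default rate 0
 flow multicast default rate 0
!
"""


def parse_lpts_police(config: str) -> Dict[str, int]:
    """Return {flow name: rate} for 'flow ... rate N' lines in the police block."""
    rates: Dict[str, int] = {}
    in_block = False
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("!"):
            continue  # blank lines and IOS XR section terminators
        if stripped.startswith("lpts pifib hardware police"):
            in_block = True
            continue
        if not in_block:
            continue
        m = FLOW_RE.match(line)
        if m:
            rates[m.group("name")] = int(m.group("rate"))
        elif not line.startswith(" "):
            in_block = False  # a new top-level statement ends the block
    return rates


def audit(config: str) -> Tuple[List[str], List[str]]:
    """Return (default flows with non-zero rate, default flows not configured)."""
    rates = parse_lpts_police(config)
    still_open = [f for f in DEFAULT_DENY_FLOWS if f in rates and rates[f] != 0]
    missing = [f for f in DEFAULT_DENY_FLOWS if f not in rates]
    return still_open, missing


def is_default_deny(config: str) -> bool:
    """True only when every flow in DEFAULT_DENY_FLOWS is present at rate 0."""
    still_open, missing = audit(config)
    return not still_open and not missing


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        still_open, missing = audit(cfg)
        print(f"{label}: non-zero={still_open} missing={missing} "
              f"default-deny={is_default_deny(cfg)}")
```

The check is deliberately strict in both directions: a flow that is absent from the block falls back to the platform default policer rate, so "missing" is just as much a finding as "non-zero" when the goal is to deny everything not explicitly permitted.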
