Hi,

--On Tuesday, November 06, 2007 11:33:20 -0600 Justin Shore <jus...@justinshore.com> wrote:
> The book discusses how to harden HSRP, VLANs, VTP and trunk ports and how to prevent ARP attacks, STP attacks, etc. It has a good 802.1x section as well. It's got a good amount of useful info. I think CoPP will help you out. Identify the traffic that's causing the DoS right now and address it with CoPP. There are a lot of CoPP users on C-NSP. Then go back and harden the router later.
The original problem was, as far as I remember, "access switches with disabled or non-working spanning-tree created an L2 loop and flooded the PE edge port". The sad truth is that even CoPP on the PFC won't protect from an HSRP or PIM multicast storm. Even a DHCP broadcast storm would kill the control plane.

The problem is that CoPP limits the rate to the listening processes like PIM, HSRP or DHCP relay, but unfortunately a multicast/broadcast storm ends in an interrupt load of nearly 95% and causes OSPF, BGP and other flaps in the core protocols. This is what I just figured out when someone created an L2 loop on a pair of access switches and the connected PEs (Sup720) weren't reachable anymore because of 98% CPU load, and OSPF, BFD and BGP went down although CoPP and some more mls h/w rate-limiters were configured.

In the lab I found out that "mls qos protocol hsrp police" will overcome this problem and, curiously, kept the interrupt load down. For PIM I tried explicitly "mls rate-limit multicast ipv4 pim" with the same effect of protecting the CPU from high interrupt load. CoPP with an HSRP/PIM class and a policer of 32kbps didn't help against the high interrupt load and only kept the PIM/HSRP process load down.

Can anyone explain the interaction in this stuff and why CoPP can't protect from interrupts while the mls h/w rate-limiters can? And why the hell isn't there more than just a PIM, HSRP and ARP h/w rate-limiter? Every directly connected device can kill the PFC control plane by sending multicast/broadcast traffic at a rate of about 100Mbps. And no, storm-control is no alternative, as storm-control would rate-limit multicast traffic entirely, which is a no-go when using multicast as an application.

cheers,
christian

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
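The two approaches Christian compares, written out as an added Catalyst 6500 (Sup720/PFC3) configuration fragment. This is not from the thread or from any poster; it shows the CoPP policy with the 32 kbps HSRP/PIM classes the post says only bounded process load, next to the "mls qos protocol hsrp police" and "mls rate-limit multicast ipv4 pim" hardware rate-limiters the post says kept interrupt load down. Class, ACL and policy names, the pps/bps values and the burst sizes are assumptions chosen for illustration; the thread reports the observed effect, not the mechanism, so this fragment only reproduces the two configurations side by side.

```cisco
! Added example, not from the cisco-nsp thread. Names and numeric values are assumptions.
! Hardware CoPP on Sup720/PFC3 requires mls qos to be enabled globally.
mls qos

! HSRP hellos: UDP/1985 to 224.0.0.2 (v1) or 224.0.0.102 (v2)
ip access-list extended COPP-HSRP
 permit udp any host 224.0.0.2 eq 1985
 permit udp any host 224.0.0.102 eq 1985
! PIM control traffic (IP protocol 103)
ip access-list extended COPP-PIM
 permit pim any any

class-map match-any COPP-HSRP
 match access-group name COPP-HSRP
class-map match-any COPP-PIM
 match access-group name COPP-PIM

! 1) CoPP only, as tested in the thread: 32 kbps per class.
!    This caps what reaches the HSRP/PIM processes; per the lab result
!    it did not stop interrupt-level CPU load during a multicast storm.
policy-map COPP
 class COPP-HSRP
  police 32000 conform-action transmit exceed-action drop
 class COPP-PIM
  police 32000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP

! 2) PFC hardware rate-limiters, which the thread reports did keep
!    interrupt load down. mls rate-limit takes pps [burst-packets];
!    mls qos protocol ... police takes bps [burst-bytes]. The values
!    below are assumed starting points; size them for the number of
!    HSRP groups and PIM neighbours on the box.
mls rate-limit multicast ipv4 pim 500 100
mls qos protocol hsrp police 32000 4000
mls qos protocol arp police 32000 4000
```

To see which of the two is actually absorbing a storm, compare `show policy-map control-plane` (CoPP class counters) with `show mls rate-limit` (hardware limiter status and counters) while watching `show processes cpu`: the second figure in "CPU utilization for five seconds: 98%/95%" is the interrupt-level share, which is the number Christian says CoPP alone left untouched.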