
List:       cisco-nsp
Subject:    Re: [c-nsp] control plane policing feature
From:       Saku Ytti <saku+cisco-nsp () ytti ! fi>
Date:       2005-12-25 13:23:47
Message-ID: 20051225132347.GA16614 () ytti ! fi

On (2005-12-25 12:43 +0100), Gert Doering wrote:
 
> Can you do it the other way round, like "police ip any any" first, and
> then leave all non-IP things in the "match-default" class, with high
> enough bps values?

 Yup, but then the connected customer can DoS you with CLNS packets (I'm
assuming IOS accepts those even if CLNS is not configured, TAC agreed
with this assumption). Dunno which is greater risk, run unsupported
but working (in VXR at least) configuration or leave this attack-vector
open.

> (Merry christmas, by the way.  However politically incorrect it might be)

:>

-- 
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/