Cisco 7600-ES20-GE3CXL-RF - Ethernet Services 20G Line Card Switch User Manual, Page 51

Caveats for Cisco IOS Release 12.2(33)SRD through 12.2(33)SRD8
OL-10394-05 Rev. R0
* Using Infrastructure ACLs at Network Boundary
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic
that should never be allowed to target your infrastructure devices and block that traffic at the border
of your network. iACLs are a network security best practice and should be considered as a long-term
addition to good network security as well as a workaround for this specific vulnerability. The iACL
example shown below should be included as part of the deployed infrastructure access-list that will
protect all devices with IP addresses in the infrastructure IP address range. If FST is not used,
protocol 91 may be completely filtered. Additionally, if UDP is disabled with the dlsw udp-disable
command, UDP port 2067 may also be completely filtered.
!--- Permit DLSw (UDP port 2067 and IP protocol 91) packets
!--- from trusted hosts destined to infrastructure addresses.
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2067
access-list 150 permit 91 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
!--- Deny DLSw (UDP port 2067 and IP protocol 91) packets from
!--- all other sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2067
access-list 150 deny 91 any INFRASTRUCTURE_ADDRESSES MASK
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations.
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
interface serial 2/0
 ip access-group 150 in
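To check that the template above does what the text says once the placeholders are filled in, here is an added Python model of access-list 150 (example code, not from the release notes or from Cisco): it implements IOS wildcard-mask matching and first-match evaluation, and lets you drop the permit lines when FST or DLSw UDP is not in use, as described above. The TRUSTED_HOSTS and INFRASTRUCTURE_ADDRESSES values are constructed assumptions.

```python
import ipaddress

# Constructed sample values for the template placeholders (assumptions, not from the page).
TRUSTED_HOSTS = ("192.0.2.0", "0.0.0.255")       # TRUSTED_HOSTS MASK
INFRA_ADDRESSES = ("10.255.0.0", "0.0.0.255")    # INFRASTRUCTURE_ADDRESSES MASK
ANY = ("0.0.0.0", "255.255.255.255")             # IOS keyword "any"


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def build_acl_150(fst_in_use=True, dlsw_udp_enabled=True):
    """Entries mirror access-list 150 above: (action, protocol, source, destination, dst_port).
    Protocol is 'udp', 'ip' (matches everything) or IP protocol number 91 (FST).
    As the text notes, the permit lines can be dropped when FST or DLSw UDP is not used."""
    acl = []
    if dlsw_udp_enabled:
        acl.append(("permit", "udp", TRUSTED_HOSTS, INFRA_ADDRESSES, 2067))
    if fst_in_use:
        acl.append(("permit", 91, TRUSTED_HOSTS, INFRA_ADDRESSES, None))
    acl += [
        ("deny", "udp", ANY, INFRA_ADDRESSES, 2067),
        ("deny", 91, ANY, INFRA_ADDRESSES, None),
        ("permit", "ip", ANY, ANY, None),  # everything else transits the device
    ]
    return acl


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; IOS appends an implicit deny if nothing matches."""
    for action, aproto, (snet, smask), (dnet, dmask), aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (wildcard_match(src, snet, smask) and wildcard_match(dst, dnet, dmask)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    acl = build_acl_150()
    # Trusted DLSw peer to an infrastructure address: permitted; any other source: denied.
    print(evaluate(acl, "udp", "192.0.2.10", "10.255.0.1", 2067))    # permit
    print(evaluate(acl, "udp", "198.51.100.7", "10.255.0.1", 2067))  # deny
    # The same DLSw packet merely transiting to a non-infrastructure address: permitted.
    print(evaluate(acl, "udp", "198.51.100.7", "203.0.113.9", 2067))  # permit
```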
The white paper entitled “Protecting Your Core: Infrastructure Protection Access Control Lists”
presents guidelines and recommended deployment techniques for infrastructure protection access
lists. This white paper can be obtained at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Further Problem Description: This vulnerability requires multiple events to occur before it can be exploited. It is of medium complexity to exploit and has never been seen in a customer environment.
CSCsz72138
Symptoms: A POS interface on a PA-POS-2OC3 may become stuck. Once the interface is in this state, all packets are dropped:
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 72048413  <<<<<<<<<<<<<<<<<<<<all packets are getting dropped
Queueing strategy: Class-based queueing
Output queue: 197/1000/0 (size/max total/drops)  <<<<<<<<<<<output queue remains stuck at 197