Cisco 7600-ES20-GE3CXL-RF - Ethernet Services 20G Line Card Switch Manual de usuario descargar pdf (Pagina 79)

525

Caveats for Cisco IOS Release 12.2(33)SRD through 12.2(33)SRD8

OL-10394-05 Rev. R0

!--- Layer4 traffic in accordance with existing security policies

!--- and configurations for traffic that is authorized to be sent

!--- to infrastructure devices

!--- Create a Class-Map for traffic to be policed by

!--- the CoPP feature

class-map match-all drop-udp-class

match access-group 150

!--- Create a Policy-Map that will be applied to the

!--- Control-Plane of the device.

policy-map drop-udp-traffic

class drop-udp-class

drop

!--- Apply the Policy-Map to the

!--- Control-Plane of the device

control-plane

service-policy input drop-udp-traffic

In the above CoPP example, the access control list entries (ACEs) that match the potential exploit

packets with the “permit” action result in these packets being discarded by the policy-map “drop”

function, while packets that match the “deny” action (not shown) are not affected by the policy-map

drop function.

- Rate Limiting the traffic to the device The CoPP example below could be included as part of the

deployed CoPP, which will help protect targeted devices from processing large amounts of NTP

traffic.

Warning: If the rate-limits are exceeded valid NTP traffic may also be dropped.

!--- Feature: Network Time Protocol (NTP)

access-list 150 permit udp any any eq 123

!--- Create a Class-Map for traffic to be policed by

!--- the CoPP feature

class-map match-all rate-udp-class

match access-group 150

!--- Create a Policy-Map that will be applied to the

!--- Control-Plane of the device.

!--- NOTE: See section "4. Tuning the CoPP Policy" of

!--- http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html#5

!--- for more information on choosing the most

1 2 ... 74 75 76 77 78 79 80 81 82 83 84 ... 397 398

Sin comentarios

Cisco 7600-ES20-GE3CXL-RF - Ethernet Services 20G Line Card Switch Manual de usuario Pagina 79