Cisco OL-4015-08 Manual de usuario descargar pdf (Pagina 130)

100

101

482

Cross-Platform Release Notes for Cisco IOS Release 12.0S

OL-1617-14 Rev. Q0

Caveats

Resolved Caveats—Cisco IOS Release 12.0(32)S15

!--- to infrastructure addresses.

access-list 150 deny udp any

INFRASTRUCTURE_ADDRESSES WILDCARD eq 123

!--- Permit/deny all other Layer 3 and Layer 4 traffic in

!--- accordance with existing security policies and

!--- configurations. Permit all other traffic to transit the

!--- device.

access-list 150 permit ip any any

!--- Apply access-list to all interfaces (only one example

!--- shown)

interface fastEthernet 2/0

ip access-group 150 in

The white paper entitled “Protecting Your Core: Infrastructure Protection Access Control Lists”

presents guidelines and recommended deployment techniques for infrastructure protection access

lists and is available at the following link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtm

* Control Plane Policing

Provided under Control Plane Policing there are two examples. The first aims at preventing the

injection of malicious traffic from untrusted sources, whilst the second looks at rate limiting NTP

traffic to the box.

- Filtering untrusted sources to the device.

Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof

the sender’s IP address, which may defeat ACLs that permit communication to these ports from

trusted IP addresses. Unicast RPF should be considered to be used in conjunction to offer a better

mitigation solution.

Control Plane Policing (CoPP) can be used to block untrusted UDP traffic to the device. Cisco IOS

Software Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP

can be configured on a device to help protect the management and control planes and minimize the

risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic

that is sent to infrastructure devices in accordance with existing security policies and configurations.

The CoPP example below should be included as part of the deployed CoPP, which will help protect

all devices with IP addresses in the infrastructure IP address range.

!--- Feature: Network Time Protocol (NTP)

access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD

any eq 123

!--- Deny NTP traffic from all other sources destined

1 2 ... 125 126 127 128 129 130 131 132 133 134 135 ... 677 678

Comentarios a estos manuales

Sin comentarios

Cisco OL-4015-08 Manual de usuario Pagina 130

Comentarios a estos manuales

Relacionado con productos y manuales para Redes Cisco OL-4015-08