
Mailing List Archive: Cisco: NSP

Protecting MLX/XMR MP against attacks with IP Receive ACLs / extended ACL behaviour



nsp at rhanssen

Apr 19, 2012, 6:24 AM

Post #1 of 2 (208 views)
Protecting MLX/XMR MP against attacks with IP Receive ACLs / extended ACL behaviour

Hello,

this week we had an attack directly against one of our XMR (UDP packets to
a transfer network IP).
I was looking for a CoPP equivalent and found the "IP Receive ACLs" feature.

In the sample case of "I block all UDP and allow everything else" I would use
this config according to the manual:

access-list 101 remark BLOCK_UDP
access-list 101 deny udp any any

access-list 102 remark ALLOW_ANYTHING_ELSE
access-list 102 permit ip any any

ip receive access-list 101 sequence 5
ip receive access-list 102 sequence 10

The manual says that the default policy is "deny ip any any" (applied after the last
rule).
I am wondering what exactly is matched by "ip", because other protocols are
not mentioned.
Is "ip" an equivalent for "ipv4", or more some kind of "any" in an extended
access list?
Does the above config work, or do I need a standard access list like
"access-list 50 permit any" at the end?

Does anybody maybe already have a "known to work" config for 0815 usage
(BGP, OSPF, VRRP)?

kind regards
Rolf

_______________________________________________
cisco-nsp mailing list cisco-nsp [at] puck
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
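An added example, not from the post or from Brocade's documentation: a small Python model of ordered receive-ACL evaluation with the implicit final deny, assuming the conventional extended-ACL meaning where "ip" matches any IPv4 protocol. It runs constructed sample packets (a UDP flood, BGP over TCP, OSPF, VRRP) through the posted two-list policy and, for comparison, through list 101 alone.

```python
from dataclasses import dataclass

# Minimal model of ordered receive-ACL evaluation. Constructed for illustration;
# it ASSUMES that "ip" in an extended ACL matches any IPv4 protocol, which is
# exactly what the post asks about, and that an implicit "deny ip any any"
# follows the last sequence entry.
PROTO_NAMES = {"tcp": 6, "udp": 17, "ospf": 89, "vrrp": 112}


@dataclass(frozen=True)
class Rule:
    sequence: int   # position from "ip receive access-list <n> sequence <seq>"
    action: str     # "permit" or "deny"
    proto: str      # "ip" (any IPv4 protocol) or a key of PROTO_NAMES


def evaluate(rules, proto_num):
    """Return the action applied to a packet with IP protocol number proto_num."""
    for rule in sorted(rules, key=lambda r: r.sequence):
        if rule.proto == "ip" or PROTO_NAMES[rule.proto] == proto_num:
            return rule.action           # first match wins
    return "deny"                        # implicit deny after the last rule


# The two-list policy from the post: 101 denies UDP, 102 permits the rest.
POST_POLICY = [Rule(5, "deny", "udp"), Rule(10, "permit", "ip")]
# List 101 on its own, to show what the implicit deny does without list 102.
DENY_UDP_ONLY = [Rule(5, "deny", "udp")]

# Constructed sample traffic aimed at the router itself: protocol numbers only
# (BGP is TCP/179, so it appears here as protocol 6).
SAMPLE_PACKETS = {"udp-flood": 17, "bgp": 6, "ospf": 89, "vrrp": 112}


def summarize(rules):
    """Map each sample packet name to the action the policy applies to it."""
    return {name: evaluate(rules, p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    print("posted policy :", summarize(POST_POLICY))
    print("list 101 only :", summarize(DENY_UDP_ONLY))
```

Under that assumption the trailing "permit ip any any" is what keeps BGP, OSPF and VRRP reaching the management processor; without it the implicit deny drops them. Note that a bare "deny udp any any" also drops UDP the box itself depends on (NTP, SNMP, DNS replies), so a production policy would permit those before it.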


nsp at rhanssen

Apr 19, 2012, 7:21 AM

Post #2 of 2 (200 views)
Re: Protecting MLX/XMR MP against attacks with IP Receive ACLs / extended ACL behaviour [In reply to]

Sorry, wrong list, should go to foundry-nsp ;)

> Hello,
>
> this week we had an attack directly against one of our XMR (UDP packets to
> a transfer network IP).
> I was looking for a CoPP equivalent and found the "IP Receive ACLs"
> feature.
>
> In the sample case of "I block all UDP and allow everything else" I would use
> this config according to the manual:
>
> access-list 101 remark BLOCK_UDP
> access-list 101 deny udp any any
>
> access-list 102 remark ALLOW_ANYTHING_ELSE
> access-list 102 permit ip any any
>
> ip receive access-list 101 sequence 5
> ip receive access-list 102 sequence 10
>
> The manual says that the default policy is "deny ip any any" (applied after the last
> rule).
> I am wondering what exactly is matched by "ip", because other protocols are
> not mentioned.
> Is "ip" an equivalent for "ipv4", or more some kind of "any" in an extended
> access list?
> Does the above config work, or do I need a standard access list like
> "access-list 50 permit any" at the end?
>
> Does anybody maybe already have a "known to work" config for 0815 usage
> (BGP, OSPF, VRRP)?
>
> kind regards
> Rolf
>


