Mailing List Archive: nsp: foundry

Securing Xmr



bmannella at gmail

Nov 25, 2010, 1:48 PM

Post #1 of 6 (1088 views)
Securing Xmr

We purchased a couple MLX-e (XMR) that act as border/core routers to be used in a hosting environment. I have googled and only came up with a doc from '03. I have done most of the basic stuff, but wondered if someone could point me to a newer doc or give me config examples.

I am looking for something similar to RE-Protect on Junos. Things like rate-limiting icmp headed towards the router itself and other best practices, as well as basic DOS protection. No icmp redirects, etc.

Thanks in Advance

Brendan
_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


nuno.vieira at nfsi

Nov 25, 2010, 2:13 PM

Post #2 of 6 (1044 views)
Re: Securing Xmr [In reply to]

You have updated documentation on http://kp.foundrynet.com/

regards,
--nvieira

----- Original Message -----
> We purchased a couple MLX-e (XMR) that act as border/core routers to
> be used in a hosting environment. I have googled and only came up with
> a doc from '03. I have done most of the basic stuff, but wondered if
> someone could point me to a newer doc or give me config examples.
>
> I am looking for something similar to RE-Protect on Junos. Things like
> rate-limiting icmp headed towards the router itself and other best
> practices, as well as basic DOS protection. No icmp redirects, etc.
>
> Thanks in Advance
>
> Brendan


bmannella at gmail

Nov 25, 2010, 2:20 PM

Post #3 of 6 (1029 views)
Re: Securing Xmr [In reply to]

Are you talking about the standard config guide? Or something specific to security?

Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094

On Nov 25, 2010, at 5:13 PM, Nuno Vieira - nfsi telecom <nuno.vieira [at] nfsi> wrote:

> regards,



bmannella at gmail

Nov 25, 2010, 3:03 PM

Post #4 of 6 (1030 views)
Re: Securing Xmr [In reply to]

Ok so I have found the

ip icmp burst-normal [value] burst-max [value] lockup [value]

ip tcp burst-normal [value] burst-max [value] lockup [value]

Can someone send me values that are acceptable in a production environment? It seems both commands above are only for connections directed at the device, so they really wouldn't affect transiting traffic. Am I correct?

Brendan Mannella


On Nov 25, 2010, at 5:13 PM, Nuno Vieira - nfsi telecom <nuno.vieira [at] nfsi> wrote:

> You have updated documentation on http://kp.foundrynet.com/
>
> regards,
> --nvieira
>
> ----- Original Message -----
>> We purchased a couple MLX-e (XMR) that act as border/core routers to
>> be used in a hosting environment. I have googled and only came up with
>> a doc from '03. I have done most of the basic stuff, but wondered if
>> someone could point me to a newer doc or give me config examples.
>>
>> I am looking for something similar to RE-Protect on Junos. Things like
>> rate-limiting icmp headed towards the router itself and other best
>> practices, as well as basic DOS protection. No icmp redirects, etc.
>>
>> Thanks in Advance
>>
>> Brendan


bdflemin at gmail

Nov 26, 2010, 6:47 PM

Post #5 of 6 (1027 views)
Re: Securing Xmr [In reply to]

Another one to take a look toward is:
ip rate-limit arp policy-name <policy name>
You can find it on page 706 (of 2718) in the 5.1.00 Config Guide.

And if you're really concerned about broadcast traffic, an L2 ACL on
ingress ports with rate-limiters can be very effective with little
effort.

On Nov 25, 2010, at 5:03 PM, Brendan Mannella wrote:

> Ok so I have found the
>
> ip icmp burst-normal [value] burst-max [value] lockup [value]
>
> ip tcp burst-normal [value] burst-max [value] lockup [value]
>
> Can someone send me values that are acceptable in a production
> environment? It seems both commands above are only for connections
> directed at the device, so they really wouldn't affect transiting
> traffic. Am I correct?
>
> Brendan Mannella
>
>
> On Nov 25, 2010, at 5:13 PM, Nuno Vieira - nfsi telecom <nuno.vieira [at] nfsi
> > wrote:
>
>> You have updated documentation on http://kp.foundrynet.com/
>>
>> regards,
>> --nvieira
>>
>> ----- Original Message -----
>>> We purchased a couple MLX-e (XMR) that act as border/core routers to
>>> be used in a hosting environment. I have googled and only came up
>>> with
>>> a doc from '03. I have done most of the basic stuff, but wondered if
>>> someone could point me to a newer doc or give me config examples.
>>>
>>> I am looking for something similar to RE-Protect on Junos. Things
>>> like
>>> rate-limiting icmp headed towards the router itself and other best
>>> practices, as well as basic DOS protection. No icmp redirects, etc.
>>>
>>> Thanks in Advance
>>>
>>> Brendan


dspataro at corp

Dec 1, 2010, 11:17 AM

Post #6 of 6 (993 views)
Re: Securing Xmr [In reply to]

You should also use an IP Receive ACL. That way you can block unwanted IP traffic going to the router. You need to watch out because the Receive ACL can eat up all of your receive-cam.

The formula to figure out how much receive-cam the ACL will eat is

number of lines + explicit deny * number of IP interfaces = number of cam entries

So if you have 100 lines to your ACL and 40 IP interfaces you are then using 4000. The default is 1024 (XMR 4000). You can increase it but then you steal from the rule-ACL-cam.



Hope that helps,

Dan



-----Original Message-----
From: foundry-nsp-bounces [at] puck [mailto:foundry-nsp-bounces [at] puck] On Behalf Of Brendan Mannella
Sent: Thursday, November 25, 2010 4:49 PM
To: foundry-nsp [at] puck
Subject: [f-nsp] Securing Xmr

We purchased a couple MLX-e (XMR) that act as border/core routers to be used in a hosting environment. I have googled and only came up with a doc from '03. I have done most of the basic stuff, but wondered if someone could point me to a newer doc or give me config examples.

I am looking for something similar to RE-Protect on Junos. Things like rate-limiting icmp headed towards the router itself and other best practices, as well as basic DOS protection. No icmp redirects, etc.

Thanks in Advance

Brendan
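The receive-CAM sizing rule Dan gives above (ACL lines plus the explicit deny, multiplied by the number of IP interfaces) is easy to get wrong when an ACL grows over time, so here is a small capacity check that applies it before a Receive ACL is pushed to a box. This is an added example, not code or configuration from Brocade/Foundry or from anyone on the list. The only numbers it relies on are the ones in the post (default receive-CAM of 1024, 4000 on the XMR); the platform labels `mlx-e` and `xmr` are this example's own lookup keys, and whether the explicit deny line is counted is left as a parameter because the post's worked example (100 lines, 40 interfaces, "4000") omits it.

```python
"""Receive-CAM budget check for an IP Receive ACL, following the formula
from the foundry-nsp thread:

    (number of ACL lines + explicit deny) * number of IP interfaces
        = number of receive-CAM entries consumed

Added example, not vendor code. Default partition sizes are the values
quoted in the thread; the platform keys below are labels used only here.
"""

from dataclasses import dataclass
from typing import Optional

# Default receive-CAM partition per platform as quoted in the post
# (constructed lookup; keys are this example's own labels).
DEFAULT_RECEIVE_CAM = {"mlx-e": 1024, "xmr": 4000}


def receive_cam_entries(acl_lines: int, ip_interfaces: int,
                        count_explicit_deny: bool = True) -> int:
    """Entries consumed when one Receive ACL is applied across every IP
    interface. The trailing explicit deny costs one more entry per
    interface when it is counted."""
    if acl_lines < 0 or ip_interfaces < 0:
        raise ValueError("counts must be non-negative")
    per_interface = acl_lines + (1 if count_explicit_deny else 0)
    return per_interface * ip_interfaces


@dataclass(frozen=True)
class CamCheck:
    platform: str
    entries: int   # projected receive-CAM usage
    budget: int    # receive-CAM partition size being checked against

    @property
    def fits(self) -> bool:
        return self.entries <= self.budget

    @property
    def headroom(self) -> int:
        # Negative means the partition would have to be enlarged, which
        # (per the thread) takes space away from the rule-ACL CAM.
        return self.budget - self.entries


def check_receive_cam(platform: str, acl_lines: int, ip_interfaces: int,
                      count_explicit_deny: bool = True,
                      receive_cam: Optional[int] = None) -> CamCheck:
    """Compare projected usage with the default partition, or with an
    explicitly raised one passed in `receive_cam`."""
    budget = (receive_cam if receive_cam is not None
              else DEFAULT_RECEIVE_CAM[platform.lower()])
    entries = receive_cam_entries(acl_lines, ip_interfaces, count_explicit_deny)
    return CamCheck(platform=platform, entries=entries, budget=budget)


def max_acl_lines(platform: str, ip_interfaces: int,
                  count_explicit_deny: bool = True,
                  receive_cam: Optional[int] = None) -> int:
    """Invert the formula: the longest ACL that still fits the partition
    once it is bound to every IP interface."""
    budget = (receive_cam if receive_cam is not None
              else DEFAULT_RECEIVE_CAM[platform.lower()])
    if ip_interfaces <= 0:
        raise ValueError("need at least one IP interface")
    per_interface = budget // ip_interfaces
    return max(per_interface - (1 if count_explicit_deny else 0), 0)


if __name__ == "__main__":
    # The thread's own numbers: a 100-line ACL on a router with 40 IP interfaces.
    for platform in ("mlx-e", "xmr"):
        for deny in (False, True):
            c = check_receive_cam(platform, 100, 40, count_explicit_deny=deny)
            print(f"{platform:6} explicit-deny={deny!s:5} entries={c.entries:5} "
                  f"budget={c.budget:5} fits={c.fits} headroom={c.headroom}")
        print(f"{platform:6} longest ACL for 40 interfaces: "
              f"{max_acl_lines(platform, 40)} lines (+ explicit deny)")
```

Run as-is it prints the two platforms side by side for the 100-line, 40-interface case: on the MLX-e default of 1024 the ACL does not fit at all, on the XMR it fits exactly (headroom 0) only if the explicit deny is not counted, and it overflows by 40 entries if it is. `max_acl_lines` is the number you want before writing the ACL, since the alternative (growing the receive-CAM partition) comes out of the rule-ACL CAM.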
