04-13-2011 01:53 PM - edited 03-01-2019 09:53 AM
Does UCS have any configurable Control-Plane Policing
(CoPP) or any other DoS features for the UCS6100 control plane?
Thx
Hubert
04-13-2011 11:06 PM
Hubert
CoPP functionality is enabled by default but is not yet configurable/viewable.
Packets going to the SUP from the 10 GB ports are ACL protected and also rate limited.
--Manish
04-13-2011 11:14 PM
Hi Manish, is there a document where this is described, maybe with the
values for the limits?
If I understand correctly there is a default CoPP built in. Does this also work for the Mgmt interface, for the case
that the Mgmt IP is attacked?
Thx
Hubert
04-13-2011 11:30 PM
Hubert
Unfortunately we do not have a public document on the default CoPP functionality.
The CoPP is in place for traffic from the 10 GB ports to the SUP only.
In EHM mode of operation, we do not process BPDUs etc. and have very set rules for traffic handling, to name a few.
For the external 1 gig mgmt port, you will need to protect it via a firewall or acls.
We do have a list of ports which are opened to come up with the firewall or acl config.
Hope it helps, and I apologize for the non-availability of an external doc on this.
--Manish
04-13-2011 11:55 PM
Hi Manish,
- In End Host Mode it's clear that no packets should come to the CPU?
- In Switching Mode, are BPDUs etc. rate-limited?
Anyway, because all Mgmt is running over the OOB Mgmt port, this should be the only interface which could be attacked by broadcasts, SYN etc., correct?
If an attacker can bring down the management, is the Switch/Interconnect still forwarding traffic? It should be, because OOB management should be separated from the switch control plane?
Any comments on this ?
Thx
Hubert
04-14-2011 12:06 AM
Yes, a policer is always in place.
Knowing that server ports only connect to servers helps too as we know what all control traffic is expected.
Yes, all mgmt traffic goes through the mgmt port (i.e. the physical wire), but the IP might differ as KVM IPs are NATed through that interface.
Not tough to create ACL rules given the UDP/TCP port numbers.
--Manish
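As an added illustration (not from this thread or from Cisco documentation), here is an upstream IOS-style extended ACL implementing the advice in the two answers above on the router or L3 switch facing the Fabric Interconnects' 1 Gig management ports: only the admin subnet may reach UCS Manager and the NATed KVM addresses, and only on the expected TCP ports. All addresses are constructed; ports 443 (UCSM GUI/XML API) and 22 (SSH CLI) are assumed, and the KVM port list is left as a placeholder because the thread does not give it.

```cisco
! Constructed example addressing (assumptions, not from the thread):
!   10.10.0.0/24  = admin workstations / jump hosts
!   10.20.0.10    = Fabric Interconnect A mgmt IP
!   10.20.0.11    = Fabric Interconnect B mgmt IP
!   10.20.0.12    = UCS Manager virtual (cluster) IP
!   10.20.0.32/27 = KVM IP pool that is NATed through the FI mgmt ports
object-group network UCS-MGMT-HOSTS
 host 10.20.0.10
 host 10.20.0.11
 host 10.20.0.12
object-group network UCS-KVM-POOL
 10.20.0.32 255.255.255.224
object-group network ADMIN-NET
 10.10.0.0 255.255.255.0
!
ip access-list extended PROTECT-UCS-MGMT
 ! UCS Manager GUI/XML API (HTTPS) and CLI (SSH) from the admin subnet only
 permit tcp object-group ADMIN-NET object-group UCS-MGMT-HOSTS eq 443
 permit tcp object-group ADMIN-NET object-group UCS-MGMT-HOSTS eq 22
 ! KVM sessions land on the NATed KVM IPs, not on the FI IPs, so they
 ! need their own entry. <KVM-PORTS> is a placeholder for the port list
 ! Cisco supplies; replace it before use.
 permit tcp object-group ADMIN-NET object-group UCS-KVM-POOL eq <KVM-PORTS>
 ! ICMP echo from the admin subnet for reachability checks only
 permit icmp object-group ADMIN-NET object-group UCS-MGMT-HOSTS echo
 ! Everything else toward the mgmt segment is dropped and logged, which
 ! also gives a detection point for scans or floods against the OOB port
 ! (rate-limit ACL logging on this device if the link can be flooded).
 deny ip any object-group UCS-MGMT-HOSTS log
 deny ip any object-group UCS-KVM-POOL log
 permit ip any any
!
interface GigabitEthernet0/1
 description Link towards the UCS 6100 OOB management segment
 ip access-group PROTECT-UCS-MGMT out
```

Because the FIs' 10 GB server and uplink ports are covered by the built-in CoPP described above, this ACL only needs to guard the separate 1 Gig management path.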
04-14-2011 12:29 AM
Thx a lot
Hubert