Doing some deep-dive testing into LPTS for DDoS/security/exploit reasons and came across what I consider some shortcomings. I'd love to hear other people's opinions/test results!
I'm not sure if I'm missing something or this is the way it is intended.
For one, the OSPF-known unicast LPTS policer gets applied to interfaces where OSPF is enabled; however, it allows ALL OSPF unicast packets and it doesn't (as I think it should) add an entry per unicast neighbor once it gets the multicast hello. This opens up a vector for DDoS. I spoofed OSPF unicast packets across the network (from a few devices away) and I can easily overwhelm this policer. Some p2p OSPF sessions use unicast and will fail to come up if the packets aren't allowed.
The LPTS on ASR9k doesn't seem to do dynamic flows (like NCS). I think there's a lot of work that needs to be done in this area.
The main 'problem' I have here is that LPTS doesn't allow you to implement your own CoPP. Since it doesn't allow us to implement our own filters, the automatic ones need to be more robust. Not just OSPF but some of the others as well. The BGP ones are done decently and I'm still doing tests on those to see if it actually does per-flow policing (in other words, once a BGP session is established it goes into its own policer like a microflow/uBRL type scenario).
I'll be testing each one individually but this will take some time.
I'd be curious to see anyone else's LPTS configuration and iACLs that may have a workaround for some of this to protect the control plane more fully.
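Because the OSPF unicast policer is shared rather than per-neighbor, the practical defensive signal for the flood described in the post is the policer's own drop counter climbing while legitimate OSPF traffic gets starved. The script below is an added example, not code from the original post or from Cisco: it parses two constructed snapshots laid out in the general shape of the ASR9k `show lpts pifib hardware police` table (column layout, policer IDs, rates and counter values are all assumptions) and flags any flow type whose drop rate and drop ratio between the snapshots suggest policer saturation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the general shape of the ASR9k LPTS policer
# table. Column layout, policer numbers, rates and counters are assumptions
# made for this example, not captured from a real router.
SNAPSHOT_T0 = """\
FlowType                Policer Type   Cur. Rate  Def. Rate  Accepted   Dropped
---------------------- ------- ------- ---------- ---------- ---------- --------
unconfigured-default    100     Static  500        500        12         0
OSPF-mc-known           103     Static  2000       2000       48213      0
OSPF-mc-default         104     Static  1500       1500       0          0
OSPF-uc-known           105     Static  2000       2000       1021       3
OSPF-uc-default         106     Static  1500       1500       0          0
BGP-known               108     Static  2500       2500       90412      0
BGP-default             110     Static  1500       1500       77         0
"""

# Same table 60 seconds later: OSPF-uc-known is now dropping most of what it sees.
SNAPSHOT_T1 = """\
FlowType                Policer Type   Cur. Rate  Def. Rate  Accepted   Dropped
---------------------- ------- ------- ---------- ---------- ---------- --------
unconfigured-default    100     Static  500        500        14         0
OSPF-mc-known           103     Static  2000       2000       48290      2
OSPF-mc-default         104     Static  1500       1500       0          0
OSPF-uc-known           105     Static  2000       2000       3102       41873
OSPF-uc-default         106     Static  1500       1500       0          0
BGP-known               108     Static  2500       2500       90655      0
BGP-default             110     Static  1500       1500       80         0
"""

# One data row: flow name, policer id, type, current rate, default rate,
# accepted count, dropped count. Extra trailing columns are tolerated.
ROW_RE = re.compile(
    r"^(?P<flow>[A-Za-z0-9\-]+)\s+(?P<policer>\d+)\s+(?P<ptype>\w+)\s+"
    r"(?P<cur>\d+)\s+(?P<default>\d+)\s+(?P<accepted>\d+)\s+(?P<dropped>\d+)"
)


def parse_policer_table(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {flow_type: (accepted, dropped)} for every data row in the dump."""
    rows: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header and separator lines do not match and are skipped
            rows[m.group("flow")] = (int(m.group("accepted")), int(m.group("dropped")))
    return rows


def counter_deltas(before: Dict[str, Tuple[int, int]],
                   after: Dict[str, Tuple[int, int]]) -> Dict[str, Tuple[int, int]]:
    """Per flow type, the (accepted, dropped) increase between two snapshots."""
    deltas: Dict[str, Tuple[int, int]] = {}
    for flow, (acc1, drop1) in after.items():
        acc0, drop0 = before.get(flow, (0, 0))
        deltas[flow] = (acc1 - acc0, drop1 - drop0)
    return deltas


def flag_policer_saturation(before: Dict[str, Tuple[int, int]],
                            after: Dict[str, Tuple[int, int]],
                            interval_s: float,
                            drop_pps_threshold: float = 10.0,
                            drop_ratio_threshold: float = 0.5) -> List[Tuple[str, float, float]]:
    """Flows whose drops exceed both an absolute rate and a share of all traffic.

    Requiring both conditions avoids alerting on the occasional burst drop a
    healthy policer produces, while catching the sustained floods that starve
    legitimate neighbors sharing the same flow type.
    """
    alerts: List[Tuple[str, float, float]] = []
    for flow, (d_acc, d_drop) in counter_deltas(before, after).items():
        drop_rate = d_drop / interval_s
        total = d_acc + d_drop
        drop_ratio = d_drop / total if total else 0.0
        if drop_rate >= drop_pps_threshold and drop_ratio >= drop_ratio_threshold:
            alerts.append((flow, round(drop_rate, 1), round(drop_ratio, 2)))
    return alerts


if __name__ == "__main__":
    t0 = parse_policer_table(SNAPSHOT_T0)
    t1 = parse_policer_table(SNAPSHOT_T1)
    for flow, pps, ratio in flag_policer_saturation(t0, t1, interval_s=60):
        print(f"ALERT {flow}: {pps} drops/s, {ratio:.0%} of traffic dropped")
```

In practice the two snapshots would come from polling the router on a fixed interval; a drop ratio near 1.0 on a known flow type such as OSPF-uc-known, combined with adjacencies flapping, is the pattern worth paging on, whereas small drop deltas on a default flow type are usually just unsolicited traffic being policed as designed.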