
524
Caveats for Cisco IOS Release 12.2(33)SRD through 12.2(33)SRD8
OL-10394-05 Rev. R0
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
access-list 150 permit ip any any
!--- Apply access-list to all interfaces (only one example
!--- shown)
interface fastEthernet 2/0
ip access-group 150 in
The white paper entitled “Protecting Your Core: Infrastructure Protection Access Control Lists”
presents guidelines and recommended deployment techniques for infrastructure protection access
lists and is available at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
* Control Plane Policing
Two examples are provided under Control Plane Policing. The first aims at preventing the
injection of malicious traffic from untrusted sources, while the second rate limits NTP
traffic destined to the device.
- Filtering untrusted sources to the device.
Warning: Because the feature affected by this vulnerability uses UDP as a transport, it is possible to spoof
the sender's IP address, which may defeat ACLs that permit communication to these ports from
trusted IP addresses. Unicast RPF should be considered in conjunction with these ACLs to offer a better
mitigation solution.
Control Plane Policing (CoPP) can be used to block untrusted UDP traffic to the device. Cisco IOS
Software Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP
can be configured on a device to help protect the management and control planes and minimize the
risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic
that is sent to infrastructure devices in accordance with existing security policies and configurations.
The CoPP example below should be included as part of the deployed CoPP, which will help protect
all devices with IP addresses in the infrastructure IP address range.
!--- Feature: Network Time Protocol (NTP)
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 123
!--- Deny NTP traffic from all other sources destined
!--- to the device control plane.
access-list 150 permit udp any any eq 123
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
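As an added illustration (not Cisco's code and not part of the original caveat), the following Python evaluator parses the two NTP access-list lines above and shows how CoPP inverts the ACL keywords: a deny entry exempts trusted sources from the policer, while a permit entry classifies traffic for policing, which this example assumes is configured as a drop. The trusted range 192.0.2.0/24 is a constructed placeholder for TRUSTED_SOURCE_ADDRESSES WILDCARD, and the example assumes class-default remains unpoliced.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AclEntry:
    action: str                 # "permit" (classified by CoPP) or "deny" (bypasses the class)
    proto: str                  # "udp", "tcp" or "ip"; "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: "int | None"      # None means any destination port

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks (contiguous wildcards only here)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acl_line(line: str) -> AclEntry:
    """Parse one numbered IOS ACL line of the shape used on this page."""
    tok = line.split()
    assert tok[0] == "access-list", line
    action, proto, i = tok[2], tok[3], 4
    def take_addr() -> ipaddress.IPv4Network:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        if tok[i] == "host":
            i += 2
            return ipaddress.IPv4Network(tok[i - 1] + "/32")
        i += 2
        return wildcard_to_network(tok[i - 2], tok[i - 1])
    src, dst = take_addr(), take_addr()
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return AclEntry(action, proto, src, dst, port)

def copp_verdict(acl, src_ip, dst_ip, proto, dst_port=None):
    """First-match lookup. The CoPP class-map matches only ACL 'permit' entries and the
    assumed policy drops what it classifies: permit -> drop, deny or no match -> allow."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if e.proto not in ("ip", proto) or s not in e.src or d not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return "drop" if e.action == "permit" else "allow"
    return "allow"  # falls to class-default, assumed unpoliced here
# Constructed sample: 192.0.2.0/24 stands in for TRUSTED_SOURCE_ADDRESSES WILDCARD.
NTP_COPP_ACL = [parse_acl_line(l) for l in (
    "access-list 150 deny udp 192.0.2.0 0.0.0.255 any eq 123",
    "access-list 150 permit udp any any eq 123")]
```

A packet whose source address merely claims to be inside the trusted range still evaluates to allow, which is exactly the gap the Unicast RPF warning above addresses.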