I have a few questions regarding DoS attacks and CoPP.
1. I have gone through the Cisco Control Plane Policing guide and there seem to be no hard and fast rules for deploying it. Is there a one-config-fits-all kind of solution to this, which ensures that the resources on any router are always available for legitimate traffic passing through the router as well as telnet/SSH traffic? For example, if I have a 3600 series router handling 15 Mb/s of traffic (and it gets stuck in case of a DoS attack) and I want to make sure that the telnet session is always responsive, the router never gets stuck, and there are enough resources available on it to ensure that normal traffic is always routed... is there a CoPP policy which can ensure that?
2. During troubleshooting of high CPU utilization, I've observed that the "show processes cpu" command shows that the 5-second utilization is 55%, but the list of processes doesn't show any single process over 0.40%. How do I interpret the output of this command to find out the process taking most of the CPU time? Here's an example:
router#show proc cpu
CPU utilization for five seconds: 36%/30%; one minute: 34%; five minutes: 37%
router#show proc cpu | exc 0.0
5Sec 1Min 5Min TTY Process
0.31% 0.13% 0.12% 0 Net Background
0.71% 0.78% 1.47% 0 IP Input
1.19% 0.66% 0.52% 0 IP SNMP
0.55% 0.20% 0.16% 0 PDU DISPATCHER
2.07% 1.39% 1.17% 0 SNMP ENGINE
0.47% 0.14% 0.22% 0 SAA Event Proces
Now this output doesn't say much for the 35% CPU utilization shown above. So how do I interpret this output?
3. Can anyone point out some best practices to protect a router's resources against DoS attacks?
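The header line of "show processes cpu" carries the answer to question 2: in the "36%/30%" pair, the first number is total CPU over five seconds and the second is the share spent at interrupt level (packet switching that is not attributed to any process). Only the remainder, 6% here, is process-level time, and that is what the per-process rows add up to. The following script is an added example, not part of the original post or any Cisco tool; it parses the output quoted above (the sample text is constructed from the question) and splits the five-second figure into interrupt-level and process-level shares so that a gap between the header and the process list is reported explicitly rather than left as a puzzle. Column names such as "interrupt_5s" and the function names are my own assumptions.

```python
import re

# Constructed sample, transcribed from the "show proc cpu" output in the
# question above. Real output also carries PID/Runtime/Invoked/uSecs columns
# that the post omitted; the parser keys on the three percentage columns only.
SAMPLE = """\
CPU utilization for five seconds: 36%/30%; one minute: 34%; five minutes: 37%
 5Sec   1Min   5Min  TTY Process
 0.31%  0.13%  0.12%   0 Net Background
 0.71%  0.78%  1.47%   0 IP Input
 1.19%  0.66%  0.52%   0 IP SNMP
 0.55%  0.20%  0.16%   0 PDU DISPATCHER
 2.07%  1.39%  1.17%   0 SNMP ENGINE
 0.47%  0.14%  0.22%   0 SAA Event Proces
"""

# Header: "total%/interrupt%" for five seconds, then one- and five-minute totals.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;"
    r"\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%"
)
# Process rows: three percentages, a TTY field, then the process name.
PROC_RE = re.compile(r"^\s*([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\S+)\s+(.+?)\s*$")


def parse_show_proc_cpu(text):
    """Return (header dict, list of process dicts) from show proc cpu text."""
    header = None
    procs = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total5, intr5, one_min, five_min = (int(g) for g in m.groups())
            header = {
                "total_5s": total5,
                "interrupt_5s": intr5,          # time spent switching packets at interrupt level
                "process_5s": total5 - intr5,   # time attributable to scheduled processes
                "one_min": one_min,
                "five_min": five_min,
            }
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append({
                "name": m.group(5),
                "cpu_5s": float(m.group(1)),
                "cpu_1m": float(m.group(2)),
                "cpu_5m": float(m.group(3)),
            })
    if header is None:
        raise ValueError("no 'CPU utilization for five seconds' header found")
    return header, procs


def summarize(text):
    """Split the five-second figure into interrupt vs process share and name the top process."""
    header, procs = parse_show_proc_cpu(text)
    listed_sum = round(sum(p["cpu_5s"] for p in procs), 2)
    top = max(procs, key=lambda p: p["cpu_5s"]) if procs else None
    return {
        "total_5s": header["total_5s"],
        "interrupt_5s": header["interrupt_5s"],
        "process_5s": header["process_5s"],
        "listed_process_sum_5s": listed_sum,
        "top_process": top["name"] if top else None,
        # True when most of the load is packet switching, so no single
        # process row can explain it and the process list is the wrong place to look.
        "interrupt_dominated": header["interrupt_5s"] > header["process_5s"],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"total 5s: {s['total_5s']}%  interrupt: {s['interrupt_5s']}%  "
          f"process: {s['process_5s']}%  listed rows sum: {s['listed_process_sum_5s']}%")
    print(f"busiest process: {s['top_process']}  "
          f"interrupt-dominated: {s['interrupt_dominated']}")
```

For the quoted output the script reports 30% interrupt-level and 6% process-level time, with the listed rows summing to 5.3%, so the process table is consistent with the header once the interrupt share is separated out. When the interrupt share dominates, as it does here, the next place to look is traffic hitting the CPU rather than the process list: interface counters, the switching path in use, and what is being punted to the route processor; CoPP is the control for the last of these.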
Thank you medan, the info is very helpful. One more question... is it possible to prioritize telnet traffic to the CPU in a router? I know we can police the traffic, but is it possible to prioritize it?