The Cisco 7600 router is one of the most versatile high-end routing machines. It is an enterprise networking device. If you take a look at the Cisco website under the Routers product category, you will notice that the Cisco 7600 can be used in data centers, in Service Provider networks, in WAN aggregation, or as an Internet edge router. In Service Provider networks it can be used as a Provider Edge (PE) router in IP MPLS networks, aggregating many Customer Edge (CE) router devices. Its modularity and high port capacity allow the 7600 to work both as a Layer 2 aggregation device and as a high-performance Layer 3 router.
In Service Provider networks, one of the main concerns of network administrators is protecting the networking infrastructure from Denial of Service (DoS) attacks. These DoS attacks are actually the most serious and common security threat against Service Providers. Botnets are frequently the main source of such attacks. ICMP flooding, UDP flooding, spoofed-address DoS, and SYN attacks are a few examples of DoS or DDoS (Distributed Denial of Service) attacks. Fortunately, the Cisco 7600 router has many robust features and mechanisms to protect itself from such attacks.
In the company where I work (a Service Provider), we have already implemented several security protection features on the 7600 which are really effective against DoS attacks. A summary of the DoS protection mechanisms on the 7600 follows:
Security Access Control Lists (ACL): Applied on interfaces to block traffic at Layer 3/4.
Rate Limiting: Using class-maps and policy-maps you can apply rate limiting to a specific type of traffic (e.g. ICMP).
uRPF (unicast Reverse Path Forwarding): Protects against spoofing attacks.
Traffic Storm Control: Protects against broadcast storms.
TCP Intercept: Protects against SYN attacks.
Hardware-Based Rate Limiters: Work on PFC3 engines. These rate limiters protect the MSFC routing engine from various packets that can overload its CPU (configured with the mls rate-limit command).
Control Plane Policing (CoPP): Again used for protection of the MSFC routing engine, by applying rate limiting to packets that flow from the data plane to the control plane.
Of course, in addition to the above, you must not forget other important security mechanisms such as a strong password policy, proper Authentication and Accounting, logging, SNMP security, and routing protocol security (MD5 authentication in OSPF, BGP, etc.). All of these technical measures must be based on a thorough and carefully written security policy.
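As an added example (not part of the original post), the Python check below audits an IOS running-config excerpt for several of the mechanisms summarized above and reports which interfaces lack them. The sample configuration is constructed, the names EDGE-IN and COPP-POLICY and ACL number 120 are hypothetical, and the regular expressions are assumptions that test only for the presence of a command, not for whether its values are appropriate.

```python
import re

# Constructed running-config excerpt (not from a real device); the class-map
# and ACL definitions referenced here are omitted from the excerpt.
SAMPLE_CONFIG = """\
mls rate-limit unicast ip icmp unreachable no-route 100 10
ip tcp intercept list 120
!
policy-map COPP-POLICY
 class COPP-ICMP
  police 64000 8000 8000 conform-action transmit exceed-action drop
!
interface GigabitEthernet1/1
 description customer-facing
 ip access-group EDGE-IN in
 ip verify unicast source reachable-via rx
 storm-control broadcast level 1.00
!
interface GigabitEthernet1/2
 description customer-facing, not hardened
 ip address 192.0.2.1 255.255.255.0
!
control-plane
 service-policy input COPP-POLICY
"""

# Presence checks only (assumed patterns): device-wide features first.
GLOBAL_CHECKS = {
    "hardware rate limiter": r"^mls rate-limit ",
    "TCP Intercept": r"^ip tcp intercept ",
    "CoPP": r"^control-plane\n(?: .*\n)*? service-policy input ",
}
# Features that must be enabled on each interface individually.
INTERFACE_CHECKS = {
    "ACL": r"^ ip access-group \S+ in",
    "uRPF": r"^ ip verify unicast source reachable-via ",
    "storm control": r"^ storm-control broadcast level ",
}

def audit(config):
    """Return (missing global features, {interface: missing features})."""
    missing_global = [name for name, rx in GLOBAL_CHECKS.items()
                      if not re.search(rx, config, re.M)]
    gaps = {}
    # Each interface stanza is the header line plus its indented lines.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        missing = [name for name, rx in INTERFACE_CHECKS.items()
                   if not re.search(rx, m.group(2), re.M)]
        if missing:
            gaps[m.group(1)] = missing
    return missing_global, gaps
```

Run `audit()` on the output of `show running-config` saved to a file; an empty list and an empty dictionary mean every checked command is present.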