Other Security Features
IPv4 CSM filters drop or accept incoming packets based on the following match criteria:
IPv6 CSM filters drop or accept incoming packets based on the following match criteria:
To avoid DoS-like attacks overwhelming the control plane while ensuring that critical control
traffic such as signaling is always serviced in a timely manner, the 7705 SAR has three queues
(High, Low, and Ftp) for handling packets addressed to the CSM:
These queues are fixed use (each queue handles a certain type of traffic, which is not
user-configurable) and fixed configuration (each queue is configured for particular rates and
buffering capacity and is not user-configurable).
34
•
DSCP name
•
destination IP address
•
destination port
•
fragmentation
•
ICMP code
•
ICMP type
•
IP option value
•
multiple options
•
option present
•
source IP address
•
source port
•
TCP ACK
•
TCP SYN
•
DSCP name
•
destination IP address
•
destination port
•
ICMP code
•
ICMP type
•
source IP address
•
source port
•
TCP ACK
•
TCP SYN
•
High – handles all important messaging, such as network management and signaling
links
•
Low – handles lower-importance messages, such as pings
•
Ftp – handles bulk file transfers, such as new software image downloads
7705 SAR OS System Management Guide