On Wed, May 01, 2002 at 01:27:04PM -0700, SMALL, LARS *Internet* (PBI) wrote:
> Hello:
>
> recently I have been investigating the merits of a policy our company (an
> ISP) has with regard to DoS attacks. Specifically, when our customers are
> under attack, unless it is adversely effecting our network, we do not
> intervene. Is there any merit to this policy? What are the concerns
> (besides the added administrative burden) over ACLs applied to a T1 p-t-p
> customer interfaces (channelized DS3) or T1 frame-relay customer (point to
> multipoint framed DS3) or ATM customers of various bandwidths riding ATM
> OC3?
There are no real concerns that are obvious in your scenario. Make sure
you're using the "access-list compiled" feature (mind that if you have a lot of
ACLs with discontinuous netmasks, like ones generated by RtConfig, you may
run into trouble if you're using 12.0(19)S or later - it's supposedly
fixed in 12.0(21)S2, but I still see some CPU hog tracebacks on the test box
when ACLs are changed).
> Also, I have heard of NetFlow and would like to know if anyone has had
> success in using it with dCEF.
Yes, NetFlow does work with dCEF well (I speak for the 12.0S train).
SY,
--
CCNP, CCDP (R&S)            Dmitri E. Kalintsev        CDPlayer@irc
Network Architect @ connect.com.au         dek @ connect.com.au
phone: +61 3 9674 3913      fax: 9251 3666      http://-UNAVAIL-
UIN: 7150410                cell: +61 414 821 382
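Added configuration example (not from the poster or from Cisco documentation) showing the pieces the reply recommends on one 12.0S-era router: dCEF, compiled (Turbo) ACLs, a per-customer filter on a channelized-DS3 member T1, and NetFlow on the same interface. Interface names, customer prefix, collector address and the filtered flow are placeholders.

```cisco
! Constructed example. All addresses, interface names and ACL numbers are placeholders.
!
! Distributed CEF: line cards switch the traffic; NetFlow is collected per VIP under dCEF.
ip cef distributed
!
! Turbo ACL: pre-compiles access lists so lookup cost stays flat as ACLs grow.
! Keep wildcard masks contiguous (0.0.0.255, 0.0.0.3, ...); the reply notes that
! discontinuous masks, e.g. from RtConfig output, can cause CPU hog tracebacks when
! compiled ACLs are changed on some 12.0S releases.
access-list compiled
!
! Customer-A (assumed block 192.0.2.0/24). Drop the offending flow toward the customer,
! pass everything else. No "log" keyword on the deny line: logging every packet of a
! flood punts to the RP and becomes its own CPU problem.
access-list 110 remark Customer-A DoS filter - ICMP echo flood (placeholder attack flow)
access-list 110 deny   icmp any 192.0.2.0 0.0.0.255 echo
access-list 110 permit ip any any
!
! One T1 of a channelized DS3 toward the customer. The ACL is applied outbound, i.e.
! toward the customer: the attack still crosses the backbone, but the T1 is spared.
interface Serial1/0/0:1
 description Customer-A T1 (channelized DS3 member)
 ip address 198.51.100.1 255.255.255.252
 ip access-group 110 out
 ip route-cache flow
!
! Export NetFlow v5 records so the attack can be characterised before ACLs are changed.
ip flow-export version 5
ip flow-export destination 203.0.113.10 9996
```

Check with "show access-list compiled" that the ACL state is "Operational", and with "show ip cache flow" that records are being collected on the customer interface.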
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:55 EDT