Re: [nsp] effect of ACL on cisco 7500 routers

From: Joseph Pedano (pidge@pidge.net)
Date: Thu May 02 2002 - 00:11:55 EDT


Won't the 7500s run unicast-rpf??? Much easier than access lists.

At 01:15 AM 5/2/2002 +0200, Dmitri Kalintsev wrote:
>On Wed, May 01, 2002 at 01:27:04PM -0700, SMALL, LARS *Internet* (PBI) wrote:
> > Hello:
> >
> > Recently I have been investigating the merits of a policy our company (an
> > ISP) has with regard to DoS attacks. Specifically, when our customers are
> > under attack, unless it is adversely affecting our network, we do not
> > intervene. Is there any merit to this policy? What are the concerns (
> > besides the added administrative burden) over ACLs applied to a T1 p-t-p
> > customer interfaces (channelized DS3) or T1 frame-relay customer (point to
> > multipoint framed DS3) or ATM customers of various bandwidths riding ATM
> > OC3?
>
>There are no real concerns that are obvious in your scenario. Make sure
>you're using "access-list compiled" feature (mind that if you have a lot of
>ACLs with discontinuous netmasks, like ones generated by RtConfig, you may
>run into trouble if you're using 12.0(19)S or later - it's supposedly
>fixed in 12.0(21)S2, but I still see some CPU hog tracebacks on the test box
>when ACLs are changed).
>
> > Also, I have heard of NetFlow and would like to know if anyone has had
> > success in using it with dCEF.
>
>Yes, Netflow does work with dCEF well (I speak for 12.0S train).
>
>SY,
>--
> CCNP, CCDP (R&S) Dmitri E. Kalintsev
> CDPlayer@irc Network Architect @ connect.com.au
> dek @ connect.com.au phone: +61 3 9674 3913 fax: 9251 3666
> http://-UNAVAIL- UIN:7150410 cell: +61 414 821 382
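As an added illustration (constructed here, not posted by anyone in the thread), the two approaches discussed above side by side in IOS 12.0S-style syntax: an explicit ingress ACL on one customer T1 and strict uRPF on another, with compiled ACLs, dCEF and NetFlow as Dmitri describes. Interface names and addresses are invented example values, and the caveats in the comments are standard uRPF and 7500 behaviour rather than anything the thread states.

```text
! Constructed IOS 12.0S-style fragment; values are examples, not a real network.
! Distributed CEF must be on: uRPF requires CEF, and NetFlow on the 7500 runs
! on the VIPs alongside dCEF.
ip cef distributed
!
! Turbo ACLs (compiled). Remember Dmitri's caveat about many ACLs with
! discontinuous masks on 12.0(19)S and later.
access-list compiled
!
! Approach A: an explicit ingress ACL on a T1 sub-channel of a channelized DS3.
! Only packets sourced from the customer's assigned block (192.0.2.0/24,
! constructed) or from the p-t-p link subnet itself are accepted.
! No "log" keyword on the deny: on a 7500, logged denies are punted to the
! RSP, which is exactly the CPU you are trying to protect during an attack.
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
access-list 110 permit ip 198.51.100.0 0.0.0.3 any
access-list 110 deny   ip any any
!
interface Serial1/0/0:1
 description Customer A T1 (constructed) - ingress ACL approach
 ip address 198.51.100.1 255.255.255.252
 ip access-group 110 in
 ip route-cache flow
!
! Approach B: strict unicast RPF instead of a per-customer ACL. The router
! drops any packet whose source address is not routed back out this same
! interface, so there is no prefix list to maintain as the customer's
! assignments change. Strict mode is only safe on single-homed customer
! interfaces: a multihomed or asymmetrically routed customer (for example
! a second PVC on the multipoint frame-relay DS3) would lose legitimate
! traffic, and an ACL is the better tool there.
interface Serial1/0/0:2
 description Customer B T1 (constructed) - strict uRPF approach
 ip address 198.51.100.5 255.255.255.252
 ip verify unicast reverse-path
 ip route-cache flow
!
! Checks after applying:
!   show ip interface Serial1/0/0:2     (confirms "IP verify source reachable-via RX")
!   show ip traffic                     (unicast RPF drop counter)
!   show access-list compiled           (Turbo ACL state)
!   show ip cache flow                  (NetFlow is populating on the VIP)
```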



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:11:55 EDT