On Thu, May 02, 2002 at 12:11:55AM -0400, Joseph Pedano wrote:
> Won't the 7500's run unicast-rpf??? Much easier than access lists.
Yes, *and* unicast rpf, too. ;) But I believe the question was mainly
concerned with ACLs, so was my answer. ;)
> At 01:15 AM 5/2/2002 +0200, Dmitri Kalintsev wrote:
> >On Wed, May 01, 2002 at 01:27:04PM -0700, SMALL, LARS *Internet* (PBI) wrote:
> > > Hello:
> > >
> > > recently I have been investigating the merits of a policy our company (an
> > > ISP) has with regard to DoS attacks. Specifically, when our customers are
> > > under attack, unless it is adversely affecting our network, we do not
> > > intervene. Is there any merit to this Policy? What are the concerns
> > > (besides the added administrative burden) over ACLs applied to a T1 p-t-p
> > > customer interfaces (channelized DS3) or T1 frame-relay customer (point to
> > > multipoint framed DS3) or ATM customers of various bandwidths riding ATM
> > > OC3?
> >
> >There are no real concerns that are obvious in your scenario. Make sure
> >you're using "access-list compiled" feature (mind that if you have a lot of
> >ACLs with discontinuous netmasks, like ones generated by RtConfig, you may
> >run into trouble if you're using 12.0(19)S or later - it's supposedly
> >fixed in 12.0(21)S2, but I still see some CPU hog tracebacks on the test box
> >when ACLs are changed).
> >
> > > Also, I have heard of NetFlow and would like to know if anyone has had
> > > success in using it with dCEF.
> >
> >Yes, Netflow does work with dCEF well (I speak for 12.0S train).
---end quoted text---
SY,
--
CCNP, CCDP (R&S) Dmitri E. Kalintsev
CDPlayer@irc Network Architect @ connect.com.au
dek @ connect.com.au phone: +61 3 9674 3913 fax: 9251 3666
http://-UNAVAIL- UIN:7150410 cell: +61 414 821 382