Re: [nsp] effect of ACL on cisco 7500 routers

From: Dmitri Kalintsev (dek@hades.uz)
Date: Wed May 01 2002 - 19:15:52 EDT


On Wed, May 01, 2002 at 01:27:04PM -0700, SMALL, LARS *Internet* (PBI) wrote:
> Hello:
>
> recently I have been investigating the merits of a policy our company (an
> ISP) has with regard to DoS attacks. Specifically, when our customers are
> under attack, unless it is adversely affecting our network, we do not
> intervene. Is there any merit to this Policy? What are the concerns (
> besides the added administrative burden) over ACLs applied to a T1 p-t-p
> customer interfaces (channelized DS3) or T1 frame-relay customer (point to
> multipoint framed DS3) or ATM customers of various bandwidths riding ATM
> OC3?

There are no real concerns that are obvious in your scenario. Make sure
you're using "access-list compiled" feature (mind that if you have a lot of
ACLs with discontinuous netmasks, like ones generated by RtConfig, you may
run into trouble if you're using 12.0(19)S or later - it's supposedly
fixed in 12.0(21)S2, but I still see some CPU hog tracebacks on the test box
when ACLs are changed).

> Also, I have heard of NetFlow and would like to know if anyone has had
> success in using it with dCEF.

Yes, Netflow does work with dCEF well (I speak for 12.0S train).

SY,

-- 
 CCNP, CCDP (R&S)                          Dmitri E. Kalintsev
 CDPlayer@irc               Network Architect @ connect.com.au
 dek @ connect.com.au    phone: +61 3 9674 3913 fax: 9251 3666
 http://-UNAVAIL-         UIN:7150410    cell: +61 414 821 382
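A configuration sketch, added here and not part of the original thread, of what the reply recommends on a 7500 running the 12.0S train: dCEF, compiled (Turbo) ACLs, a customer T1 channel with an anti-spoofing ingress ACL and a mitigation ACL toward the customer, and NetFlow accounting on the VIP. The interface name, the addresses (RFC 5737 documentation ranges) and the collector are assumptions.

```cisco
! Global settings (assumed: Cisco 7500 with VIPs, 12.0S-train IOS)
ip cef distributed
!
! Turbo ACL: compile ACLs into lookup tables so per-packet cost does not
! grow with ACL length. Re-check "show access-list compiled" after every
! ACL change on the IOS you run, given the CPU hog tracebacks noted above.
access-list compiled
!
! Export NetFlow v5 records to a collector (hypothetical address and port)
ip flow-export version 5
ip flow-export destination 192.0.2.10 9996
!
! Ingress ACL from the customer: only their own prefix may be a source.
! Only contiguous wildcard masks are used, which keeps clear of the
! discontinuous-netmask case the reply warns about.
access-list 101 remark Anti-spoofing for customer prefix 203.0.113.0/24
access-list 101 permit ip 203.0.113.0 0.0.0.255 any
access-list 101 deny   ip any any log
!
! Egress ACL toward the customer: temporary DoS mitigation, e.g. dropping
! an ICMP echo flood at the victim host (hypothetical attack profile).
access-list 102 remark Temporary DoS filter, remove when attack subsides
access-list 102 deny   icmp any host 203.0.113.5 echo
access-list 102 permit ip any any
!
! T1 channel on a channelized DS3 facing the customer (interface name assumed)
interface Serial1/0/0:1
 description Customer XYZ T1
 ip address 198.51.100.1 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 ip route-cache distributed
 ip route-cache flow
!
! Verification:
!   show access-list compiled   - ACLs 101/102 should show as Operational
!   show ip cache flow          - confirms NetFlow accounting is active
```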



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:43 EDT