[c-nsp] IP RACL or CPP?

Kevin Graham mahargk at gmail.com
Tue Apr 26 18:12:14 EDT 2005


On 4/26/05, Rodney Dunn <rodunn at cisco.com> wrote:

> You put in rACL's to drop traffic you know is invalid
> and you use CPP to do even more granular stuff for
> the traffic that makes it through the rACL.

Does Cisco endorse 'conform action drop' MQC matches as a security
measure (assuming no, but are things (please) going this direction)?
It's so much more incredibly flexible and as this case shows, they can
often be used to get a superset of what's available via extended
ACLs.

Given that most all of the high-throughput platforms / line cards have
QoS functionality in hardware, short of tcam/pxf/etc resource
restraints it doesn't seem like there'd be much of a tradeoff.

(A sequence-number ala route-maps in MQC would address one of the only
CLI shortcomings for this)


