[c-nsp] IP RACL or CPP?
Rodney Dunn
rodunn at cisco.com
Tue Apr 26 18:18:27 EDT 2005
On Tue, Apr 26, 2005 at 03:12:14PM -0700, Kevin Graham wrote:
> On 4/26/05, Rodney Dunn <rodunn at cisco.com> wrote:
>
> > You put in rACL's to drop traffic you know is invalid
> > and you use CPP to do even more granular stuff for
> > the traffic that makes it through the rACL.
>
> Does Cisco endorse 'conform action drop' MQC matches as a security
> measure (assuming no, but are things (please) going this direction)?
I'm not sure I understand what you mean:
Router(config-pmap-c)#police 8000 conform-action ?
drop drop packet
> It's so much more incredibly flexible and as this case shows, they can
> often be used to get a superset of what's available via extended
> ACL's.
You can have a class be policed and that class be determined by
an extended ACL.
But if you are gonna do conform-action drop you might as well
just do:
Router#sh policy-map
Policy Map test
Class traffic
drop
and tell the box to drop any traffic that matches the class.
>
> Given that most all of the high-throughput platforms / line cards have
> QoS functionality in hardware, short of tcam/pxf/etc resource
> restraints it doesn't seem like there'd be much of a tradeoff.
>
> (A sequence-number ala route-maps in MQC would address one of the only
> CLI shortcomings for this)
You want the class-maps to have sequence numbers associated with them
so you don't have to rebuild the entire policy?
Rodney
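To make the two forms concrete, here is an added IOS MQC example of the CPP/CoPP approach described in the thread; it is a constructed illustration, not configuration from Rodney, Kevin, or Cisco documentation. The ACL names, policy name, and rate values are placeholders, and the classes below assume the known-invalid traffic has already been dropped by an rACL in front of the control plane.

```cisco
! Constructed example: the class is selected by an extended ACL,
! then the policy-map decides what happens to it. ACL entries are
! placeholders; use the ones that match your own invalid/unwanted
! traffic, after the rACL has already removed the obvious junk.
ip access-list extended CPP-UNWANTED
 remark placeholder: control-plane traffic we never expect to need
 permit udp any any eq snmp
 permit tcp any any eq telnet
!
ip access-list extended CPP-RATELIMIT
 remark placeholder: traffic that is legitimate but should be bounded
 permit icmp any any echo
!
class-map match-all CPP-UNWANTED
 match access-group name CPP-UNWANTED
class-map match-all CPP-RATELIMIT
 match access-group name CPP-RATELIMIT
!
policy-map CPP
 ! Form 1 (what the thread calls "conform-action drop"): everything
 ! matching the class is dropped regardless of rate, so the policer
 ! adds nothing except a counter.
 ! class CPP-UNWANTED
 !  police 8000 conform-action drop exceed-action drop
 !
 ! Form 2 (Rodney's suggestion): say what you mean and just drop
 ! the class. Same effect, simpler to read and to audit.
 class CPP-UNWANTED
  drop
 !
 ! A policed class is where conform/exceed actions actually earn
 ! their keep: let a bounded amount through, drop the excess.
 class CPP-RATELIMIT
  police 8000 conform-action transmit exceed-action drop
 !
 ! Leave class-default untouched here so routing protocols, SSH from
 ! management, etc. keep working; tighten it only once you have
 ! classified everything you rely on.
 class class-default
!
! Apply on the control-plane interface, inbound.
control-plane
 service-policy input CPP
```

Verify the classification with "show policy-map control-plane" and watch the per-class packet counters before trusting a drop class; a class that never increments usually means the ACL is not matching what you think it is.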