[c-nsp] IP RACL or CPP?
Kevin Graham
mahargk at gmail.com
Tue Apr 26 19:13:16 EDT 2005
On 4/26/05, Rodney Dunn <rodunn at cisco.com> wrote:
>
> But if you are gonna do conform-action drop you might as well
> just do:
>
> Router#sh policy-map
> Policy Map test
> Class traffic
> drop
>
> and tell the box to drop any traffic that matches the class.
Sorry, this was what I meant. Question is whether Cisco endorses this
(from a security standpoint) as equivalent to an ingress/egress
access-group. Obviously at face-value there's different priorities at
work (i.e. from a QoS perspective, leaking packets that should've
otherwise been dropped would be incorrect but still acceptable).
> > (A sequence-number ala route-maps in MQC would address one of the only
> > CLI shortcomings for this)
>
> You want the class-maps to have sequence numbers associated with them
> so you don't have to rebuild the entire policy?
Exactly -- 'class seq 5 WORD' under a policy-map or something
functionally equivalent.
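For readers following the comparison above, here are the two forms of the same filter side by side as an added illustration; this is not configuration from the thread or from Cisco, and the interface name, ACL/class/policy names and the port number are constructed placeholders:

```cisco
! --- Form 1: classic interface ACL (the "access-group" the thread refers to) ---
! Constructed example: block one TCP port inbound, permit everything else.
ip access-list extended BLOCK-IN
 deny   tcp any any eq 1234
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-IN in
!
! --- Form 2: MQC policy-map with a class whose only action is "drop" ---
! The ACL here only *selects* traffic; the drop decision lives in the policy.
ip access-list extended MATCH-1234
 permit tcp any any eq 1234
!
class-map match-all CM-1234
 match access-group name MATCH-1234
!
policy-map PM-IN
 class CM-1234
  drop
 class class-default
!
interface GigabitEthernet0/0
 service-policy input PM-IN
```

The second form is what the `sh policy-map` output quoted earlier in the thread shows (a class with a bare `drop` action). Two things to keep in mind when comparing them: classes in a policy-map are evaluated top to bottom in the order they appear, which is exactly why the thread asks for sequence numbers on `class` entries, and the MQC form reports matches under `show policy-map interface` rather than in ACL hit counters, so the two need different commands to verify that the filter is actually taking effect.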