[c-nsp] IP RACL or CPP?

Rodney Dunn rodunn at cisco.com
Wed Apr 27 11:07:02 EDT 2005


On Tue, Apr 26, 2005 at 04:13:16PM -0700, Kevin Graham wrote:
> On 4/26/05, Rodney Dunn <rodunn at cisco.com> wrote:
> > 
> > But if you are gonna do conform-action drop you might as well
> > just do:
> > 
> > Router#sh policy-map
> >   Policy Map test
> >     Class traffic
> >       drop
> > 
> > and tell the box to drop any traffic that matches the class.
> 
> Sorry, this was what I meant. Question is whether Cisco endorses this
> (from a security standpoint) as equivalent to an ingress/egress
> access-group.

Well technically it's not the same. Is it more or less secure?
I'm not sure it's possible to answer it yes or no.

What I can tell you is that with an inbound ACL on an interface,
packets that are denied are dropped sooner. So some may
consider that more secure, because the packet doesn't get as "deep"
in the box as a packet that is taken in and sent through the
switching vector to the point where it would be punted to the RP.
Before we punt it to the RP we run it through the CPP policy and
drop there. So the applications never see it, but a packet that
gets dropped via CPP does pass through more code than one that is
dropped by an iACL.

> Obviously at face-value there's different priorities at
> work (ie. from a QoS perspective, leaking packets that should've
> otherwise been dropped would be incorrect but still acceptable).
> 
> > > (A sequence-number ala route-maps in MQC would address one of the only
> > > CLI shortcomings for this)
> > 
> > You want the class-maps to have sequence numbers associated with them
> > so you don't have to rebuild the entire policy?
> 
> Exactly -- 'class seq 5 WORD' under a policy-map or something
> functionally equivalent.

Let me check on that.
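An added configuration example, not from this thread, showing the two mechanisms being compared: an ingress interface ACL that drops at the interface, and the CoPP policy with the class-level `drop` action shown above. Interface, ACL names and the 192.0.2.1 address are assumptions.

```cisco
! Added example (not from the thread). Names and addresses are placeholders.
! Goal: stop traffic destined to the router's own address 192.0.2.1.

! 1) Inbound interface ACL (iACL): a "deny" entry drops the packet at the
!    interface, before it enters the switching path at all.
ip access-list extended IACL-IN
 deny   ip any host 192.0.2.1
 permit ip any any

interface GigabitEthernet0/0
 ip access-group IACL-IN in

! 2) CoPP: the packet is switched normally and only meets this policy at
!    the point where it would be punted to the RP. Note the ACL uses
!    "permit" here: in a class-map, permit means "this packet matches the
!    class", and the class action "drop" does the discarding.
ip access-list extended TO-RP
 permit ip any host 192.0.2.1

class-map match-all traffic
 match access-group name TO-RP

policy-map test
 class traffic
  drop

control-plane
 service-policy input test
```

Either method keeps the packet away from the RP applications; only the iACL discards it before the switching path, which is the difference described in the reply.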
