[c-nsp] sup720 protection on the 6500/7600
Saku Ytti
saku+cisco-nsp at ytti.fi
Sat Feb 17 13:44:28 EST 2007
On (2007-02-17 18:27 +0100), vince anton wrote:
> I'm running a 7600 with SUP720-3BXL - 12.2(18)SXF7, and looking at options
> for protecting the box - hoping people out there that have been using these
> boxes in production for some time can share some experiences.
One thing I should have added about CoPP in PFC3 is that it really
is _all traffic visiting control-plane_, not just destined to control
plane. Consider: if you have an exception ACL in uRPF, SLB, or an ACE with log
(even a deny rule!), you need to allow them in the CoPP rules (so
to allow an ACE deny with log to log the drop, you must allow
it to be punted to the MSFC for logging; kinda silly, as it's
inherently rate-limited always, so it should be somehow
shortcutted from CoPP, but it might be an architecture limitation).
--
++ytti