[c-nsp] function of access-list in switch?
Deric Kwok
deric.kwok2000 at gmail.com
Sat Feb 28 12:54:14 EST 2009
Hi Saku
Thank you for your information. Good to learn from you
One more question: I added a one-line access rule in a Cisco router (r700 CPU at
240MHz with 252928K/9216K bytes of memory) and
the CPU graph rises from 70% to 80%.
Is the switch also having this problem?
Thank you
On Sat, Feb 28, 2009 at 3:11 AM, Saku Ytti <saku+cisco-nsp at ytti.fi> wrote:
> On (2009-02-27 07:15 -0500), Deric Kwok wrote:
>
> > Could you explain to me what is function of access-list in switch?
> >
> > It looks like to do prevent access to switch only?
> >
> > Am I right?
>
> No. You can in many CSCO switches use L3 access-lists in L2, although
> typically only on inbound direction.
>
> Some usage cases:
> a) rudimentary anti-spoofing
> b) stopping infected machine from spreading infection, while allowing
> machine administration to reach it and fix it
> c) for server aggregation style, on uplink you could protect the
> servers, like only allow 0.0.0.0 80 to them and 22 from MGMT NET,
> providing wire-rate protection of DoS.
>
> As not just IP match is allowed, but also MAC and ethertype, you
> could allow only IPv4, IPv6 and ARP frames, to avoid unwanted
> traffic entering.
>
> --
> ++ytti
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
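As an added illustration (not code from the thread or from Cisco), a small Python model of the port-ACL behaviour Saku describes: an EtherType allow-list admitting only IPv4, IPv6 and ARP in front of a first-match L3 ACL with an implicit deny, holding a rudimentary anti-spoofing entry and the "80 from anywhere, 22 only from the management net" server-aggregation policy. The networks and frames are constructed sample values.

```python
import ipaddress

# EtherType allow-list for the uplink port (assumed policy, see use case d above).
ALLOWED_ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}

MGMT_NET = ipaddress.ip_network("10.10.0.0/24")    # assumed management network
SERVER_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed server segment behind the uplink

# Inbound L3 ACL on the uplink: (action, proto, src_net, dst_net, dst_port); None = any.
# First matching entry wins; an implicit "deny ip any any" sits at the end.
SERVER_AGG_IN = [
    ("deny",   "ip",  SERVER_NET, None,       None),  # anti-spoofing: server addresses never arrive from outside
    ("permit", "tcp", None,       SERVER_NET, 80),    # web service reachable from anywhere
    ("permit", "tcp", MGMT_NET,   SERVER_NET, 22),    # SSH only from the management network
    ("deny",   "ip",  None,       None,       None),  # explicit catch-all (would carry "log" on real gear)
]


def check_frame(ethertype, src=None, dst=None, proto=None, dport=None):
    """Decide one inbound frame on the uplink; returns (decision, reason)."""
    if ethertype not in ALLOWED_ETHERTYPES:
        return "deny", f"ethertype 0x{ethertype:04x} not in allow-list"
    if ethertype != 0x0800:
        # IPv6 and ARP pass the frame filter; this model applies the L3 ACL to IPv4 only.
        return "permit", ALLOWED_ETHERTYPES[ethertype]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, p, snet, dnet, port) in enumerate(SERVER_AGG_IN):
        if p != "ip" and p != proto:
            continue
        if snet is not None and src_ip not in snet:
            continue
        if dnet is not None and dst_ip not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action, f"matched entry {index}"
    return "deny", "implicit deny"


if __name__ == "__main__":
    # Constructed sample traffic: only the first and fourth frames should be permitted.
    samples = [
        (0x0800, "203.0.113.5", "192.0.2.10", "tcp", 80),   # public client to web port
        (0x0800, "203.0.113.5", "192.0.2.10", "tcp", 22),   # public client to SSH
        (0x0800, "192.0.2.99",  "192.0.2.10", "tcp", 80),   # spoofed server source
        (0x0806, None, None, None, None),                   # ARP
        (0x8137, None, None, None, None),                   # IPX, not on the allow-list
    ]
    for frame in samples:
        print(frame, "->", check_frame(*frame))
```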