[c-nsp] Control-Plane Filters/ACLs
Phil Mayers
p.mayers at imperial.ac.uk
Fri Dec 3 12:18:03 EST 2010
On 03/12/10 16:30, Bill Blackford wrote:
> Hello C-NSP members. I am looking for some good examples of
> "router-protect" ACLs or FW filters. On my "J" gear, I have several
> firewall filters designed to protect the control-plane that simply
> get applied to the loopback. Now only certain hosts/networks can make
> SSH, FTP, TCP179, etc., connections "to" the routers.
Which platform?
>
> Are there some templates or examples I can find? I haven't played
> much with CoPP and don't hear a lot of accolades for doing this. The
> other obvious question would be "does this run in hardware or in
> software?". Hmm, doubt if the packet ASICs are processing ACLs.
Provided QoS is globally enabled with "mls qos", CoPP is done in
hardware[1] on 6500/sup720, by adding QoS policy-maps into the PFC/DFC
qos path.
[1] Well mostly in hardware - some types of traffic are filtered in
software because of the way they're punted to CPU, but "normal" unicast
IPv4 traffic is rate-limited in hardware per-PFC/DFC then the aggregates
are limited again in software.
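
A minimal CoPP layout for the 6500/sup720 case described in the reply above, as an added example that is not part of the original post and not from either poster. The ACL and class names, the addresses (documentation ranges) and the police rates are constructed placeholders, not recommended values.

```cisco
! Added example, constructed values throughout.
! Without global QoS the CoPP policy is not programmed into the PFC/DFC.
mls qos
!
! Management sessions to the router, from an assumed management prefix
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
!
! BGP (TCP 179) with an assumed peer, both directions of the session
ip access-list extended COPP-BGP
 permit tcp host 198.51.100.1 any eq bgp
 permit tcp host 198.51.100.1 eq bgp any
!
! Every other IPv4 packet punted to the route processor
ip access-list extended COPP-OTHER-IP
 permit ip any any
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-OTHER-IP
 match access-group name COPP-OTHER-IP
!
! Rates are in bits per second, burst in bytes (placeholder numbers)
policy-map COPP
 class COPP-BGP
  police 1000000 31250 conform-action transmit exceed-action drop
 class COPP-MGMT
  police 500000 15625 conform-action transmit exceed-action drop
 class COPP-OTHER-IP
  police 250000 7812 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Check per-class conform/exceed counters with:
!   show policy-map control-plane
```

Because the hardware policers work per-PFC/DFC, as the reply notes, a chassis with several DFCs can deliver more than one class rate to the CPU in aggregate, so size the rates with that in mind.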