[c-nsp] Control-Plane Filters/ACLs

Bill Blackford BBlackford at nwresd.k12.or.us
Fri Dec 3 12:51:25 EST 2010


ASR1002 and a few fixed switches pretending they're routers. Mostly the ASRs.

-b

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Friday, December 03, 2010 9:18 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Control-Plane Filters/ACLs

On 03/12/10 16:30, Bill Blackford wrote:
> Hello C-NSP members. I am looking for some good examples of
> "router-protect" ACLs or FW filters. On my "J" gear, I have several
> firewall filters designed to protect the control-plane that simply
> get applied to the loopback. Now only certain hosts/networks can make
> SSH, FTP, TCP179, etc., connections "to" the routers.

Which platform?

>
> Are there some templates or examples I can find? I haven't played
> much with CoPP and don't hear a lot of accolades for doing this. The
> other obvious question would be "does this run in hardware or in
> software?". Hmm, doubt if the packet ASICs are processing ACLs.

Provided QoS is globally enabled with "mls qos", CoPP is done in 
hardware[1] on 6500/sup720, by adding QoS policy-maps into the PFC/DFC 
qos path.

[1] Well mostly in hardware - some types of traffic are filtered in 
software because of the way they're punted to CPU, but "normal" unicast 
IPv4 traffic is rate-limited in hardware per-PFC/DFC then the aggregates 
are limited again in software.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
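Added example (not from the thread or either poster): a minimal classic-IOS CoPP policy of the kind Phil describes, approximating Bill's Juniper "router-protect" loopback filter. Management and BGP traffic from trusted sources is allowed, the same ports from anywhere else are dropped, and everything remaining is rate-limited rather than blocked. The prefixes (RFC 5737 documentation ranges), the policer rates and the class/ACL names are assumptions to be replaced with local values.

```cisco
! Trusted management stations and BGP peers (assumed prefixes, example only)
ip access-list extended COPP-MGMT-TRUSTED
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp 192.0.2.0 0.0.0.255 any eq 21
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
 permit udp 192.0.2.0 0.0.0.255 any eq ntp
 permit tcp 198.51.100.0 0.0.0.255 any eq bgp
 permit tcp 198.51.100.0 0.0.0.255 eq bgp any
!
! Same services from anyone else: this is what the Juniper loopback filter
! discards, so it is dropped here too
ip access-list extended COPP-MGMT-UNTRUSTED
 permit tcp any any eq 22
 permit tcp any any eq 21
 permit udp any any eq snmp
 permit udp any any eq ntp
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all COPP-MGMT-TRUSTED
 match access-group name COPP-MGMT-TRUSTED
class-map match-all COPP-MGMT-UNTRUSTED
 match access-group name COPP-MGMT-UNTRUSTED
!
! Rates are placeholders: size them from the conform/exceed counters
policy-map COPP
 class COPP-MGMT-TRUSTED
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-MGMT-UNTRUSTED
  police 32000 conform-action drop exceed-action drop
 class class-default
  police 500000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Two practitioner caveats. First, class-default is policed, not dropped: it still carries ARP, ICMP, routing-protocol hellos from neighbours not listed above and other punted traffic the box needs to stay up, so watch `show policy-map control-plane` before tightening its rate. Second, as Phil's footnote says, on 6500/sup720 the policing is only done in the PFC/DFC when `mls qos` is enabled globally, and some punted traffic types still fall through to the software policer; keep the `log` keyword out of these ACLs, since on that platform it forces the class into software as well.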