[c-nsp] ACL query

Peter Rathlev peter at rathlev.dk
Wed Dec 15 13:46:05 EST 2010


On Wed, 2010-12-15 at 19:56 +1000, Edward avanti wrote:
> I understood that ACL on int's were transiting traffic and ACL on line was
> to the router?

Unfortunately not; the interface ACL is applied before the router finds
out if the packet is destined for itself or not, so you need the
interface ACL to permit the same traffic that you permit in your line
ACLs, SNMP ACLs et cetera.

All the control-plane ACLs are handled in process switching, so you have
no benefit from hardware-enforced ACLs or interrupt-based CEF drops*.
Limiting as much as possible in your interface ACL helps the router to
better survive DoS attempts.

*) Cat6500 has CoPP to help. Other platforms might have similar tools.

-- 
Peter
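The layering Peter describes, as an added IOS configuration example that is not part of the original post. The interface ACL must explicitly permit the SSH and SNMP traffic that the VTY line ACL and SNMP ACL later accept, because the interface ACL is evaluated first, on everything that arrives, before the router knows the packet is addressed to itself. All addresses (RFC 5737 documentation ranges), ACL names, the community string and the CoPP police rate are hypothetical placeholders; the CoPP section assumes a platform that supports control-plane policing, as the footnote says the Cat6500 does.

```cisco
! --- Interface ACL (hardware/CEF path): sees ALL ingress packets,
! --- including those addressed to the router itself. If the
! --- management traffic is not permitted here, the line and SNMP
! --- ACLs below never get a chance to see it.
ip access-list extended FROM-WAN
 remark Traffic TO the router itself (198.51.100.1 is the router's own address)
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 22
 permit udp host 192.0.2.10 host 198.51.100.1 eq snmp
 remark Transit traffic through the router
 permit ip any 203.0.113.0 0.0.0.255
 remark Everything else is dropped in hardware, never punted to the CPU
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 ip access-group FROM-WAN in
!
! --- Line ACL (process switched): only consulted once a packet has
! --- already been accepted by the interface ACL and punted to the CPU.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
! --- SNMP ACL: same story, evaluated after the interface ACL.
! --- "MYRO" is a placeholder community string.
snmp-server community MYRO RO MGMT-HOSTS
!
! --- CoPP (platform dependent): rate-limit what is still allowed to
! --- reach the CPU, so a flood from a permitted source cannot starve it.
! --- 512 kbit/s is an illustrative value, not a recommendation.
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp host 192.0.2.10 any eq snmp
!
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
!
policy-map COPP
 class COPP-MGMT-CLASS
  police 512000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

A quick sanity check on a live box: `show ip access-lists FROM-WAN` should show hit counts on the two "router itself" lines when you SSH in or poll SNMP; if the session fails while those counters stay at zero and the `deny ip any any log` counter climbs, the interface ACL is eating the management traffic before the line or SNMP ACL is ever consulted. A production CoPP policy would also classify routing protocols, ARP and the remaining punted traffic into their own classes; the example above only shows the mechanism.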