[c-nsp] Protecting a sup2/msfc2 in 2010: CoPP the "hard way"
Anton Kapela
tkapela at gmail.com
Sun Mar 21 14:43:51 EDT 2010
On Mar 21, 2010, at 2:29 PM, Dobbins, Roland wrote:
>> I also argue that maintaining a flattened-out input ACL blocking packets to receive adjacencies puts the engineering effort-required slider up a few notches; I appreciate the clean/simple nature of CoPP and dislike loading up ACL cam, per port, with repetitive filters, across all or most port
Yup, I typed that one ;) I've never been so much on the opposing side to another opinion:
>> From my standpoint, it's a whole lot *easier* to generate an iACL than making use of the HWRL (or using CoPP), and it only has to be applied to edge interfaces on edge boxes, nowhere else. And it's the same on every box, irrespective of platform. The only prerequisite is a rational, summarizable IP addressing plan for one's loopbacks and p2p interfaces
I am also concerned with the sources of "attack bits" which are located on or within the network/AS -- iACL at borders makes plenty of sense, but what about the rest of the interfaces & platforms within it?
-Tk
More information about the cisco-nsp
mailing list