[c-nsp] Protecting a sup2/msfc2 in 2010: CoPP the "hard way"
Dobbins, Roland
rdobbins at arbor.net
Sun Mar 21 15:07:06 EDT 2010
On Mar 22, 2010, at 1:43 AM, Anton Kapela wrote:
> iACL at borders makes plenty of sense, but what about the rest of the interfaces & platforms within it?
It also includes internal edges such as the IDC distribution gateway edge, facing southbound towards the aggregation/access networks.
If one's overall security posture is such that attackers can get into one's core infrastructure and cause problems at one's edges, one has problems mere technology cannot solve.
;>
I'm not saying that CoPP and HWRL are Bad Things - quite the contrary, they're Good Things. But you can get 90% or more of what you get from CoPP/HWRL via iACLs in exchange for much less effort - and since you have to do ACLs at your various edges anyway in order to enforce policy for traffic headed to/from your external DNS resolvers, Web portals, et al., why not go ahead and add the iACL stanzas to those edge ACLs?
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
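An added example, not part of the original post, of what "adding the iACL stanzas to the edge ACL" looks like on IOS. The addresses are assumptions from the RFC 5737 documentation ranges: 192.0.2.0/24 stands in for the infrastructure (loopback/link) space, 198.51.100.1 for the single eBGP peer on this interface, and 203.0.113.0/24 for the public services the edge ACL already had to permit. The ACL name and interface are placeholders too.

```ios
! Added example (not from the original post): an edge ACL with an iACL
! stanza folded in. Assumed addresses: infrastructure 192.0.2.0/24,
! eBGP peer 198.51.100.1, public services in 203.0.113.0/24.
ip access-list extended EDGE-IN
 remark --- existing edge policy: public-facing services ---
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.53 eq 53
 permit tcp any host 203.0.113.53 eq 53
 remark --- iACL stanza: only expected traffic may reach infrastructure ---
 remark non-initial fragments can never be legitimate control-plane traffic
 deny   ip any 192.0.2.0 0.0.0.255 fragments
 remark BGP with the known peer only, to the router's own peering address
 permit tcp host 198.51.100.1 host 192.0.2.1 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 192.0.2.1
 remark the ICMP needed for troubleshooting and path MTU discovery
 permit icmp any 192.0.2.0 0.0.0.255 echo
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 remark everything else destined to infrastructure space is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 remark --- transit traffic is untouched ---
 permit ip any any
!
interface GigabitEthernet1/1
 description Peering to 198.51.100.1
 ip access-group EDGE-IN in
```

Two practical notes. Keep the `log` keyword off the infrastructure `deny` line: logged denies are punted to the route processor, which is exactly the load the iACL is meant to keep off it; use the hit counters from `show ip access-lists EDGE-IN` instead. And because the stanza lives in the interface ACL rather than in CoPP, it only covers traffic arriving on interfaces where the ACL is applied, which is why the post argues for adding it at every edge, internal distribution edges included.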