[c-nsp] Sup720 CoPP, limits on CPU performance

Dobbins, Roland rdobbins at arbor.net
Wed Mar 24 05:24:12 EDT 2010


On Mar 24, 2010, at 4:06 PM, Saku Ytti wrote:

> I'd say often this is not feasible, which is why we have rACL and CoPP.

Of course it's feasible - *far more so* than rACL or CoPP, IMHO.  It's easier to accomplish and apply.

It's amazing how folks seem to grossly overestimate the effort required to implement this simple, direct concept.  It isn't hard to do, it requires far less detailed knowledge of the 'to-me' traffic one's routers encounter, and is generalizable across multiple platforms.

I guess people are so used to messing around with relatively dynamic policy ACLs that they have it fixed in their heads that any ACL is going to be complex and a hassle to maintain.

Not so with iACLs, given that they're going to be relatively small and also relatively static.

> Of course if you are running older linecards, ingress ACL may not have
> hardware, but is purely in software (E0, E1).

If one is still running these on one's edges, one has larger problems, heh.


-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken





