[c-nsp] Sup720 CoPP, limits on CPU performance
Saku Ytti
saku at ytti.fi
Wed Mar 24 07:51:13 EDT 2010
On (2010-03-24 10:15 +0000), Dobbins, Roland wrote:
> And I've implemented it on operational networks of non-trivial size for which I myself was responsible, as well as having worked with others responsible for networks of non-trivial size to implement.
>
> So, having having implemented iACLs myself and helped others do so, I fail to see why they seem so scary to some folks, heh.
Bottom line is, you have typically modern and homogeneous edge towards
higher speed connections, such as transit and peering. And most people
implement iACL there. It is lot less trivial for every customer interface.
And even if you can do iACL everywhere, you still need CoPP to protect IP
addresses which are not aggregatable in iACL. Take hosting customer, their
default GW is PE, would you add all of these addresses to 100k's of iACL
when ever new customer is provisioned?
As you are forced to do CoPP in any case for full protection, it seems
rather useless to add iACL to 100k's of interfaces, when transit/peering is
where it matters.
So CoPP will take care of attacks originating from your network (untypical)
and attacks towards customer assigned IP's attached to your router
(typical). iACL will take care of attacks from Internet towards your
infrastructure (typical).
--
++ytti
More information about the cisco-nsp
mailing list