[c-nsp] Sup720 CoPP, limits on CPU performance

Saku Ytti saku at ytti.fi
Wed Mar 24 09:33:54 EDT 2010


On (2010-03-24 13:18 +0000), Dobbins, Roland wrote:

> There's a 'permit IP any any' at the end of the iACL after the explicit denies for one's own netblocks; for something which you want pingable via hosting/colo customers, like a default gateway in the case you describe, just use QoS.
> 
> Note that the default gateway will be drawn from the access netblocks, not the infrastructure netblocks covered by the iACL.
> There's no need to add all the hosting/colo customers to the iACLs, that I can see . . . 

How would you stop an attack from the Internet towards the PE-side address of a
hosting customer subnet?
These are not aggregatable, so you can't build an iPolicer or iACL at the edge,
as that would also affect the traffic towards the customer network.

int foo
  ip address 192.0.2.1 255.255.255.0
!

How do you protect 192.0.2.1 from being DoSed, while allowing unrestricted
access to .2-.254? My answer has always been CoPP, and as I require CoPP,
adding an iACL to every customer interface seems like just extra effort with no
particular payback.

-- 
  ++ytti
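The CoPP approach described in the message, written out as a Sup720-style IOS configuration. This is an added illustration and not configuration from Saku's post or from the thread: the ACL, class-map and policy-map names, the police rates, and the 198.51.100.0/24 management prefix are assumptions; only the 192.0.2.0/24 interface from the message is taken from the page.

```cisco
! Added example, not part of the original post. Names, rates and the
! management prefix are illustrative assumptions.
!
! Point of the example: CoPP classifies only packets punted to the
! route processor, i.e. traffic addressed to the router itself (here
! 192.0.2.1). Transit traffic to 192.0.2.2-254 is switched in hardware
! and never reaches this policy, so the customer hosts stay unrestricted
! while the PE-side address is rate-limited.
!
! Hardware CoPP on Sup720 requires mls qos to be enabled.
mls qos
!
ip access-list extended COPP-ICMP
 remark "any" as destination here effectively means "my own addresses",
 remark because only punted packets are evaluated by the control-plane policy
 permit icmp any any
!
ip access-list extended COPP-BGP
 permit tcp any eq bgp any
 permit tcp any any eq bgp
!
ip access-list extended COPP-MGMT
 remark assumption: management stations live in 198.51.100.0/24
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
!
class-map match-all COPP-CLASS-BGP
 match access-group name COPP-BGP
class-map match-all COPP-CLASS-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-CLASS-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP-POLICY
 class COPP-CLASS-BGP
  police 512000 16000 16000 conform-action transmit exceed-action drop
 class COPP-CLASS-MGMT
  police 256000 8000 8000 conform-action transmit exceed-action drop
 class COPP-CLASS-ICMP
  ! customers can still ping their default gateway 192.0.2.1, but an
  ! ICMP flood towards it is capped at this rate before it reaches the RP
  police 64000 8000 8000 conform-action transmit exceed-action drop
 class class-default
  ! everything else punted to the RP is held to a small budget rather
  ! than dropped outright, so nothing needed for operation is silently lost
  police 128000 8000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
interface foo
 ip address 192.0.2.1 255.255.255.0
```

Verify the classification with `show policy-map control-plane input` and watch the per-class conform/exceed counters while pinging 192.0.2.1 from a customer host; the class-default counters are the first place to look for protocols you forgot to classify. Two caveats for this platform: the rates above are placeholders and must be sized for the actual box, and IP ACL classes do not see non-IP control traffic such as ARP, which on Sup720 is covered by the separate hardware rate-limiters (`mls rate-limit`) rather than by this policy.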


More information about the cisco-nsp mailing list