[c-nsp] Sup720 CoPP, limits on CPU performance
Dobbins, Roland
rdobbins at arbor.net
Wed Mar 24 10:15:39 EDT 2010
On Mar 24, 2010, at 8:33 PM, Saku Ytti wrote:
> How would you stop attack from Internet towards PE side address of hosting customer subnet?
Either deploy a limited iACL on the IDC distribution gateway core uplinks which denies externally-originated traffic to the default gateway addresses for the access networks; or if you've an aggregation layer in your IDC, on the northbound interfaces of those boxes (use some script-fu to automate the generation of said limited iACL, in either case); or use CoPP, the policies for which have been vastly simplified due to your iACL deployment.
And you've nothing to do at all for your core, as it's protected by the 'force field' iACLs deployed at all edges.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
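
The "script-fu" for generating the limited iACL mentioned in the reply above could look like the following. This is an added example, not code from the original message: the subnet list is constructed from documentation ranges, the ACL name IACL-GW-PROTECT is hypothetical, and it assumes each access network's default gateway is the first host address in the subnet.

```python
import ipaddress

# Constructed sample input: access subnets (RFC 5737 documentation ranges).
# In practice this list would come from an IPAM export or config database.
ACCESS_SUBNETS = [
    "192.0.2.0/26",
    "203.0.113.128/25",
    "198.51.100.0/24",
    "198.51.100.0/24",   # duplicate on purpose, must be emitted once
]

def gateway_for(subnet, offset=1):
    """Return the default gateway, assumed to sit at network address + offset."""
    # strict=True rejects entries with host bits set (e.g. 192.0.2.5/24),
    # which usually means a typo in the source data.
    net = ipaddress.ip_network(subnet, strict=True)
    if net.version != 4:
        raise ValueError(f"{subnet}: this example handles IPv4 only")
    if net.prefixlen >= 31:
        raise ValueError(f"{subnet}: no conventional gateway in a /31 or /32")
    gw = net.network_address + offset
    if gw not in net or gw == net.broadcast_address:
        raise ValueError(f"{subnet}: offset {offset} is not a host address")
    return gw

def build_iacl(subnets, name="IACL-GW-PROTECT", offset=1):
    """Build IOS extended-ACL lines that deny traffic to each gateway address.

    Intended for inbound use on the uplink (northbound) interfaces, so every
    packet it sees is externally originated; everything else is permitted.
    """
    gateways = sorted({gateway_for(s, offset) for s in subnets})
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip any host {gw}" for gw in gateways]
    lines.append(" permit ip any any")
    return lines

if __name__ == "__main__":
    print("\n".join(build_iacl(ACCESS_SUBNETS)))
```

Regenerating the ACL from the authoritative subnet list whenever an access network is added keeps the deny entries from drifting out of date.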