[c-nsp] Sup720 CoPP, limits on CPU performance
Dobbins, Roland
rdobbins at arbor.net
Wed Mar 24 10:23:29 EDT 2010
On Mar 24, 2010, at 9:13 PM, Gert Doering wrote:
> I assumed that you wanted to include *all* IP addresses
> configured on routers in the iACL - and that's quite impractical.
Actually, it is practical, if you use some script-fu to generate a limited iACL for your access network default gateway addresses, and deploy that on the IDC distribution gateway core uplinks, or on the northbound interfaces of your aggregation-layer IDC boxes. It can be automated as part of your customer provisioning process.
> ... and this is why I want "properly-implemented" rACLs and/or CoPP, to protect those IP addresses that can't be put in iACLs.
Sure, I understand what you're saying, and it makes perfect sense; the above may be a viable workaround, in the meantime, or the *vastly simplified* CoPP policies made possible by an edge-wide iACL deployment.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
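
One way the "script-fu" iACL generation described in the message above could look, as an added example that is not part of the original post or anyone's production tooling. The provisioning record format, the ACL name IACL-GW and the sample addresses are assumptions constructed for illustration; the output is meant to be applied inbound on the uplink/northbound interfaces the message names, and any permit lines a site needs for management traffic are left out.

```python
"""Generate a limited iACL covering access-network default gateway addresses."""
import ipaddress

# Constructed provisioning records: (customer id, gateway interface address).
PROVISIONED = [
    ("cust-a", "198.51.100.1/28"),
    ("cust-b", "198.51.100.17/28"),
    ("cust-c", "203.0.113.0/31"),
    ("cust-d", "203.0.113.1/31"),   # adjacent to cust-c, collapses to one /31
    ("cust-a", "198.51.100.1/28"),  # duplicate record, emitted once
]


def gateway_hosts(records):
    """Return the de-duplicated gateway host addresses from the records."""
    hosts = set()
    for customer, iface in records:
        addr = ipaddress.ip_interface(iface)  # raises ValueError on bad input
        if addr.version != 4:
            raise ValueError(f"{customer}: IPv6 needs a separate ipv6 access-list")
        hosts.add(ipaddress.ip_network(f"{addr.ip}/32"))
    return hosts


def build_iacl(records, name="IACL-GW"):
    """Build IOS extended-ACL lines: drop traffic to gateways, pass transit."""
    lines = [f"ip access-list extended {name}",
             " remark generated from provisioning data; do not edit by hand"]
    # collapse_addresses merges only fully covered prefixes, so no address
    # that is not a gateway ends up inside a deny entry.
    for net in ipaddress.collapse_addresses(sorted(gateway_hosts(records))):
        if net.prefixlen == 32:
            lines.append(f" deny ip any host {net.network_address}")
        else:
            lines.append(f" deny ip any {net.network_address} {net.hostmask}")
    lines.append(" permit ip any any")  # transit traffic is not filtered
    return lines


if __name__ == "__main__":
    print("\n".join(build_iacl(PROVISIONED)))
```

Running the generator from the customer provisioning step keeps the ACL in sync with the gateway addresses actually deployed, which is the automation the message refers to.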