[c-nsp] Sup720 CoPP, limits on CPU performance

[Drew Weaver]

I've heard of a particular hosting provider that blocks traffic ingress to gateways, network and broadcast addresses assigned to customer 'connected' interfaces at their edge using scripts, etc but this type of thing doesn't seem like it would scale very well. 

It seems like it may make more sense to see if there could be a command added to IOS that denotes these VLANs or Physical interfaces as customer interfaces that tells it to protect the switch from traffic hitting these ports, but then again nothing is ever that easy.

-Drew


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dobbins, Roland
Sent: Wednesday, March 24, 2010 10:16 AM
To: Cisco-nsp
Subject: Re: [c-nsp] Sup720 CoPP, limits on CPU performance


On Mar 24, 2010, at 8:33 PM, Saku Ytti wrote:

> How would you stop attack from Internet towards PE side address of hosting customer subnet?

Either deploy a limited iACL on the IDC distribution gateway core uplinks which denies externally-originated traffic to the default gateway addresses for the access networks; or if you've an aggregation layer in your IDC, on the northbound interfaces of those boxes (use some script-fu to automate the generation of said limited iACL, in either case); or use CoPP, the policies for which have been vastly simplified due to your iACL deployment.

And you've nothing to do at all for your core, as it's protected by the 'force field' iACLs deployed at all edges.


-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken




_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/