[c-nsp] Sup720 CoPP, limits on CPU performance

Saku Ytti saku at ytti.fi
Wed Mar 24 11:00:36 EDT 2010


On (2010-03-24 14:15 +0000), Dobbins, Roland wrote:

> > How would you stop attack from Internet towards PE side address of hosting customer subnet?
> 
> Either deploy a limited iACL on the IDC distribution gateway core uplinks which denies externally-originated traffic to the default gateway addresses for the access networks; or if you've an aggregation layer in your IDC, on the northbound interfaces of those boxes (use some script-fu to automate the generation of said limited iACL, in either case); or use CoPP, the policies for which have been vastly simplified due to your iACL deployment.

Typical MPLS-based network, packet is label switched to egress PE, so no ACL
in the middle.
So either we update iACL on 100k's of interfaces every time a new customer
gets provisioned with this script-fu, or we run CoPP.

Maybe we should just agree that networks that do not have CPE-less customers
can put iACL everywhere, while networks that have CPE-less customers will
have a much easier time with iACL only in the peering/transit edge and CoPP
elsewhere.

-- 
  ++ytti
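Roland's "script-fu" for generating the limited iACL, as an added example that is not code from this thread, from Cisco, or from either poster: a Python script that emits IOS extended-ACL lines denying any traffic to each access subnet's gateway address, applies the ACL inbound on named uplinks, and includes a small first-match evaluator so the result can be checked before it is pushed to a box. The subnet list, the exempt management range, the interface names, the ACL name and the convention that the gateway is the first usable host of each subnet are all assumptions for the example.

```python
"""Generate a 'limited iACL' in Cisco IOS extended-ACL syntax that drops
traffic aimed at the default-gateway addresses of a set of access subnets.

Added example, not code from the cisco-nsp thread or from Cisco.
Assumptions: the gateway is the first usable host of each subnet; the
sample subnets, interface names and ACL name are constructed for the example.
"""
import ipaddress

# Constructed sample data: access networks behind the gateway, the uplinks
# on which the ACL is applied inbound, and a management range that may still
# reach the gateways (e.g. NMS polling).
SAMPLE_ACCESS_NETS = ["192.0.2.0/24", "198.51.100.128/25", "203.0.113.0/28"]
SAMPLE_UPLINKS = ["TenGigabitEthernet1/1", "TenGigabitEthernet1/2"]
SAMPLE_EXEMPT_SOURCES = ["10.0.0.0/8"]  # assumption: internal management space


def gateway_of(net: str, offset: int = 1) -> str:
    """Return the gateway address of a subnet (assumed: first usable host).

    Raises ValueError for prefixes where that address is not a usable host,
    so a /31 or /32 customer link never silently produces a bogus deny line.
    """
    n = ipaddress.ip_network(net, strict=True)
    gw = n.network_address + offset
    if gw not in n or gw in (n.network_address, n.broadcast_address):
        raise ValueError(f"gateway offset {offset} is outside the usable range of {net}")
    return str(gw)


def build_iacl(access_nets, acl_name="IACL-PROTECT-GW", exempt_sources=()):
    """Return the ACL as a list of IOS config lines.

    IOS ACLs are first-match-wins, so exemptions for internal sources go
    before the denies, and everything else is passed through by the final
    'permit ip any any' (this is a limited iACL, not a full edge filter).
    """
    lines = [f"ip access-list extended {acl_name}",
             " remark drop externally-originated traffic to access-network gateways"]
    for src in exempt_sources:
        s = ipaddress.ip_network(src, strict=True)
        lines.append(f" permit ip {s.network_address} {s.hostmask} any")
    for net in access_nets:
        lines.append(f" deny ip any host {gateway_of(net)}")
    lines.append(" permit ip any any")
    return lines


def render_config(access_nets, uplink_interfaces, exempt_sources=(),
                  acl_name="IACL-PROTECT-GW") -> str:
    """ACL definition plus its inbound application on each uplink interface."""
    lines = build_iacl(access_nets, acl_name, exempt_sources)
    for intf in uplink_interfaces:
        lines += [f"interface {intf}", f" ip access-group {acl_name} in"]
    return "\n".join(lines) + "\n"


def _parse_spec(tokens, i):
    """Parse one 'any' / 'host A' / 'A wildcard' spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (wildcard) in the mask position.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def lookup(acl_lines, src: str, dst: str) -> str:
    """Evaluate an IP packet against the generated lines: first match wins,
    implicit deny at the end, header/remark lines are skipped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src_net, i = _parse_spec(tokens, 2)
        dst_net, _ = _parse_spec(tokens, i)
        if s in src_net and d in dst_net:
            return tokens[0]
    return "deny"


if __name__ == "__main__":
    print(render_config(SAMPLE_ACCESS_NETS, SAMPLE_UPLINKS, SAMPLE_EXEMPT_SOURCES))
```

The evaluator only understands the three line shapes the generator emits; it is there to confirm, for each new customer subnet, that outside sources are blocked from the gateway while traffic to the customer's own hosts still passes. As the reply above points out, such an ACL only takes effect where the packet is actually IP-forwarded through an interface that carries it; on a label-switched path to the egress PE there is no such interface in the middle, which is the case for CoPP on the PE itself.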

