[c-nsp] Nexus 7k CoPP

Anton Kapela tkapela at gmail.com
Fri May 21 17:31:07 EDT 2010


On May 21, 2010, at 5:19 PM, Ziv Leyes wrote:

> ip access-list extended CP-CRITICAL-ROUTING
> permit tcp any any eq bgp

[snip]

L4-only matches are a suboptimal (this is a polite understatement) way to use CoPP on any platform I'm familiar with. I recommend that nobody do this, especially for routing protocols. ACLs for routing protocols (ospf, bgp, etc) in CoPP-policies should match specific layer3 hosts (or aggregated prefixes, if you number links that way) which you explicitly expect IP packets from.

-Tk
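
The check recommended in the reply above, as an added example that is not part of the original post: a small audit that flags routing-protocol permits in CoPP ACLs whose source is `any`. The function names, the `ROUTING` keyword set, the `CP-CRITICAL-ROUTING-PEERS` ACL and all addresses are constructed for illustration.

```python
import re

# Constructed sample (RFC 5737 addresses, not from the thread): quoted ACL plus a peer-specific one.
SAMPLE_CONFIG = """\
ip access-list extended CP-CRITICAL-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ip access-list extended CP-CRITICAL-ROUTING-PEERS
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit ospf 198.51.100.0 0.0.0.3 any
"""
ROUTING = {"bgp", "179", "ospf", "eigrp", "pim"}  # assumed set of routing keywords

def _addr(tok, i):  # consume an address spec at tok[i]; return (spec, next index)
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return "host " + tok[i + 1], i + 2
    spec = tok[i] + " " + tok[i + 1]              # address + wildcard mask
    return ("any" if spec == "0.0.0.0 255.255.255.255" else spec), i + 2

def _port(tok, i):  # consume an optional port operator; return (port, next index)
    if i < len(tok) and tok[i] in ("eq", "neq", "gt", "lt"):
        return tok[i + 1], i + 2
    return None, i

def audit(config):  # return (acl, entry) for routing permits whose source is 'any'
    findings, acl = [], None
    for line in config.splitlines():
        m = re.match(r"\s*ip access-list (?:extended )?(\S+)", line)
        if m:
            acl = m.group(1)
        tok = line.split()
        if acl is None or len(tok) < 4 or tok[0] != "permit":
            continue
        try:
            src, i = _addr(tok, 2)
            sport, i = _port(tok, i)
            _, i = _addr(tok, i)                  # destination is parsed but not judged
            dport, i = _port(tok, i)
        except IndexError:                        # malformed or unsupported entry
            continue
        if src == "any" and ROUTING & {tok[1], sport, dport}:
            findings.append((acl, " ".join(tok)))
    return findings

for acl, entry in audit(SAMPLE_CONFIG):
    print(f"{acl}: routing permit with source 'any' -> {entry}")
```

Only the source field is judged, since the reply's point is about which hosts you expect packets from; a destination of `any` (for example OSPF multicast) is not flagged.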

