[c-nsp] Nexus 7k CoPP
Anton Kapela
tkapela at gmail.com
Fri May 21 17:31:07 EDT 2010
On May 21, 2010, at 5:19 PM, Ziv Leyes wrote:
> ip access-list extended CP-CRITICAL-ROUTING
> permit tcp any any eq bgp
[snip]
L4-only matches are a suboptimal (this is a polite understatement) way to use CoPP any platform I'm familiar with. I recommend that nobody do this, especially for routing protocols. ACL's for routing protocols (ospf, bgp, etc) in CoPP-policies should match specific layer3 hosts (or aggregated prefixes, if you number links that way) which you explicitly expect IP packets from.
-Tk
More information about the cisco-nsp
mailing list