[c-nsp] Nexus 7k CoPP
Dobbins, Roland
rdobbins at arbor.net
Sun May 23 21:18:49 EDT 2010
On May 24, 2010, at 4:51 AM, Lincoln Dale wrote:
> the irony is that CoPP is actually a superior solution to the problem, as CoPP is enforced in the h/w forwarding path - whereas a vty access-class is applied in software once the packets have already hit the control-plane.
The best way to accomplish this is to deploy iACLs first and CoPP later, IMHO. iACLs are much easier to craft, run in hardware - and they protect not only edge devices, but everything behind those edge devices.
Here's a link to a presentation which discusses infrastructure self-protection, including both iACLs and CoPP:
<http://files.me.com/roland.dobbins/prguob>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken
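
Added example, not part of the original post: a minimal infrastructure ACL (iACL) of the kind the message recommends deploying before CoPP, applied inbound on an external-facing edge interface. It is written in IOS-style syntax as an assumption (NX-OS ACL syntax differs), and every address, the ACL name and the interface name are constructed placeholders using documentation ranges.

```cisco
! Constructed addressing (documentation ranges, not from the post):
!   198.51.100.0/24  infrastructure block (loopbacks, point-to-point links)
!   192.0.2.1        external eBGP peer
!   198.51.100.1     this router's peering address
ip access-list extended IACL-EDGE-IN
 remark -- control-plane sessions the edge actually needs --
 permit tcp host 192.0.2.1 host 198.51.100.1 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 198.51.100.1
 remark -- keep path MTU discovery and router-sourced traceroute working --
 permit icmp any 198.51.100.0 0.0.0.255 packet-too-big
 permit icmp any 198.51.100.0 0.0.0.255 time-exceeded
 remark -- nothing else from outside may address infrastructure --
 deny   ip any 198.51.100.0 0.0.0.255
 remark -- transit traffic through the network is left untouched --
 permit ip any any
!
interface GigabitEthernet0/0
 description external-facing edge link (hypothetical interface name)
 ip access-group IACL-EDGE-IN in
```

Because the deny entry covers the whole infrastructure block rather than only the local router, the same ACL shields devices behind the edge, which is the property the post contrasts with per-device CoPP.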