[c-nsp] CoPP for SSH on nexus 7k. Confused!
Lincoln Dale
ltd at cisco.com
Wed Oct 20 18:16:00 EDT 2010
On 21/10/2010, at 2:49 AM, Justin M. Streiner wrote:
> It's my understanding that more IOS-like VTY ACLs are coming in NX-OS 5.1,
indeed, NX-OS 5.1 does have VTY ACLs:

ltd-n7010-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
ltd-n7010-1(config)# line vty
ltd-n7010-1(config-line)# ip access-class ?
  WORD  List name (Max Size 64)
ltd-n7010-1(config-line)# ip access-class foo ?
  in   Inbound packets
  out  Outbound packets

note however that CoPP is still (in many cases) superior as it's h/w data plane providing the protection before the packets get to the control plane whereas VTY ACLs are in software on the control plane itself.
i guess one could provide best-of-both-worlds by using an "established" CoPP policy with a high rate and a low rate of protection via CoPP for the initial syn/synack session setup.
>
> which was supposed to be out last month, but wasn't on CCO the last time I looked (late last week).
"on time" or "quality". pick one. :)
it will be out before the end of the month.
cheers,
lincoln.
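
The following NX-OS configuration sketch is an added example, not part of the original message and not Cisco's shipped CoPP policy. It combines a VTY ACL with the two-rate CoPP idea described above: a low police rate for SSH session setup and a higher one for established sessions. All ACL, class and policy names, the 192.0.2.0/24 management prefix and the police rates are constructed placeholders, and it assumes the platform's CoPP classification honours the TCP flag keywords in the ACLs.

```cisco
! Added example: names, prefix and rates are constructed placeholders.

! VTY ACL (software, on the control plane): which sources may open a session
ip access-list vty-ssh-allow
  permit tcp 192.0.2.0/24 any eq 22
  deny ip any any

line vty
  ip access-class vty-ssh-allow in

! CoPP ACLs (hardware, applied before packets reach the control plane)
! Session setup: SYN towards the switch's SSH port
ip access-list copp-acl-ssh-setup
  permit tcp any any eq 22 syn
! Sessions already set up: segments with ACK or RST set
ip access-list copp-acl-ssh-established
  permit tcp any any eq 22 established

class-map type control-plane match-any copp-class-ssh-setup
  match access-group name copp-acl-ssh-setup
class-map type control-plane match-any copp-class-ssh-established
  match access-group name copp-acl-ssh-established

! Classes are evaluated in order, so the setup class comes first.
! In a real deployment, add these two classes to the control-plane
! policy that is already attached instead of attaching this one alone.
policy-map type control-plane copp-policy-ssh-example
  ! Low rate: bounds how fast new SSH connections can hit the supervisor
  class copp-class-ssh-setup
    police cir 64 kbps bc 250 ms conform transmit violate drop
  ! Higher rate: keeps existing management sessions usable under load
  class copp-class-ssh-established
    police cir 2000 kbps bc 250 ms conform transmit violate drop
```

After the classes are merged into the active policy, `show policy-map interface control-plane` shows per-class conformed and violated counters, which is the place to check whether the setup rate is dropping legitimate logins.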