[c-nsp] Sup2T interface ACL limitations

Dobbins, Roland rdobbins at arbor.net
Mon Dec 16 10:01:38 EST 2013


On Dec 10, 2013, at 12:38 AM, Rolf Hanßen <nsp at rhanssen.de> wrote:

> I am thinking about dropping some (mainly ddos) traffic on the outside network borders with ACLs.

ACLs don't work well as a DDoS reaction mechanism.  They're good for protecting your network infrastructure:

<https://app.box.com/s/osk4po8ietn1zrjjmn8b>

S/RTBH is much better as a DDoS reaction mechanism:

<https://app.box.com/s/xznjloitly2apixr5xge>

All the caveats folks have noted about ACLs hold true.  

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton



