[c-nsp] IP Options Drop

Phil Mayers p.mayers at imperial.ac.uk
Mon Apr 21 06:53:59 EDT 2014


Not sure I know what you mean by "drop on line card", but sup2t has platform rate-limiters for unicast and mcast options in a similar way to sup720. However, you can also disable those limiters and use one of the magic class-maps to match options in CPP instead.

Judicious use of an earlier sequence class in the CPP policy would then let you whitelist some sources.

Not sure if you can write an acl to match options on sup2t in tcam but my gut feeling is not. Sadly cannot test as our sole sup2t is in service and is crash-prone when manipulating CPP :o(
-- 
Sent from my phone with, please excuse brevity and typos

