[c-nsp] Securing IAD control plane / RTP not hitting CoPP?

Roland Dobbins rdobbins at arbor.net
Thu Aug 7 12:26:28 EDT 2014


On Aug 7, 2014, at 11:11 PM, randal k <cisconsp at data102.com> wrote:

> So, we have deployed a demo control-plane based policer/dropper to make sure that the WAN interface ACL doesn't have to be perfect (or even be there, which is the goal).

If these devices are all on networks under your administrative control, it's generally far better to drop undesirable packets at the edge, and far easier to get an iACL and/or tACL right and deploy on edge interfaces, than to get CoPP right.

CoPP is a Good Thing, don't get me wrong - but it should come second after iACLs and relevant tACLs, IMHO.

OTOH, if they're deployed on networks not under your control, then individual iACLs/tACLs combined with CoPP is probably the best answer.

----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

    		   	  -- Laocoön



