[c-nsp] Securing IAD control plane / RTP not hitting CoPP?
randal k
cisconsp at data102.com
Thu Aug 7 16:34:17 EDT 2014
>
> If these devices are all on networks under your administrative control,
> it's generally far better to drop undesirable packets at the edge, and far
> easier to get an iACL and/or tACL right and deploy on edge interfaces, than
> to get CoPP right.
>
I completely agree, the problem is that I have many, many of these things
-- mostly on-net, maybe 20% off-net -- and keeping up the edge iACLs, the
per-device iACL+tACLs is turning into a gargantuan time-eating task, even
with automation in place. Our goal is to be able to do location-independent
configs, such that the device templates are not ever-changing, and at the
same time trying to dodge a configuration database engine (which I've never
seen work reliably) -- for these guys, it appears CoPP is the route to
accomplish that.
Anybody have any input on the RTP-not-hitting-CoPP-ACLs question?
Thanks!
Randal