[j-nsp] M7i w/ASM for cflowd / fw

Erik Haagsman erik at we-dare.net
Wed Apr 13 10:33:47 EDT 2005


On Wed, 2005-04-13 at 15:18 +0200, Rutger Bevaart wrote:
> ok. using sampled netflow is sufficient, but this uses the fxp1 interface
> right? so it could theoretically impact my BGP neighbor sessions (~50
> sessions) that frequently use that interface. are there any limiting
> functions available to restrict the netflow sampling clogging up the RE
> interface to the PFE?

You can limit the amount of packets to the RE in your forwarding
options, not sure what the default value is, but you'll usually wear out
your RE before clogging up the fxp anyway.

> but that would then only protect that specific router. say i'd like to do
> an ACL (Cisco style) such as "access-list 100 deny ip any <aggregate of
> infra>". This would deny all traffic having a destination IP address
> belonging to any router in my network (assuming they are summarized into 1
> route). Can that be (efficiently) done without an ASM?

No prob, input and output filters are easily handled with "just" an RE,
it's just things like stateful firewalling and beefier flow tools where
the Adaptive Service Module comes into play.

Cheers,

-- 
---
Erik Haagsman
Network Architect
We Dare BV
Tel: +31(0)10-7507008
Fax: +31(0)10-7507005
http://www.we-dare.nl



