What you are saying makes sense to me. I'm just wondering if a more stringent CoPPs policy could be used in place of the VTY ACL. Understanding that the CoPPs policy already could be used to replace control plane specific access on the serial/Ether/ATM type interfaces.....
-Hammer-

"I was a normal American nerd."
-Jack Herer

On Wed, Mar 2, 2011 at 6:26 PM, Rogelio Gamino <[email protected]> wrote:

> See comments below...
>
>
> On Mar 2, 2011, at 4:35 PM, Hammer wrote:
>
> > So if you apply an ACL to the VTY that says permit ip host 10.10.10.1 host
> > 1.1.1.1 (lo0 on router) eq 22 and you have transport input telnet VTY lines
> > then the only thing you have done is forced yourself to telnet to your
> > router over port 22.
>
> I don't think the ACL changes the port the management protocol (i.e. telnet,
> ssh) listens on. I think you would use the rotary command under the VTY to
> do that.
>
> >
> > Here's my confusion. Is this redundant to CoPPs? I understand with policy
> > maps on CoPPs I have a greater degree of control but in the end, it's
> > redundant I think.
>
> My understanding of CoPP is that it is used to protect the device's CPU
> from, for example, excessive connections that terminate on the device or any
> packet that the device would have to process in CPU and not in hardware.
> CoPP not only allows you to rate limit the traffic but it also allows you to
> permit/deny the source of the traffic terminating on the device itself. This
> way you don't have to apply an access-list to every L3 interface on the
> device to protect it (which could be a pain to manage on routers with a lot
> of interfaces). CoPP is also a more efficient way to protect the device
> since it won't have to process (inspect) every packet going through it but
> only traffic terminating on it.
>
>
> HTH,
>
> Rogelio

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
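To make the two mechanisms being compared in this thread concrete, here is an added IOS configuration example; it is not from either poster. The management host 10.10.10.1, the loopback 1.1.1.1 and the policer rates are assumed values for illustration. The VTY access-class only ever sees sessions that reach a VTY line (telnet/SSH), while the control-plane service-policy sees every packet punted to the CPU (ICMP, SNMP, routing protocols, unreachable-address traffic) and can rate-limit or drop it before a TCP session is even set up. The two therefore layer rather than duplicate each other: CoPP keeps unwanted punted traffic off the CPU, the access-class is the last check on who may actually log in.

```cisco
! --- 1. Lock the VTY lines to the management host (session-level check) ---
ip access-list standard VTY-MGMT
 permit host 10.10.10.1
!
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
!
! --- 2. CoPP: classify punted traffic and police it (packet-level check) ---
! Management traffic from the trusted host to the loopback: allow, but cap it.
ip access-list extended COPP-MGMT-TRUSTED
 permit tcp host 10.10.10.1 host 1.1.1.1 eq 22
!
! Management traffic from anyone else: drop before it reaches the TCP stack.
ip access-list extended COPP-MGMT-UNTRUSTED
 permit tcp any host 1.1.1.1 eq 22
 permit tcp any host 1.1.1.1 eq 23
!
class-map match-all COPP-MGMT-TRUSTED
 match access-group name COPP-MGMT-TRUSTED
class-map match-all COPP-MGMT-UNTRUSTED
 match access-group name COPP-MGMT-UNTRUSTED
!
policy-map COPP
 class COPP-MGMT-TRUSTED
  police 64000 conform-action transmit exceed-action drop
 class COPP-MGMT-UNTRUSTED
  police 8000 conform-action drop exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

After applying it, `show policy-map control-plane` shows per-class conformed/exceeded counters, which is the quickest way to confirm that the CoPP classes are actually matching (a class that never increments usually means the ACL is matching the wrong destination address, for example a physical interface address instead of the loopback). Note that the untrusted management class above drops only SSH/telnet to 1.1.1.1; if the box also answers on its interface addresses, those need to be covered in the ACL as well, which is exactly the reason the VTY access-class is still worth keeping underneath CoPP.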
