On 03/12/10 16:30, Bill Blackford wrote:
Hello C-NSP members. I am looking for some good examples of "router-protect" ACLs or FW filters. On my "J" gear, I have several firewall filters designed to protect the control-plane that simply get applied to the loopback. Now only certain hosts/networks can make SSH, FTP, TCP179, etc., connections "to" the routers.
Which platform?
Are there some templates or examples I can find? I haven't played much with CoPP and don't hear a lot of accolades for doing this. The other obvious question would be "does this run in hardware or in software?". Hmm, doubt if the packet ASICs are processing ACLs.
Provided QoS is globally enabled with "mls qos", CoPP is done in hardware[1] on 6500/sup720, by adding QoS policy-maps into the PFC/DFC qos path.
[1] Well mostly in hardware - some types of traffic are filtered in software because of the way they're punted to CPU, but "normal" unicast IPv4 traffic is rate-limited in hardware per-PFC/DFC then the aggregates are limited again in software.
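A Catalyst 6500/sup720-style CoPP policy in the shape the reply describes (classify SSH, FTP and TCP/179 by source, police each class, apply to the control-plane interface with "mls qos" enabled), as an added example that is not from this thread or from Cisco's documentation; the management range 192.0.2.0/24, the BGP peer 198.51.100.1 and all rates are assumed values.

```cisco
! Constructed example - replace 192.0.2.0/24 and 198.51.100.1 with real sources.
! Trusted management hosts: allowed to reach SSH and FTP control on the router.
ip access-list extended COPP-MGMT-TRUSTED
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp 192.0.2.0 0.0.0.255 any eq 21
! Known BGP neighbour, both directions of the TCP/179 session.
ip access-list extended COPP-BGP
 permit tcp host 198.51.100.1 any eq 179
 permit tcp host 198.51.100.1 eq 179 any
! Everything else aimed at those services is classified so it can be dropped.
ip access-list extended COPP-MGMT-UNTRUSTED
 permit tcp any any eq 22
 permit tcp any any eq 21
 permit tcp any any eq 179
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-MGMT-TRUSTED
 match access-group name COPP-MGMT-TRUSTED
class-map match-all COPP-MGMT-UNTRUSTED
 match access-group name COPP-MGMT-UNTRUSTED
!
! Classes are evaluated top-down: trusted sources must precede the catch-all
! untrusted class, or the untrusted drop would win for them too.
policy-map COPP
 class COPP-BGP
  police 1000000 31250 conform-action transmit exceed-action drop
 class COPP-MGMT-TRUSTED
  police 256000 8000 conform-action transmit exceed-action drop
 class COPP-MGMT-UNTRUSTED
  police 32000 1000 conform-action drop exceed-action drop
 class class-default
  police 500000 15625 conform-action transmit exceed-action drop
!
! Required on 6500/sup720 for the policy to be programmed into the PFC/DFC.
mls qos
control-plane
 service-policy input COPP
```

Verify with "show policy-map control-plane" after applying: a rising drop count in COPP-MGMT-UNTRUSTED while COPP-MGMT-TRUSTED keeps conforming confirms the classification; a rising drop count in class-default means something legitimate (routing protocol, ARP, management traffic not listed) is being punted and needs its own class before the rate is tightened.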
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/