ASR1002 and a few fixed switches pretending they're routers. Mostly the ASRs.
-b

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil Mayers
Sent: Friday, December 03, 2010 9:18 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Control-Plane Filters/ACLs

On 03/12/10 16:30, Bill Blackford wrote:
> Hello C-NSP members. I am looking for some good examples of
> "router-protect" ACLs or FW filters. On my "J" gear, I have several
> firewall filters designed to protect the control-plane that simply
> get applied to the loopback. Now only certain hosts/networks can make
> SSH, FTP, TCP179, etc., connections "to" the routers.

Which platform?

>
> Are there some templates or examples I can find? I haven't played
> much with CoPP and don't hear a lot of accolades for doing this. The
> other obvious question would be "does this run in hardware or in
> software?". Hmm, doubt if the packet ASICs are processing ACLs.

Provided QoS is globally enabled with "mls qos", CoPP is done in hardware[1] on 6500/sup720, by adding QoS policy-maps into the PFC/DFC qos path.

[1] Well mostly in hardware - some types of traffic are filtered in software because of the way they're punted to CPU, but "normal" unicast IPv4 traffic is rate-limited in hardware per-PFC/DFC then the aggregates are limited again in software.

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
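
Added example, not part of the original thread or from any of its participants: a minimal IOS MQC control-plane policy of the kind asked about, limiting SSH, FTP and BGP (TCP/179) to the router to named sources. All names, addresses (RFC 5737 documentation ranges) and police rates are constructed placeholders; supported actions and minimum rates vary by platform, and on 6500/sup720 the thread notes that "mls qos" must be enabled globally.

```cisco
! Constructed example: names, addresses and rates are placeholders, not tuned values.
!
! Known BGP peer, both directions of session setup
ip access-list extended COPP-BGP
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
!
! Management stations allowed to reach SSH and FTP on the router
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit tcp 198.51.100.0 0.0.0.255 any eq ftp
!
! The same services from anyone else (evaluated after the permits above)
ip access-list extended COPP-UNWANTED
 permit tcp any any eq 22
 permit tcp any any eq ftp
 permit tcp any any eq bgp
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-UNWANTED
 match access-group name COPP-UNWANTED
!
policy-map COPP-IN
 ! Routing protocol traffic from the known peer: measured, never dropped
 class COPP-BGP
  police 1000000 conform-action transmit exceed-action transmit
 ! Management traffic from trusted sources: rate-limited
 class COPP-MGMT
  police 512000 conform-action transmit exceed-action drop
 ! Same ports from untrusted sources: dropped regardless of rate
 class COPP-UNWANTED
  police 32000 conform-action drop exceed-action drop
 ! Everything else punted to the CPU: rate-limited
 class class-default
  police 256000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-IN
```

Class order matters: the first matching class wins, so the trusted-source classes must precede COPP-UNWANTED. The counters in "show policy-map control-plane" show what each class is matching before any drop action is tightened.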