On Mar 24, 2010, at 3:46 PM, Phil Mayers wrote:

> ...which brings us back to having to fill a gigantic ACL with hundreds,
> potentially thousands of router interface IPs from potentially arbitrary
> subnets.

Um, no. It means having a rational, easily-summarizable IP addressing plan for your loopbacks and p2p interfaces, so that only a few entries are required to keep unwanted packets off them. That's all.

> As I said, the router knows these IPs, so I don't understand why it
> can't populate an object-group (in sufficiently recent IOS) allowing
> its use in either iACLs or CoPP.

This would be a good idea for a feature, but iACLs are quite doable even in its absence.

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
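
The trade-off discussed in this message, as an added example that is not part of the original thread: with a summarizable plan the iACL needs one deny entry per reserved block, while an exact per-interface list grows with the interface count and any address outside the plan is left unprotected. All prefixes and addresses are constructed samples from the documentation ranges, and the ACL lines show only the deny portion of an iACL.

```python
import ipaddress

# Constructed sample data (documentation prefixes, not from the thread).
PLAN_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]   # loopbacks, p2p links
PLANNED_IFACES = ["192.0.2.1", "192.0.2.2", "192.0.2.17",
                  "198.51.100.0", "198.51.100.1",
                  "198.51.100.8", "198.51.100.9"]
SCATTERED_IFACES = ["192.0.2.1", "198.51.100.9", "203.0.113.5",
                    "203.0.113.6", "203.0.113.77", "198.51.100.130"]


def exact_cover(iface_ips):
    """Smallest prefix list matching exactly these addresses, nothing else."""
    hosts = [ipaddress.ip_network(ip) for ip in iface_ips]
    return list(ipaddress.collapse_addresses(hosts))


def uncovered(iface_ips, blocks):
    """Interface addresses that fall outside every summary block."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [ip for ip in iface_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def deny_lines(networks):
    """IOS extended-ACL deny entries with infrastructure space as destination.

    A deployed iACL would place permits for required control traffic before
    these lines and a permit for transit traffic after them (not shown).
    """
    lines = []
    for n in (ipaddress.ip_network(str(x)) for x in networks):
        if n.prefixlen == n.max_prefixlen:
            lines.append(f" deny ip any host {n.network_address}")
        else:
            lines.append(f" deny ip any {n.network_address} {n.hostmask}")
    return lines


if __name__ == "__main__":
    print("Summarized plan:", len(deny_lines(PLAN_BLOCKS)), "entries")
    print("\n".join(deny_lines(PLAN_BLOCKS)))
    print("Exact per-interface cover:", len(exact_cover(PLANNED_IFACES)), "entries")
    print("\n".join(deny_lines(exact_cover(PLANNED_IFACES))))
    print("Outside the plan:", uncovered(SCATTERED_IFACES, PLAN_BLOCKS))
```

Running `uncovered` against the live interface inventory is a quick audit that the addressing plan is still being followed before the summarized entries are trusted.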
