On Mar 24, 2010, at 4:06 PM, Saku Ytti wrote:

>  I'd say often
> this is not feasible, which is why we have rACL and CoPP.

Of course it's feasible - *far more so* than rACL or CoPP, IMHO.  It's easier 
to accomplish and apply.

It's amazing how folks seem to grossly overestimate the effort required to 
implement this simple, direct concept.  It isn't hard to do, it requires far 
less detailed knowledge of the 'to-me' traffic one's routers encounter, and is 
generalizable across multiple platforms.

I guess people are so used to messing around with relatively dynamic policy 
ACLs that they have it fixed in their heads that any ACL is going to be complex 
and a hassle to maintain.

Not so with iACLs, given that it's going to be relatively small and also 
relatively static.

> Of course if you are running older linecards, ingress ACL may not have
> hardware, but is purely in software (E0, E1).

If one is still running these on one's edges, one has larger problems, heh.


-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken




_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
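An infrastructure ACL of the kind discussed in the thread, as an added example in Cisco IOS syntax (not from the thread or its author); the infrastructure block and peer addresses are constructed documentation ranges, and the interface name is an assumption:

```cisco
! Added example, not from the thread.  Constructed values:
!   192.0.2.0/24    provider infrastructure (loopbacks, core link nets)
!   198.51.100.4/30 edge peering link, local 198.51.100.6, eBGP peer .7
! Customer and transit address space is deliberately not matched at all.
ip access-list extended EDGE-IACL
 remark --- anti-spoofing: outside parties may not source our infra space
 deny   ip 192.0.2.0 0.0.0.255 any
 remark --- the few 'to-me' flows this edge must accept from outside
 permit tcp host 198.51.100.7 host 198.51.100.6 eq bgp
 permit tcp host 198.51.100.7 eq bgp host 198.51.100.6
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 permit icmp any 192.0.2.0 0.0.0.255 ttl-exceeded
 remark --- everything else aimed at infrastructure is dropped
 deny   ip any 192.0.2.0 0.0.0.255
 deny   ip any host 198.51.100.6
 remark --- transit traffic to customers passes untouched
 permit ip any any
!
interface GigabitEthernet0/0
 description eBGP peer link to upstream (constructed)
 ip address 198.51.100.6 255.255.255.252
 ip access-group EDGE-IACL in
```

The list only changes when the infrastructure block or the set of externally originated protocols changes, which is what keeps it small and static compared with a per-protocol CoPP policy.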