On (2010-03-24 13:18 +0000), Dobbins, Roland wrote:
> There's a 'permit IP any any' at the end of the iACL after the explicit
> denies for one's own netblocks; for something which you want pingable via
> hosting/colo customers, like a default gateway in the case you describe, just
> use QoS.
>
> Note that the default gateway will be drawn from the access netblocks, not
> the infrastructure netblocks covered by the iACL.
> There's no need to add all the hosting/colo customers to the iACLs, that I
> can see . . .
How would you stop an attack from the Internet towards the PE-side address of a hosting customer subnet? These are not aggregatable, so you can't make an iPolicer or iACL at the edge, as that would also affect the traffic towards the customer network.

  int foo
   ip address 192.0.2.1 255.255.255.0
  !

How do you protect 192.0.2.1 from being DoSed, while allowing unrestricted access to .2-.254?

My answer has always been CoPP, and as I require CoPP, adding an iACL to every customer interface seems just extra effort with no particular payback.

--
++ytti
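A CoPP policy of the kind this reply relies on, as an added example (not configuration posted in the thread); the ACL, class-map and policy-map names and the policing rates are assumed placeholders:

```cisco
! Added example, not from the thread. Cisco IOS CoPP polices traffic that is
! punted to the route processor (packets addressed to the router itself, such
! as 192.0.2.1). Transit packets to 192.0.2.2-254 are forwarded normally and are
! not subject to this policy, so customer reachability is not affected.
! Names and rates below are assumed placeholders.
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP
 class COPP-ICMP
  ! allow a modest amount of ping/traceroute to the PE address, drop the excess
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
  ! everything else destined to the control plane shares a catch-all rate
  police 512000 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

`show policy-map control-plane` reports per-class conform and exceed counters, which is the check that the PE address is being policed rather than the customer range.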
