On Mar 24, 2010, at 8:33 PM, Saku Ytti wrote: > How would you stop attack from Internet towards PE side address of hosting > customer subnet?
Either deploy a limited iACL on the IDC distribution gateway core uplinks which denies externally-originated traffic to the default gateway addresses for the access networks; or if you've an aggregation layer in your IDC, on the northbound interfaces of those boxes (use some script-fu to automate the generation of said limited iACL, in either case); or use CoPP, the policies for which have been vastly simplified due to your iACL deployment. And you've nothing to do at all for your core, as it's protected by the 'force field' iACLs deployed at all edges. ----------------------------------------------------------------------- Roland Dobbins <[email protected]> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
