On Mar 24, 2010, at 9:13 PM, Gert Doering wrote:

> I assumed that you wanted to include *all* IP addresses
> configured on routers in the iACL - and that's quite impractical.

Actually, it is practical, if you use some script-fu to generate a limited iACL for your access network default gateway addresses, and deploy that on the IDC distribution gateway core uplinks, or on the northbound interfaces of your aggregation-layer IDC boxes. It can be automated as part of your customer provisioning process.

> ... and this is why I want "properly-implemented" rACLs and/or CoPP, to
> protect those IP addresses that can't be put in iACLs.

Sure, I understand what you're saying, and it makes perfect sense; the above may be a viable workaround, in the meantime, or the *vastly simplified* CoPP policies made possible by an edge-wide iACL deployment.

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
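An added example, not part of the original message and not the poster's own tooling: a sketch of the kind of provisioning-time script the reply describes, generating a limited iACL that covers only access-network default gateway addresses. It assumes the gateway is the first usable address of each customer subnet; the ACL name, the management source prefix and the documentation-range subnets are constructed for illustration.

```python
import ipaddress

def gateway_of(net, offset=1):
    """Assumption: the default gateway is network address + 1 in each access subnet."""
    if net.prefixlen > 30:
        raise ValueError(f"subnet too small to hold a gateway: {net}")
    return net.network_address + offset

def build_iacl(subnets, mgmt_sources=(), name="IACL-ACCESS-GW"):
    """Return IOS-style extended ACL lines protecting each subnet's gateway address."""
    # strict=True rejects entries with host bits set (a common provisioning typo);
    # the set removes subnets that were exported twice.
    nets = sorted({ipaddress.IPv4Network(s, strict=True) for s in subnets})
    # After sorting, any overlap shows up between neighbours; treat it as bad
    # provisioning data instead of emitting an ACL built on it.
    for a, b in zip(nets, nets[1:]):
        if a.overlaps(b):
            raise ValueError(f"overlapping subnets in provisioning data: {a} / {b}")
    gateways = [gateway_of(n) for n in nets]

    lines = [f"ip access-list extended {name}"]
    # Permit management sources (hypothetical NOC prefix) to reach the gateways first.
    for src in (ipaddress.IPv4Network(s, strict=True) for s in mgmt_sources):
        if src.prefixlen == 32:
            src_txt = f"host {src.network_address}"
        else:
            src_txt = f"{src.network_address} {src.hostmask}"  # wildcard mask form
        lines += [f" permit ip {src_txt} host {gw}" for gw in gateways]
    # Drop everything else addressed to a gateway; transit traffic is untouched.
    lines += [f" deny ip any host {gw}" for gw in gateways]
    lines.append(" permit ip any any")
    return lines

if __name__ == "__main__":
    # Constructed sample: customer subnets as a provisioning system might export them.
    customer_subnets = ["198.51.100.0/26", "198.51.100.64/26", "198.51.100.0/26"]
    print("\n".join(build_iacl(customer_subnets, mgmt_sources=["192.0.2.0/28"])))
```

Because the list contains one entry per access gateway and not every router interface address, it can be regenerated whenever a customer subnet is provisioned or removed.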
