I've heard of a particular hosting provider that blocks traffic ingress to 
gateways, network and broadcast addresses assigned to customer 'connected' 
interfaces at their edge using scripts, etc., but this type of thing doesn't seem 
like it would scale very well. 

It seems like it may make more sense to see if there could be a command added 
to IOS that denotes these VLANs or Physical interfaces as customer interfaces 
that tells it to protect the switch from traffic hitting these ports, but then 
again nothing is ever that easy.

-Drew


-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Dobbins, Roland
Sent: Wednesday, March 24, 2010 10:16 AM
To: Cisco-nsp
Subject: Re: [c-nsp] Sup720 CoPP, limits on CPU performance


On Mar 24, 2010, at 8:33 PM, Saku Ytti wrote:

> How would you stop attack from Internet towards PE side address of hosting 
> customer subnet?

Either deploy a limited iACL on the IDC distribution gateway core uplinks which 
denies externally-originated traffic to the default gateway addresses for the 
access networks; or if you've an aggregation layer in your IDC, on the 
northbound interfaces of those boxes (use some script-fu to automate the 
generation of said limited iACL, in either case); or use CoPP, the policies for 
which have been vastly simplified due to your iACL deployment.

And you've nothing to do at all for your core, as it's protected by the 'force 
field' iACLs deployed at all edges.


-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
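The "script-fu" Roland mentions, and the gateway/network/broadcast blocking Drew describes, as an added example that is not from either poster: a small generator that turns a list of customer subnets into a limited IOS-style extended ACL denying externally-originated traffic to those addresses and permitting everything else. It assumes the gateway is the first usable host of each subnet and that the ACL name is a placeholder; the sample subnets are constructed.

```python
"""Generate a limited infrastructure ACL (iACL) protecting customer access
subnets' network, default-gateway and broadcast addresses, for application
inbound on IDC uplinks. Assumptions (not from the thread): gateway = first
usable host; /31 (RFC 3021) and /32 prefixes have no separate network or
broadcast address, so their host addresses are protected instead."""
import ipaddress


def protected_addresses(cidr: str) -> list[str]:
    """Return the addresses to deny for one IPv4 customer subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    if net.prefixlen >= 31:
        # No distinct network/broadcast on /31 or /32: protect every address.
        return [str(addr) for addr in net]
    gateway = next(net.hosts())  # assumed convention: first usable host
    return [str(net.network_address), str(gateway), str(net.broadcast_address)]


def build_iacl(subnets: list[str], name: str = "CUSTOMER-GW-PROTECT") -> list[str]:
    """Emit IOS-style ACL lines: deny to protected addresses, permit the rest."""
    lines = [f"ip access-list extended {name}"]
    seen: set[str] = set()
    for cidr in subnets:
        lines.append(f" remark protect {cidr}")
        for addr in protected_addresses(cidr):
            if addr in seen:  # overlapping subnet lists must not duplicate entries
                continue
            seen.add(addr)
            lines.append(f" deny ip any host {addr}")
    lines.append(" permit ip any any")  # limited iACL: only the gateways are shielded
    return lines


if __name__ == "__main__":
    # Constructed sample customer subnets (documentation prefixes).
    SAMPLE = ["192.0.2.0/24", "198.51.100.8/30", "203.0.113.4/31"]
    print("\n".join(build_iacl(SAMPLE)))
```

Apply the resulting ACL inbound on the northbound/uplink interfaces only; on a /30 the 'gateway' entry is the PE-side address Saku asked about.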




_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
