On Wed, 2010-12-15 at 19:56 +1000, Edward avanti wrote:
> I understood that ACL on int's were transiting traffic and ACL on line was
> to the router?

Unfortunately not; the interface ACL is applied before the router finds out if the packet is destined for itself or not, so you need the interface ACL to permit the same traffic that you permit in your line ACLs, SNMP ACLs et cetera.

All the control-plane ACLs are handled in process switching, so you have no benefit from hardware-enforced ACLs or interrupt-based CEF drops*. Limiting as much as possible in your interface ACL helps the router to better survive DoS attempts.

*) Cat6500 has CoPP to help. Other platforms might have similar tools.

--
Peter

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
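As an added illustration (not part of Peter's message and not taken from Cisco documentation), the IOS configuration below shows the layering he describes: the interface ACL must already permit the management traffic that the vty and SNMP ACLs filter later, and on a CoPP-capable platform a control-plane policy rate-limits what reaches the CPU. The addresses (192.0.2.0/24 as the management network, 203.0.113.10 as the router's own interface address) and the community string are constructed placeholders.

```cisco
! Management sources allowed to reach the router itself (constructed placeholder)
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255

! Layer 1: interface ACL. It is evaluated before IOS knows whether the packet is
! for the router, so SSH and SNMP to the router's own address must be permitted here.
ip access-list extended EDGE-IN
 remark --- traffic destined for the router itself ---
 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.10 eq 22
 permit udp 192.0.2.0 0.0.0.255 host 203.0.113.10 eq snmp
 remark add routing-protocol and ICMP entries here before the deny
 deny   ip any host 203.0.113.10
 remark --- transit traffic (tighten per your policy) ---
 permit ip any any

interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip access-group EDGE-IN in

! Layer 2: line and SNMP ACLs, only reached by packets EDGE-IN already let through
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
snmp-server community PLACEHOLDER-RO RO MGMT-HOSTS

! Layer 3 (Cat6500 and other CoPP-capable platforms): police what the CPU sees,
! so the process-switched path survives a flood that the interface ACL lets in.
ip access-list extended COPP-MGMT-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT-ACL
policy-map COPP
 class COPP-MGMT
  police 256000 8000 conform-action transmit exceed-action drop
 class class-default
  police 64000 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP
```

Verify the interface ACL with `show ip access-lists EDGE-IN` after a management session: the deny counter for the router's own address rising while SSH still works confirms the ordering Peter describes.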
