[45115] in North American Network Operators' Group
Re: Growing DoS attacks
daemon@ATHENA.MIT.EDU (Joe Abley)
Thu Jan 17 09:37:05 2002
Date: Thu, 17 Jan 2002 09:36:33 -0500
From: Joe Abley <jabley@automagic.org>
To: Vincent Gillet <vgi@zoreil.com>
Cc: nanog@merit.edu
Message-ID: <20020117093632.X5577@buffoon.automagic.org>
In-Reply-To: <20020117143221.GE10536@opentransit.net>

On Thu, Jan 17, 2002 at 03:32:21PM +0100, Vincent Gillet wrote:
> jabley@automagic.org said:
>
> > > rate-limit and/or traffic filtering may be available on some
> > > boxes (GSR) but cannot run concurrently with other features (NetFlow).
> >
> > I seem to have just found out that ACLs and sampled NetFlow can
> > both be configured concurrently on routers running IOS >= 12.0(18)S.
>
> All can be configured concurrently .... but you have a message
> from the line card that Netflowx has been stopped because another feature
> is activated.

Right. That is the behaviour that I have been led to believe
no longer happens past 12.0(18)S; supposedly, on 12.0(18)S and
greater, ACL and SNF can both be configured concurrently such
that both features work concurrently.

If you know different, I would love to hear about it :)

> Below is feedback I received from Cisco:
>
> 1. There are no incompatibilities on E0,1,3,4 but some features are not
> available on some E
> 2. For E2 in 17S, here are the priorities:
> ACLs
> SNF
> PIRC
> IP Coloring
> BGP Policy accounting
> FR Traffic policing which is not FR traffic shaping
>
> Besides, output ACLs are done at ingress (before forwarding),
> thus output ACLs activate input filtering on all LC ...

That gels nicely with what I have been told; an input ACL on
an interface disables SNF on that interface, while an output ACL
on any interface disables SNF on the entire router.

Joe
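
The interaction summarised in the last paragraph of this message can be checked against a router configuration before an ACL is pushed during a DoS response. The following is an added example, not part of the thread and not Cisco's code: it applies the rule exactly as stated above (input ACL disables SNF on that interface, output ACL anywhere disables SNF on the whole router), which the thread describes as the behaviour before 12.0(18)S. The sample configuration, interface names and ACL numbers are constructed, and it assumes ACLs are applied with `ip access-group` and sampled NetFlow is enabled with `ip route-cache flow sampled`.

```python
import re

# Constructed sample config (not from the thread); names and ACL numbers are made up.
SAMPLE_CONFIG = """\
interface POS1/0
 ip access-group 101 in
 ip route-cache flow sampled
!
interface POS2/0
 ip route-cache flow sampled
!
interface POS3/0
 ip access-group 120 out
!
"""

def parse_interfaces(config):
    """Return {interface: {"acl_in": bool, "acl_out": bool, "snf": bool}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(
                m.group(1), {"acl_in": False, "acl_out": False, "snf": False})
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current is not None:
            # Lines beginning " no ..." do not match, so negated commands are ignored.
            acl = re.match(r"\s+ip access-group\s+\S+\s+(in|out)\b", line)
            if acl:
                current["acl_" + acl.group(1)] = True
            elif re.match(r"\s+ip route-cache flow sampled\b", line):
                current["snf"] = True
    return interfaces

def snf_conflicts(config):
    """Apply the rule as stated in the thread; return {interface: reason SNF is lost}."""
    ifaces = parse_interfaces(config)
    out_acl_on = sorted(n for n, f in ifaces.items() if f["acl_out"])
    conflicts = {}
    for name, f in ifaces.items():
        if not f["snf"]:
            continue
        if out_acl_on:  # an output ACL anywhere affects every SNF interface
            conflicts[name] = "output ACL on " + ", ".join(out_acl_on)
        elif f["acl_in"]:
            conflicts[name] = "input ACL on same interface"
    return conflicts

if __name__ == "__main__":
    for name, reason in snf_conflicts(SAMPLE_CONFIG).items():
        print(f"{name}: sampled NetFlow disabled ({reason})")
```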