On Tue, 10 Dec 2019 at 19:08, Aaron Gould <aaron1 at gvtc.com> wrote: > - policers of well-known *good* ports/protocols (like ntp, dns, etc) to some realistic level You might want to downpref these to a scavanger class, instead of police. Since ultimately policing makes it just easier to ddos the service, which is actually needed. -- ++ytti