[c-nsp] Dual purpose of a rate-limit access-group or a route-map
Amol Sapkal
amolsapkal at gmail.com
Thu Oct 7 16:53:02 EDT 2004
Guys,

I dunno if this qualifies for bad design, but today morning, when I
had a DoS attack from one of my client machines I did this:

The client was rate-limited via an access-group on one of my FE
subinterfaces. I added a deny statement at the top of this
access-group.

Though the deny stmt did show me matches, I am not sure if it
actually executed the deny, as it was not applied as an access-list on
the interface.

Now I am wondering, if this is a good way of blocking traffic and also
implementing CAR or source based policy routing.

Like, I can even have a route-map, which can do things like setting
next hops for a particular access-list but at the same time block
traffic since I can put a deny statement in the access-list.

Will the above 2 scenarios help in denying traffic or am I
misunderstanding the way access-list works for a CAR/ route-map?

--
Warm Regds,
Amol Sapkal
--------------------------------------------------------------------
An eye for an eye makes the whole world blind
- Mahatma Gandhi
--------------------------------------------------------------------
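
The setup the post describes, as an added example that is not part of the original message; the subinterface, VLAN, ACL numbers, route-map name, rates and documentation-range addresses are all assumed. On IOS, a deny entry in an ACL referenced by rate-limit or by a route-map match only excludes that traffic from the rate-limit line or route-map clause (the ACL hit counter still increments); packets are dropped only by an ACL applied with ip access-group.

```cisco
! Constructed example: 192.0.2.10 stands in for the attacking client.
!
! ACL 101 is the classifier from the post, with the deny added on top.
! Used by CAR and PBR below, "deny" here means "do not classify".
access-list 101 deny   ip host 192.0.2.10 any
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
!
! ACL 110 is a separate packet filter. Applied with ip access-group,
! its deny entry is what actually drops the attacker's packets.
access-list 110 deny   ip host 192.0.2.10 any
access-list 110 permit ip any any
!
route-map CLIENT-PBR permit 10
 ! A packet denied by ACL 101 does not match this clause, so it is
 ! not policy-routed and is forwarded by the normal routing table.
 match ip address 101
 set ip next-hop 198.51.100.1
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ! CAR: a packet denied by ACL 101 skips this rate-limit line. With no
 ! other rate-limit line matching, it is transmitted without policing.
 rate-limit input access-group 101 2000000 375000 750000 conform-action transmit exceed-action drop
 ip policy route-map CLIENT-PBR
 ! The only statement on this interface that blocks 192.0.2.10.
 ip access-group 110 in
```

The counters from show access-lists 101 confirm classification only; show interfaces FastEthernet0/0.10 rate-limit shows what CAR actually conformed or dropped.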