[c-nsp] Update: DOS Mitigation on MPLS Networks

Bruce Pinsky bep at whack.org
Wed Apr 13 17:53:49 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gert Doering wrote:
| Hi,
|
| On Wed, Apr 13, 2005 at 10:44:52AM -0700, Bruce Pinsky wrote:
|
|>| #CONFIG ON PE NEAREST VICTIM (CONFIGURED WHEN NEEDED)
|>|
|>| !! If your victim is on 5.6.7.8..
|>| ip prefix-list poison permit 5.6.7.8/32
|>| ip route 5.6.7.8 255.255.255.255 1.2.3.4
|>| !
|>
|>Am I missing something or is setting the static route to 1.2.3.4 not
|>required since you are setting the next-hop to that via the route-map?  It
|>seems redundant to me.
|
|
| You need to get the route into BGP some way, initially :-) - and
| "redist static" (with prefix-list) is one of the easier ways.
|

Ah, sorry, I'm thinking that the shorter mask prefix is already in BGP and
you merely need to change the next hop.  Or that you are taking a BGP feed
from another source for your blackhole prefixes/hosts and again you merely
need to change the next hop.

So, yes, I see your point if the host route is not present and you wish to
blackhole it.

| I'd rather not do it with a prefix-list, because that means you need
| to adapt the prefix list *and* the static route every time.  Using
| route tags
|
|    ip route 5.6.7.8 255.255.255.255 1.2.3.4 tag 1234
|
| and then matching in a redistribute route-map on the tag is "just one
| step".
|

Yeah, blech.

- --
=========
bep

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCXZTtE1XcgMgrtyYRAptQAJ9z87PnR5+mNj9CCQWc1+H6M2gxCQCeOkj/
5yIrb7g+iWNxxreiEC8AAR0=
=hE++
-----END PGP SIGNATURE-----
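For readers following the thread, here is the tag-based variant Gert describes, written out end to end as an added example (it is not configuration from the original posts). It assumes the same addresses the thread uses (discard next hop 1.2.3.4, victim 5.6.7.8, tag 1234); the AS number 65000, the route-map name BLACKHOLE-STATIC, the neighbor address 10.0.0.2 and the use of the no-export community are assumptions for illustration.

```cisco
!! ---- Permanent config on EVERY PE (deployed once) ----
!
!! The blackhole next hop 1.2.3.4 is routed to Null0 everywhere, so any
!! prefix whose BGP next hop resolves to it is discarded at the ingress PE.
ip route 1.2.3.4 255.255.255.255 Null0
!
!! Only statics carrying tag 1234 are allowed into BGP. The static's own
!! next hop (1.2.3.4) becomes the BGP next hop, so no set ip next-hop is
!! needed here; no-export keeps the /32 inside the AS.
route-map BLACKHOLE-STATIC permit 10
 match tag 1234
 set community no-export additive
 set local-preference 200
!
!! Explicit deny so untagged statics never leak into BGP by accident.
route-map BLACKHOLE-STATIC deny 20
!
router bgp 65000
 redistribute static route-map BLACKHOLE-STATIC
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
!
!! ---- Per-incident config on the PE nearest the victim (when needed) ----
!
!! One line to add, one line to remove afterwards; no prefix-list to edit.
ip route 5.6.7.8 255.255.255.255 1.2.3.4 tag 1234
!
!! Verification after adding the route (assumed operator commands):
!!   show ip bgp 5.6.7.8/32          -> next hop 1.2.3.4, community no-export
!!   show ip route 5.6.7.8           -> static, tag 1234
!!   show ip cef 5.6.7.8             -> drop (resolves via Null0)
```

Because the discard route and the route-map are deployed in advance, the only per-incident change is the single tagged static; removing it withdraws the /32 from BGP on the next update, which is the "just one step" property the thread is after.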
