[c-nsp] Is there anyway to adjust the administrative distance for 'connected'?

Nathan have.an.email at gmail.com
Mon Feb 18 06:51:00 EST 2008


On Feb 15, 2008 2:27 AM, Drew Weaver <drew.weaver at thenap.com> wrote:
> I'm trying to make it impossible for hosts who are 'blackholed' to even send traffic to their 'default gateway' or to hosts who are connected to the same 'distribution' switch that the blackholed host is connected to. The Blackhole routes have an administrative distance of 1 currently and as we all know normally 'connected networks' have an AD of 0.

Maybe I'm not understanding your problem, but don't the blackhole
routes only prevent traffic from coming back to the blackholed host?
I don't understand how setting a route for an IP prevents the host
from sending traffic, unless you have automatic anti-spoofing (ip
verify . . .)

If I had a machine connected to one of my switches that I wanted to
stop from sending traffic even to their default gateway, I'd shut down
the port :-) Maybe blackholing is easier/safer to do from a network
monitoring script, of course.

HTH,
-- 
Nathan
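As an added illustration of the point in the reply above (not part of the original thread), here is an IOS-style configuration that blackholes one host's return traffic with a Null0 static route and uses strict uRPF on the switch-facing interface so that packets the host sources are dropped on ingress as well. The interface name and all addresses are constructed placeholders; `ip verify unicast source reachable-via rx` is the standard IOS strict-mode uRPF command.

```cisco
! Constructed example: 192.0.2.0/24 is the subnet behind the distribution
! switch and 192.0.2.50 is the host being blackholed (placeholder addresses).
!
! Destination side: a /32 static route to Null0. It beats the connected /24
! by longest-prefix match, not by administrative distance, so the connected
! route's AD of 0 never comes into play. Traffic *to* the host is dropped.
ip route 192.0.2.50 255.255.255.255 Null0
!
! Source side: strict uRPF on the interface facing the switch. A packet's
! source address must be reachable via the interface it arrived on. A packet
! sourced from 192.0.2.50 resolves to Null0 instead, fails the check and is
! dropped on ingress, so the host cannot send through this router, not even
! to its default gateway. Frames switched host-to-host at layer 2 never reach
! the router and are unaffected (hence the "shut the port" suggestion above).
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Verification from exec mode:
!   show ip route 192.0.2.50                 -> should show Null0
!   show ip interface Vlan100 | include verify
!   show ip traffic | include RPF            -> uRPF drop counter
```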

