[c-nsp] Surviving denial of service from certain IPs
Peter Rathlev
peter at rathlev.dk
Fri Jul 25 10:18:52 EDT 2008
Hi Mario,
On Fri, 2008-07-25 at 16:32 +0300, Mario Spinthiras wrote:
> set interface does not work.
How does it not work? Will it not accept the command, or does it not
give you what you expect? And what platform/IOS is it?
> As far as the ACL statements, it seems as if the route-map treats
> the ACL differently. deny any any works fine despite the sequential
> nature of the ACL matching process.
Hm... I find that strange. But maybe IOS is strange sometimes. :-)
Arie's solution with uRPF is probably the best, and it's really quite
simple. You configure an interface with "ip verify unicast source
reachable-via any" and then use Null0-routes for unwanted traffic. That
way packets sourced from or destined to that prefix are thrown away.
Regards,
Peter
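The drop behaviour described in the message above, as a simplified model. This is an added example, not part of the original post and not IOS's actual forwarding code. The prefixes, interface names and function names are constructed for illustration.

```python
import ipaddress

NULL0 = "Null0"  # discard interface, as in a static route pointing to Null0

# Constructed sample FIB (documentation prefixes, hypothetical interfaces).
SAMPLE_ROUTES = [
    ("203.0.113.0/24", "Gi0/0"),   # outside network
    ("198.51.100.0/24", "Gi0/1"),  # protected servers
    ("203.0.113.64/26", NULL0),    # unwanted prefix, routed to Null0
]

def lookup(routes, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def forward(routes, src, dst, urpf_loose=True):
    """Decide what happens to one packet arriving on an interface."""
    if urpf_loose:
        # Loose check ("reachable-via any"): the source must resolve to
        # some real interface. A Null0 or missing route fails the check.
        if lookup(routes, src) in (None, NULL0):
            return "drop: uRPF source check"
    out = lookup(routes, dst)
    if out is None:
        return "drop: no route"
    if out == NULL0:
        return "drop: Null0 route"
    return "forward via " + out

if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "198.51.100.5", True),   # ordinary outside host
        ("203.0.113.70", "198.51.100.5", True),   # sourced from the prefix
        ("198.51.100.5", "203.0.113.70", True),   # destined to the prefix
        ("203.0.113.70", "198.51.100.5", False),  # Null0 route, no uRPF
    ]
    for src, dst, urpf in cases:
        print(src, "->", dst, "uRPF" if urpf else "no uRPF", ":",
              forward(SAMPLE_ROUTES, src, dst, urpf))
```

The last case shows why the interface check matters in this model: with only the Null0 route, traffic to the prefix is discarded but traffic sourced from it is still forwarded.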