[c-nsp] ACL to block udp/0?
Saunders, D'Wayne
DWayne.Saunders at team.telstra.com
Tue Dec 5 16:31:42 EST 2023
Howdy, on my phone so no detail, but the flow being reported will be due to fragments and not necessarily port 0.
The link below has details on how to block fragments:
<https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html>
D’Wayne Saunders
On 6 Dec 2023, at 08:27, Hank Nussbacher via cisco-nsp <cisco-nsp at puck.nether.net> wrote:
We encountered something strange. We run IOS-XR 7.5.2 on ASR9K platform.
Had a user under a udp/0 attack. Tried to block it via a standard ACL:
ipv4 access-list block-zero
20 deny udp any any eq 0
30 deny tcp any any eq 0
40 permit ipv4 any any
Applied to interface:
ipv4 access-group block-zero ingress
ipv4 access-group block-zero egress
Yet, based on Kentik, we had no effect and the udp/0 attack just
continued - as if the Cisco ACL were totally ignored. Or am I missing
something in the ACL listed above?
Thanks,
Hank
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
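Added example (not part of the thread and not Cisco's code): a small Python model of the fragment-handling rules described in the Cisco "Access Control Lists and IP Fragments" document linked above, run against the ACL from the original post. It shows why a flow exporter records udp/0 for non-initial fragments (there is no L4 header to read, so the port field is 0) and why an ACE such as "deny udp any any eq 0" never matches them: per that document, an ACE with L4 information cannot check ports on a non-initial fragment, a permit takes effect on the L3 match and a deny falls through to the next entry, which here is the final permit. The ACE syntax is simplified to "<seq> <permit|deny> <proto> any any [eq <port>] [fragments]", the packets are constructed, and the "fragments" ACE added in FRAG_ACL is the remedy the linked document describes; confirm the exact behaviour on the platform in use, since this is a model, not the IOS-XR forwarding path.

```python
# Constructed model of the fragment-handling rules in the Cisco
# "Access Control Lists and IP Fragments" document. Not Cisco's code.
# Assumptions: simplified ACE syntax "<seq> <permit|deny> <proto> any any
# [eq <port>] [fragments]"; packets are hand-built, not captured.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "udp", "tcp", ...
    frag_offset: int      # 0 for an unfragmented packet or the initial fragment
    dport: Optional[int]  # None when the packet carries no L4 header

    @property
    def non_initial(self) -> bool:
        # A non-initial fragment has a non-zero offset and no L4 header.
        return self.frag_offset > 0


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    dport: Optional[int]
    fragments: bool


def parse_ace(line: str) -> Ace:
    """Parse one ACE line written in the simplified syntax above."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    dport = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
    return Ace(seq, action, proto, dport, "fragments" in tok)


def flow_dst_port(pkt: Packet) -> int:
    """What a NetFlow/IPFIX-style exporter records: 0 when no L4 header is present."""
    return pkt.dport if pkt.dport is not None else 0


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq) for pkt; ("deny", None) is the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace.proto not in ("ipv4", pkt.proto):
            continue                      # L3 protocol does not match
        if ace.fragments:
            if pkt.non_initial:           # 'fragments' matches only non-initial fragments
                return ace.action, ace.seq
            continue
        if ace.dport is None:             # L3-only ACE applies to every packet
            return ace.action, ace.seq
        if pkt.non_initial:
            # L3+L4 ACE against a non-initial fragment: only L3 can be checked.
            # Per the Cisco document, a permit takes effect; a deny falls through.
            if ace.action == "permit":
                return ace.action, ace.seq
            continue
        if pkt.dport == ace.dport:        # whole packet or initial fragment: L4 checked
            return ace.action, ace.seq
    return "deny", None


# The ACL from the original post.
HANK_ACL = [
    "20 deny udp any any eq 0",
    "30 deny tcp any any eq 0",
    "40 permit ipv4 any any",
]

# Same ACL with a 'fragments' ACE in front, as the linked document describes.
FRAG_ACL = ["10 deny udp any any fragments"] + HANK_ACL

# Constructed packets: a non-initial UDP fragment (what udp/0 flow records
# usually are), a genuine UDP destination-port-0 packet, and an initial
# fragment of a DNS reply that must keep flowing.
NON_INITIAL_FRAG = Packet(proto="udp", frag_offset=185, dport=None)
REAL_UDP_ZERO = Packet(proto="udp", frag_offset=0, dport=0)
INITIAL_DNS_FRAG = Packet(proto="udp", frag_offset=0, dport=53)

if __name__ == "__main__":
    for name, acl in (("original ACL", HANK_ACL), ("with fragments ACE", FRAG_ACL)):
        for pkt in (NON_INITIAL_FRAG, REAL_UDP_ZERO, INITIAL_DNS_FRAG):
            print(f"{name:20} flow shows udp/{flow_dst_port(pkt):<3} -> {evaluate(acl, pkt)}")
```

Run stand-alone, the original ACL permits the non-initial fragment at sequence 40 while the flow record for the same packet shows udp/0, which is the mismatch described in the thread; the ACL with the fragments ACE denies it at sequence 10 and still passes the initial DNS fragment. Blocking all non-initial fragments also drops legitimate fragmented traffic (large DNS/EDNS replies, some VPN and NFS traffic), so scope the fragments ACE to the attacked prefix rather than to "any any" where possible.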