[cisco-bba] ACLs on Virtual-Access templates

Frank Bulk frnkblk at iname.com
Tue Feb 3 02:38:00 EST 2009

Yes, that did the trick, thanks.  Listing the ATM port and vp/vc wouldn't
hurt, either, though. =)

I'm not interested in monitoring uRPF hits via SNMP at this time, though --
I'm looking to get the specificity of uRPF to block spoofed source traffic
and leave my inbound ACL on the Virtual-Template for blocking RFC1918 traffic,
but as I posted just a few minutes ago, that ACL doesn't seem to be working.


-----Original Message-----
From: cisco-bba-bounces at puck.nether.net
[mailto:cisco-bba-bounces at puck.nether.net] On Behalf Of Euan Galloway
Sent: Sunday, February 01, 2009 10:24 AM
To: cisco-bba at puck.nether.net
Subject: Re: [cisco-bba] ACLs on Virtual-Access templates

On Sat, Jan 31, 2009 at 10:58:49PM -0600, Frank Bulk wrote:
> Just to add to that, is there a way that the Virtual-interface that's
> the spoofing can be identified?  The log entries for the ACL hits don't
> anything but the spoofed IP, but I don't know which connection is doing

log-input instead of log on the deny line of access-list 125 which matches
the spoofed traffic?

For uRPF hits you already included the show int output which includes the
counter which increments on each drop.
Not checked how easily monitorable those are, but...
implies that at least some of the RPF information is exposed via SNMP in
recentish code. (I wonder if those appear if you use no virtual-template
for scalability).

Euan Galloway
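Putting the two replies together, as an added example that is not part of the thread: an IOS configuration that uses log-input (rather than log) on the deny lines of access-list 125 so the syslog entry names the ingress Virtual-Access interface, with strict uRPF on the Virtual-Template for the spoofed-source case. The interface names, addresses and sample log lines are constructed for illustration.

```text
! access-list 125: deny RFC1918 sources inbound from subscribers.
! log-input adds the input interface to the log message, so the
! Virtual-Access interface (and therefore the session) sending the
! spoofed packets can be identified; plain "log" records only the IPs.
access-list 125 deny   ip 10.0.0.0    0.255.255.255 any log-input
access-list 125 deny   ip 172.16.0.0  0.15.255.255  any log-input
access-list 125 deny   ip 192.168.0.0 0.0.255.255   any log-input
access-list 125 permit ip any any
!
interface Virtual-Template1
 ip unnumbered Loopback0            ! assumed addressing
 ip access-group 125 in
 ! strict uRPF: drop packets whose source is not routed back out this
 ! interface; drops are counted in "show ip interface" (verification drops)
 ip verify unicast source reachable-via rx
!
! Constructed syslog lines showing the difference (not from the thread).
! With "log" (no interface in the message):
!   %SEC-6-IPACCESSLOGP: list 125 denied tcp 10.1.2.3(1234) -> 203.0.113.5(80), 1 packet
! With "log-input" (ingress interface included):
!   %SEC-6-IPACCESSLOGP: list 125 denied tcp 10.1.2.3(1234) (Virtual-Access7 ) -> 203.0.113.5(80), 1 packet
!
! Checks:
!   show access-lists 125                              ! ACL hit counters
!   show ip interface Virtual-Access7 | include verif  ! uRPF drop counter
! Caveat (IOS behaviour, not stated in the thread): Virtual-Access
! interfaces are cloned from the template when the session comes up, so
! an ACL or uRPF change on the template applies only to new sessions
! until existing ones reconnect.
```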