[nsp] what does cisco NAT do with errant packets?
Gert Doering
gert at greenie.muc.de
Wed Jan 22 21:38:12 EST 2003
Hi,
On Wed, Jan 22, 2003 at 11:04:41AM -0800, Mark Kent wrote:
> >> Of course we all do "ip verify unicast reverse" and will drop the packet
> >> as soon as it bounces back, no? :-)
>
> The answer is No, I filter instead... and this is why: I have a
> customer that has a bunch of dynamic dialups and his gateway cisco
> learns the assigned /32 via ospf. Unfortunately, he doesn't have his
> net tied down at the edge so when x.y.z.w/32 disappears from his net,
> and packets are still coming in from the Internet for x.y.z.w/32 then
> his gateway cisco stuffs them back on the T1 going to me and the
> vicious circle begins.
Hmmm.
> Specifically, I observed that
> "ip verify unicast reverse"
> does _not_ drop these packets even though they have a
> source _not_ from the far side of the T1.
> (the source is the globalIP and the destination is on his net)
Sounds like a bug and/or CEF not being enabled on that interface.
For me, this specific setup works just fine - the packets are thrown
away and everything is well.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de
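As an added illustration, not taken from the thread, here are the two configuration pieces the reply hinges on: CEF plus strict uRPF on the provider side of the T1, and a Null0 hold-down on the customer's gateway so a dialup /32 that drops out of OSPF no longer falls through to the default route and back over the T1. Addresses (192.0.2.0/24 standing in for x.y.z.0/24) and interface names are constructed.

```cisco
! --- Provider router, interface facing the customer's T1 (constructed) ---
! uRPF is implemented in the CEF forwarding path; without "ip cef" the
! "ip verify unicast ..." line is accepted but does not drop anything.
ip cef
!
interface Serial0/0
 description T1 to customer (constructed)
 ip address 203.0.113.1 255.255.255.252
 ! Strict uRPF: a packet is forwarded only if the best route back to its
 ! source address points out this same interface. A packet bounced back
 ! by the customer with an Internet source fails that check and is dropped.
 ip verify unicast reverse-path
!
! Static route for the customer's aggregate; this is what keeps the
! provider sending x.y.z.w/32 traffic down the T1 in the first place.
ip route 192.0.2.0 255.255.255.0 203.0.113.2

! --- Customer gateway router (constructed) ---
! Weak setting: only a default route toward the provider. When a dialup
! /32 leaves OSPF, packets for it match the default and go back out the
! T1, where the provider's /24 route sends them straight back: the loop.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Corrected: "tie the net down at the edge". Longest-match still prefers
! the OSPF-learned /32 of an active dialup; when that /32 is withdrawn,
! the packet now matches the Null0 aggregate and is discarded locally
! instead of being handed back to the provider.
ip route 192.0.2.0 255.255.255.0 Null0
```

Verify on the provider side with "show cef interface Serial0/0" (look for "IP unicast RPF check is enabled") and "show ip interface Serial0/0", which reports the uRPF drop counters.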