[nsp] Filter based forwarding

micky micky at apol.com.tw
Tue Nov 4 20:57:24 EST 2003


Dear james

How do I verify this filter is working?
I used ping carrying different byte counts in Windows; it still
worked and wasn't dropped by this filter.
And I also found traceroute was dropped.


It's strange!!


Regards,
Micky

----- Original Message ----- 
From: "james" <hackerwacker at cybermesa.com>
To: "Blaz Zupan" <blaz at inlimbo.org>; <cisco-nsp at puck.nether.net>
Sent: Wednesday, November 05, 2003 4:14 AM
Subject: Re: [nsp] Filter based forwarding


> Policy based routing allows one to match whatever you
> can with an extended ACL and apply a policy to it:
>
> !
> route-map nachi-worm permit 10
>  match ip address 191
>  match length 92 92
>  set ip next-hop 192.168.1.1 (192.168.1.1 goes to null on my nets, you
>  could just set this statement to the null interface itself)
> !
> access-list 191 remark Nachi-worm ethernet
> access-list 191 permit icmp any any echo
> access-list 191 permit icmp any any echo-reply
> !
> CMCS_gwy#config t
> Enter configuration commands, one per line.  End with CNTL/Z.
> CMCS_gwy(config)#interface FastEthernet0/0
> CMCS_gwy(config-if)#ip policy route-map nachi-worm
>
> Beware of doing the above (dropping 92 byte pings) on some 75xx series,
> as it also drops 92 byte TCP. Nasty week of debugging this, till I
> discovered one of our providers was doing this. I tested on 7206's and we
> saw no problems and used this policy for a while on my network (on 7200's)
> with no problems.
>
> James Edwards
> Routing and Security Administrator
> jamesh at cybermesa.com
> At the Santa Fe Office: Internet at Cyber Mesa
> Store hours: 9-6 Monday through Friday
> 505-988-9200 SIP:1(747)669-1965
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
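Micky's test can be reasoned about without touching the router: the route-map only diverts packets whose Layer 3 length is exactly 92 bytes, so a ping hits it only when the ICMP payload is exactly 64 bytes (20-byte IPv4 header + 8-byte ICMP header + 64), which is the size Nachi/Welchia used. The Python below is an added example for this thread, not code from either post. It models the quoted ACL 191 plus `match length 92 92`, assuming (as Cisco documents for `match length`) that the comparison is against the IPv4 total length, and that `ping -l N` on Windows and `ping -s N` on Linux both set the ICMP data length to N. Addresses, identifiers and the TCP probe are constructed for the demonstration.

```python
"""Which ping sizes does 'match length 92 92' actually catch?

Added example for this thread, not code from the original posts. It models the
quoted route-map: ACL 191 permits ICMP echo/echo-reply, and `match length` is
assumed to compare the IPv4 total length (IP header + ICMP header + payload).
The source/destination addresses and identifiers below are constructed.
"""
import struct

IP_HEADER_LEN = 20      # IPv4 header without options
ICMP_HEADER_LEN = 8     # type, code, checksum, identifier, sequence
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
PROTO_ICMP = 1
PROTO_TCP = 6
NACHI_PAYLOAD_LEN = 64  # Nachi/Welchia echo requests carried 64 bytes of 0xAA


def inet_checksum(data: bytes) -> int:
    """Standard ones'-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(proto: int, payload: bytes,
               src: bytes = bytes([10, 0, 0, 1]),
               dst: bytes = bytes([10, 0, 0, 2])) -> bytes:
    """IPv4 packet with a minimal 20-byte header (constructed addresses)."""
    total_length = IP_HEADER_LEN + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length,
                         0x1234, 0, 64, proto, 0, src, dst)
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + payload


def build_icmp_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """ICMP echo request/reply inside IPv4, the shape `ping` produces."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x0001, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(PROTO_ICMP, icmp)


def ip_total_length(ping_payload_len: int) -> int:
    """IPv4 total length that `ping -l N` (Windows) or `ping -s N` (Linux) emits."""
    return IP_HEADER_LEN + ICMP_HEADER_LEN + ping_payload_len


def route_map_matches(packet: bytes, min_len: int = 92, max_len: int = 92) -> bool:
    """Emulate `match ip address 191` followed by `match length min max`."""
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != PROTO_ICMP:             # ACL 191 only permits ICMP ...
        return False
    if packet[ihl] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return False                         # ... and only echo / echo-reply
    return min_len <= total_length <= max_len


def matching_ping_sizes(min_len: int = 92, max_len: int = 92) -> list:
    """Payload sizes (the -l / -s argument) whose pings the policy would divert.

    1472 is the largest payload that fits a 1500-byte MTU without fragmenting.
    """
    return [n for n in range(0, 1473) if min_len <= ip_total_length(n) <= max_len]


if __name__ == "__main__":
    # 32 = Windows ping default, 56 = Linux ping default, 64 = Nachi's size
    for size in (32, 56, NACHI_PAYLOAD_LEN):
        pkt = build_icmp_echo(b"\xaa" * size)
        print(f"payload {size:3d} -> IP length {len(pkt):3d}, "
              f"diverted={route_map_matches(pkt)}")
    print("only these -l/-s values hit the rule:", matching_ping_sizes())
    # A 92-byte TCP segment is NOT matched by this configuration as written;
    # the 75xx behaviour James describes is a platform deviation from it.
    tcp = build_ipv4(PROTO_TCP, b"\x00" * 72)
    print("92-byte TCP diverted:", route_map_matches(tcp))
```

Run against the quoted policy, `matching_ping_sizes()` returns `[64]`: a Windows `ping -l 64` (or Linux `ping -s 64`) is the one size that should be diverted, while the default 32- and 56-byte payloads pass untouched, which is consistent with pings "still working" when the size was not exactly 64. The traceroute observation is consistent with the same arithmetic if the tracing tool emits 64-byte ICMP echo payloads; that is an assumption to confirm with a packet capture on the interface carrying `ip policy route-map nachi-worm`, not something this thread establishes. The TCP check at the end shows what the ACL is supposed to guarantee, and therefore why the 75xx behaviour James reports is worth verifying per platform before relying on the policy.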


