[nsp] Filter based forwarding

micky micky at apol.com.tw
Tue Nov 4 20:57:24 EST 2003

Dear james

How do I verify this filter is working ?
I used ping with carrying different bytes in the windows,it still
worked,wasn't dropped by this filter
And I also found traceroute was dropped

It's strange !!


----- Original Message ----- 
From: "james" <hackerwacker at cybermesa.com>
To: "Blaz Zupan" <blaz at inlimbo.org>; <cisco-nsp at puck.nether.net>
Sent: Wednesday, November 05, 2003 4:14 AM
Subject: Re: [nsp] Filter based forwarding

> Policy based routing allows one the match whatever you
> can with an extended ACL and apply a policy to it:
> !
> route-map nachi-worm permit 10
>  match ip address 191
>  match length 92 92
>  set ip next-hop ( goes to null on my nets, you
could just set this statement to the null interface itself)
> !
> access-list 191 remark Nachi-worm ethernet
> access-list 191 permit icmp any any echo
> access-list 191 permit icmp any any echo-reply
> !
> CMCS_gwy#config t
> Enter configuration commands, one per line.  End with CNTL/Z.
> CMCS_gwy(config)#interface FastEthernet0/0
> CMCS_gwy(config-if)#ip policy route-map nachi-worm
> Beware of doing the above (dropping 92 byte pings) on some 75xx series,
> as it also drops 92 byte TCP. Nasty week of debugging this, till I
> one of our providers was doing this. I tested on 7206's and we saw no
> and used this policy for a while on my network (on 7200's) with no
> James Edwards
> Routing and Security Administrator
> jamesh at cybermesa.com
> At the Santa Fe Office: Internet at Cyber Mesa
> Store hours: 9-6 Monday through Friday
> 505-988-9200 SIP:1(747)669-1965
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list