[nsp] Filter based forwarding

Sam Stickland sam_ml at spacething.org
Wed Nov 5 06:24:37 EST 2003


Did you try from the router, or an attached machine?

Locally generated packets on the router won't be policy routed unless you
specify

ip local policy route-map nachi-worm

----- Original Message -----
From: "micky" <micky at apol.com.tw>
To: "james" <hackerwacker at cybermesa.com>; "Blaz Zupan" <blaz at inlimbo.org>;
<cisco-nsp at puck.nether.net>
Sent: Wednesday, November 05, 2003 1:57 AM
Subject: Re: [nsp] Filter based forwarding


> Dear james
>
> How do I verify this filter is working?
> I used ping carrying different byte counts in Windows, and it still
> worked; it wasn't dropped by this filter.
> And I also found traceroute was dropped.
>
>
> It's strange !!
>
>
> Regards,
> Micky
>
> ----- Original Message -----
> From: "james" <hackerwacker at cybermesa.com>
> To: "Blaz Zupan" <blaz at inlimbo.org>; <cisco-nsp at puck.nether.net>
> Sent: Wednesday, November 05, 2003 4:14 AM
> Subject: Re: [nsp] Filter based forwarding
>
>
> > Policy-based routing allows one to match whatever you
> > can with an extended ACL and apply a policy to it:
> >
> > !
> > route-map nachi-worm permit 10
> >  match ip address 191
> >  match length 92 92
> >  set ip next-hop 192.168.1.1
> > (192.168.1.1 goes to null on my nets; you could just set this statement
> > to the null interface itself)
> > !
> > access-list 191 remark Nachi-worm ethernet
> > access-list 191 permit icmp any any echo
> > access-list 191 permit icmp any any echo-reply
> > !
> > CMCS_gwy#config t
> > Enter configuration commands, one per line.  End with CNTL/Z.
> > CMCS_gwy(config)#interface FastEthernet0/0
> > CMCS_gwy(config-if)#ip policy route-map nachi-worm
> >
> > Beware of doing the above (dropping 92 byte pings) on some 75xx series,
> > as it also drops 92 byte TCP. Nasty week of debugging this, till I
> > discovered one of our providers was doing this. I tested on 7206's and
> > we saw no problems, and used this policy for a while on my network
> > (on 7200's) with no problems.
> >
> > James Edwards
> > Routing and Security Administrator
> > jamesh at cybermesa.com
> > At the Santa Fe Office: Internet at Cyber Mesa
> > Store hours: 9-6 Monday through Friday
> > 505-988-9200 SIP:1(747)669-1965
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>



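Added example, not part of the thread above: a small Python model of what the posted route-map does, written to make sense of Micky's test results and Sam's point about router-sourced traffic. It assumes the IOS semantics that "match length 92 92" is compared against the IP total length, that ACL 191 matches only ICMP echo and echo-reply, and that packets the router generates itself bypass an interface "ip policy" unless "ip local policy" is configured. The packets are constructed inline (not captures): a ping with the 32-byte payload Windows ping sends by default, which is 60 bytes on the wire and so never matches; a Nachi-style echo with a 64-byte payload, which is exactly 92 bytes; and a 92-byte TCP segment, which the route-map as written does not match, so the 75xx behaviour James describes is a platform deviation rather than what the config asks for.

```python
import ipaddress
import struct

# Constants mirroring the posted route-map (assumed IOS semantics, see lead-in):
# ACL 191 permits ICMP echo / echo-reply; "match length 92 92" is an IP total-length range.
PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8
MATCH_LEN_MIN, MATCH_LEN_MAX = 92, 92


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(proto: int, payload: bytes, src="10.0.0.2", dst="10.0.0.3") -> bytes:
    """Minimal IPv4 packet: 20-byte header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def icmp_echo(kind: int, data: bytes) -> bytes:
    """ICMP echo / echo-reply: 8-byte header plus data, checksum filled in."""
    msg = struct.pack("!BBHHH", kind, 0, 0, 0x1234, 1) + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def tcp_segment(data: bytes) -> bytes:
    """20-byte TCP header plus data; checksum left zero, nothing here validates it."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + data


def acl_191_permits(pkt: bytes) -> bool:
    """access-list 191 permit icmp any any echo / echo-reply."""
    if pkt[9] != PROTO_ICMP:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl] in (ICMP_ECHO, ICMP_ECHO_REPLY)


def route_map_matches(pkt: bytes) -> bool:
    """route-map nachi-worm permit 10: both match clauses must hold."""
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return acl_191_permits(pkt) and MATCH_LEN_MIN <= total_len <= MATCH_LEN_MAX


def policy_route(pkt: bytes, locally_generated=False, local_policy=False) -> str:
    """'next-hop' if the route-map diverts the packet, else 'normal' forwarding.

    locally_generated models traffic sourced by the router itself, which only
    sees the route-map when 'ip local policy' is configured (Sam's point).
    """
    if locally_generated and not local_policy:
        return "normal"
    return "next-hop" if route_map_matches(pkt) else "normal"


# Constructed sample packets (not captures from the thread).
WINDOWS_PING = ipv4(PROTO_ICMP, icmp_echo(ICMP_ECHO, b"abcdefghijklmnopqrstuvwabcdefghi"))  # 60 bytes
NACHI_PROBE = ipv4(PROTO_ICMP, icmp_echo(ICMP_ECHO, b"\xaa" * 64))                          # 92 bytes
NACHI_REPLY = ipv4(PROTO_ICMP, icmp_echo(ICMP_ECHO_REPLY, b"\xaa" * 64))                    # 92 bytes
TCP_92 = ipv4(PROTO_TCP, tcp_segment(b"x" * 52))                                             # 92 bytes


if __name__ == "__main__":
    for name, pkt in [("windows default ping", WINDOWS_PING), ("nachi probe", NACHI_PROBE),
                      ("nachi reply", NACHI_REPLY), ("92-byte tcp", TCP_92)]:
        print("%-22s len=%3d -> %s" % (name, len(pkt), policy_route(pkt)))
    print("router-sourced probe, no local policy ->", policy_route(NACHI_PROBE, True, False))
    print("router-sourced probe, ip local policy ->", policy_route(NACHI_PROBE, True, True))
```

To reproduce a match from a Windows host rather than the router, send a ping whose IP total length is 92 bytes, e.g. "ping -l 64 <target>" (20-byte IP header + 8-byte ICMP header + 64 bytes of data); the default 32-byte ping will pass untouched, as the model shows. On the router itself, "show route-map nachi-worm" reports the policy routing match counters, which is the quickest way to see whether the route-map is seeing any traffic at all.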