[nsp] Filter based forwarding

micky at apol.com.tw
Wed Nov 5 09:34:24 EST 2003


Yes, it indeed worked.
I just wondered how to tell Nachi and normal ICMP packets apart.


Micky 

--
亞太線上服務股份有限公司
http://www.apol.com.tw


---------- Original Message -----------
From: "Sam Stickland" <sam_ml at spacething.org>
To: "micky" <micky at apol.com.tw>, "james" <hackerwacker at cybermesa.com>, "Blaz 
Zupan" <blaz at inlimbo.org>, <cisco-nsp at puck.nether.net>
Sent: Wed, 5 Nov 2003 11:24:37 -0000
Subject: Re: [nsp] Filter based forwarding

> Did you try from the router, or an attached machine?
> 
> Locally generated packets on the router won't be policy routed 
> unless you specify
> 
> ip local policy nachi-worm
> 
> ----- Original Message -----
> From: "micky" <micky at apol.com.tw>
> To: "james" <hackerwacker at cybermesa.com>; "Blaz Zupan" <blaz at inlimbo.org>;
> <cisco-nsp at puck.nether.net>
> Sent: Wednesday, November 05, 2003 1:57 AM
> Subject: Re: [nsp] Filter based forwarding
> 
> > Dear james
> >
> > How do I verify this filter is working?
> > I used ping carrying different bytes in Windows; it still
> > worked, and wasn't dropped by this filter.
> > And I also found traceroute was dropped.
> >
> >
> > It's strange!!
> >
> >
> > Regards,
> > Micky
> >
> > ----- Original Message -----
> > From: "james" <hackerwacker at cybermesa.com>
> > To: "Blaz Zupan" <blaz at inlimbo.org>; <cisco-nsp at puck.nether.net>
> > Sent: Wednesday, November 05, 2003 4:14 AM
> > Subject: Re: [nsp] Filter based forwarding
> >
> >
> > > Policy based routing allows one to match whatever you
> > > can with an extended ACL and apply a policy to it:
> > >
> > > !
> > > route-map nachi-worm permit 10
> > >  match ip address 191
> > >  match length 92 92
> > >  set ip next-hop 192.168.1.1 (192.168.1.1 goes to null on my nets, you
> > > could just set this statement to the null interface itself)
> > > !
> > > access-list 191 remark Nachi-worm ethernet
> > > access-list 191 permit icmp any any echo
> > > access-list 191 permit icmp any any echo-reply
> > > !
> > > CMCS_gwy#config t
> > > Enter configuration commands, one per line.  End with CNTL/Z.
> > > CMCS_gwy(config)#interface FastEthernet0/0
> > > CMCS_gwy(config-if)#ip policy route-map nachi-worm
> > >
> > > Beware of doing the above (dropping 92 byte pings) on some 75xx series,
> > > as it also drops 92 byte TCP. Nasty week of debugging this, till I
> > > discovered one of our providers was doing this. I tested on 7206's and
> > > we saw no problems and used this policy for a while on my network
> > > (on 7200's) with no problems.
> > >
> > > James Edwards
> > > Routing and Security Administrator
> > > jamesh at cybermesa.com
> > > At the Santa Fe Office: Internet at Cyber Mesa
> > > Store hours: 9-6 Monday through Friday
> > > 505-988-9200 SIP:1(747)669-1965
> > >
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> >
> >
------- End of Original Message -------
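
The matching logic of the route-map discussed in this thread, as an added example that is not part of the original messages: it builds constructed IPv4 packets and evaluates them against `access-list 191` plus `match length 92 92`, showing which test pings exercise the filter. The `length_only` flag is a hypothetical model of the 75xx behaviour James reports (length matched, ACL not applied), and all addresses and sample packets are constructed.

```python
import struct

ICMP, TCP = 1, 6
ECHO_REPLY, ECHO = 0, 8

def ipv4_packet(proto, l4_bytes):
    """Constructed IPv4 packet: 20-byte header (checksum left 0) + layer-4 bytes."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_bytes), 0, 0,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + l4_bytes

def icmp_message(icmp_type, payload_len):
    """8-byte ICMP header (checksum left 0) followed by payload_len data bytes."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + bytes(payload_len)

def acl_191(pkt):
    """access-list 191: permit icmp any any echo / echo-reply."""
    header_len = (pkt[0] & 0x0F) * 4
    return pkt[9] == ICMP and pkt[header_len] in (ECHO, ECHO_REPLY)

def match_length(pkt, low=92, high=92):
    """match length 92 92: compares the IP total-length field."""
    return low <= struct.unpack("!H", pkt[2:4])[0] <= high

def policy_routed(pkt, length_only=False):
    """True when route-map nachi-worm sends pkt to the null next hop.
    length_only=True is a hypothetical model of the 75xx behaviour James reports."""
    return match_length(pkt) and (length_only or acl_191(pkt))

# Constructed test traffic; payload sizes correspond to Windows `ping -l` values.
SAMPLES = {
    "ping default (32 bytes)": ipv4_packet(ICMP, icmp_message(ECHO, 32)),
    "ping -l 64": ipv4_packet(ICMP, icmp_message(ECHO, 64)),
    "echo-reply, 64 bytes": ipv4_packet(ICMP, icmp_message(ECHO_REPLY, 64)),
    "ping -l 65": ipv4_packet(ICMP, icmp_message(ECHO, 65)),
    "TCP segment, 92 bytes total": ipv4_packet(TCP, bytes(72)),
}

def verdicts(length_only=False):
    """Map each sample name to True (null-routed) or False (forwarded normally)."""
    return {name: policy_routed(pkt, length_only) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, dropped in verdicts().items():
        print(f"{name:30} {'null-routed' if dropped else 'forwarded'}")
```

Only a 64-byte ping payload (20-byte IP header + 8-byte ICMP header + 64 = 92) hits the policy, so other ping sizes pass untouched. Windows tracert probes are ICMP echo requests with a 64-byte payload, so they match the same way as `ping -l 64`.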


