[c-nsp] Dual purpose of a rate-limit access-group or a route-map

Amol Sapkal amolsapkal at gmail.com
Thu Oct 7 16:53:02 EDT 2004

I dunno if this qualifies for bad design, but today morning, when I
had a DoS attack from one of my client machines I did this:

The client was rate-limited via a access-group on one of my FE
subinterfaces. I added a deny statement at the top of this
    Though the deny stmt did show me matches, I am not sure if it
actually executed the deny, as it was not applied as an access-list on
the interface.

Now I am wondering, if this is a good way of blocking traffic and also
implementing CAR or source based policy routing.

Like, I can even have a route-map, which can do things like setting
next hops for a particular access-list but at the same time block
traffic since I can put a deny statement in the access-list.

Will the above 2 scenarios help in denying traffic or am I
misunderstanding the way access-list works for a CAR/ route-map?

Warm Regds,

Amol Sapkal

An eye for an eye makes the whole world blind 
- Mahatma Gandhi

More information about the cisco-nsp mailing list