[c-nsp] Dual purpose of a rate-limit access-group or a route-map

Rodney Dunn rodunn at cisco.com
Thu Oct 7 17:09:55 EDT 2004


On Fri, Oct 08, 2004 at 02:23:02AM +0530, Amol Sapkal wrote:
> Guys,
> I don't know if this qualifies as bad design, but this morning, when I
> had a DoS attack from one of my client machines, I did this:
> 
> The client was rate-limited via an access-group on one of my FE
> subinterfaces. I added a deny statement at the top of this
> access-group.
>     Though the deny statement did show me matches, I am not sure if it
> actually executed the deny, as it was not applied as an access-list on
> the interface.

It simply tells the router "Don't apply the defined rate-limit
policy to this traffic".  That traffic matching a deny will
be handled as normal transit traffic.

> 
> Now I am wondering if this is a good way of blocking traffic and also
> implementing CAR or source-based policy routing.
> 
> Like, I can even have a route-map, which can do things like setting
> next hops for a particular access-list but at the same time block
> traffic since I can put a deny statement in the access-list.

As long as you understand the correlation between the ACLs and
where you apply them, you can use the same ACL.  I don't recommend it
because too many people get them confused and end up kicking themselves
when they forget the same ACL is used in multiple places.

> 
> Will the above 2 scenarios help in denying traffic, or am I
> misunderstanding the way access-lists work for CAR/route-maps?
>

I'm not sure how you understand it, but here is how it works.
Each feature (CAR, PBR, MQC) works independently of the others in
the context of matching on an ACL.  The only relation they have is
the order of operation: if you change the values in one feature, a
downstream feature would have to match on the adjusted values.

Rodney

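An added illustration of the behaviour Rodney describes (constructed configuration, not from either poster; the addresses, ACL numbers, interface and route-map name are hypothetical): a deny line in the ACL that CAR or a route-map references only exempts that traffic from the policy, whereas a separate ACL applied with ip access-group actually drops it.

```cisco
! Constructed example; addresses, ACL numbers and interface are hypothetical.
! 192.0.2.0/24 is the customer block, 192.0.2.50 the host sending the flood.
!
! --- What the original post did ---
! The deny line sits in the ACL that rate-limit references. Here "deny"
! means "do not apply this rate-limit policy to these packets": they are
! forwarded as normal transit traffic, even though the line's match
! counter in "show access-lists 110" keeps incrementing.
access-list 110 deny   ip host 192.0.2.50 any
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
!
interface FastEthernet0/0.100
 rate-limit input access-group 110 2000000 375000 750000 conform-action transmit exceed-action drop
!
! The same holds for PBR: a deny in ACL 110 means this route-map clause
! does not match, so the packet is forwarded by the normal routing table,
! not dropped.
route-map CUSTOMER-PBR permit 10
 match ip address 110
 set ip next-hop 198.51.100.1
!
! --- To actually block the host ---
! Use a separate ACL applied with ip access-group. Keeping it separate
! from ACL 110 avoids the confusion Rodney warns about (one ACL reused
! by several features). On the input path the interface ACL is evaluated
! before CAR and PBR, so packets it drops never reach either policy.
access-list 120 deny   ip host 192.0.2.50 any
access-list 120 permit ip any any
!
interface FastEthernet0/0.100
 ip access-group 120 in
 ip policy route-map CUSTOMER-PBR
!
! Verification: "show access-lists 110" and "show access-lists 120" show
! which line the packets hit; "show interfaces FastEthernet0/0.100
! rate-limit" shows the conformed/exceeded counters of the CAR policy.
```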
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/