[c-nsp] Dropping traffic based on source address

David J. Hughes bambi at Hughes.com.au
Fri Jul 1 00:14:40 EDT 2005


Why not set the next-hop of the prefixes to an IP that you static route 
to Null0 on all your borders?  Using Zebra / Quagga for example you can 
inject into iBGP with a pre-set next-hop.


David
...

On 01/07/2005, at 12:17 PM, Brad Gould wrote:

> Hi!
>
> We have a (large) list of spamming evil hosts/networks we would like
> to block from our mail servers. (~500k entries)
>
> The list is being imported into the routing table via bgp, and we can
> drop the return path traffic, using PBR.  But the initial syn traffic
> is getting through to the servers.
>
> I'd like to drop the inbound traffic, based on its source address, but
> I can't construct a sensible ACL - there are too many entries (around
> 500k).
>
> But can I match based on known routes in the routing table, and apply
> that on the way into the network?
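
The setup described in the reply above, as an added example that is not part of the original thread: a Python generator that turns a blocklist into a Quagga bgpd.conf fragment announcing each prefix into iBGP with a pre-set next-hop, which each border router static-routes to Null0. The AS number, peer addresses, next-hop address, route-map name, the no-export community and the guard-rail thresholds are all assumptions chosen for illustration.

```python
import ipaddress

# All values are constructed placeholders, not taken from the thread.
LOCAL_AS = 64512                      # private ASN (assumption)
BORDERS = ["192.0.2.1", "192.0.2.2"]  # iBGP peers = border routers (assumption)
DISCARD_NH = "192.0.2.254"            # next-hop the borders route to Null0
MIN_PREFIXLEN = 8                     # refuse anything broader than a /8
# Matching static route on each Cisco border router:
#   ip route 192.0.2.254 255.255.255.255 Null0

def load_prefixes(lines, protected=()):
    """Parse, validate and aggregate blocklist entries (IPv4 hosts or CIDRs)."""
    protected = [ipaddress.ip_network(p) for p in protected]
    nets, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        # Guard rails: a typo such as /0, or an entry covering our own space,
        # would blackhole legitimate traffic on every border at once.
        if net.prefixlen < MIN_PREFIXLEN or any(net.overlaps(p) for p in protected):
            rejected.append(entry)
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected

def bgpd_conf(nets):
    """Render the bgpd.conf fragment: network statements plus next-hop rewrite."""
    out = [f"router bgp {LOCAL_AS}"]
    out += [f" network {n}" for n in nets]
    for peer in BORDERS:
        out += [f" neighbor {peer} remote-as {LOCAL_AS}",
                f" neighbor {peer} route-map BLACKHOLE out"]
    out += ["!", "route-map BLACKHOLE permit 10",
            f" set ip next-hop {DISCARD_NH}",
            " set community no-export", "!"]  # keep the routes inside the AS
    return "\n".join(out)

SAMPLE = ["203.0.113.7", "203.0.113.6/32", "198.51.100.0/24  # constructed",
          "0.0.0.0/0", "10.1.2.0/24", "not-an-ip"]

if __name__ == "__main__":
    nets, bad = load_prefixes(SAMPLE, protected=["10.0.0.0/8"])
    print(bgpd_conf(nets))
    print("rejected:", bad)
```

Routes installed this way discard packets whose destination falls inside a listed prefix; the rejected list should be reviewed before each reload rather than silently ignored.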


