[c-nsp] Shunning Traffic on ASA's
Roland Dobbins
rdobbins at cisco.com
Mon Feb 11 10:17:27 EST 2008
On Feb 11, 2008, at 10:05 PM, Christian Koch wrote:
> would using "shun" suffice until I can deploy RTBH at
> every site, or would it impose unneeded complication
You'll have to determine that - I'd suggest doing everything possible
to get S/RTBH (source-based, not just destination-based) deployed, as
you really want to drop traffic *before* it hits the firewalls. You
can use manual shunning as you like, of course, it's just generally
more expensive to drop on a firewall or other specialized device than
on an edge router. And as Jeff indicates, it's only source-based
(i.e., no destination-based option if that's your goal), and in earlier
versions of the software, it didn't clear existing connections.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // +66.83.266.6344 mobile
If you don't know what to do, it's harder to do it.
-- Malcolm Forbes
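To make the contrast in the reply concrete, here is an added configuration sketch (not part of the original thread, and not Roland's or Cisco's reference config) of the two approaches side by side: a manual ASA "shun" of one attacking source, and the S/RTBH equivalent that drops the same source at the edge routers before it reaches the firewall. The attacker address 198.51.100.23, the discard next-hop 192.0.2.1, the route tag 666, AS 65000 and the interface names are all assumptions chosen for illustration.

```text
!=== Approach 1: manual shun on the ASA (source-based only) ===
! Drops new traffic from the source at the firewall. Remove with "no shun".
shun 198.51.100.23
show shun
! ... and later:
no shun 198.51.100.23

!=== Approach 2: S/RTBH on IOS edge routers ===
! Trigger router: a tagged static route is rewritten by the route-map so
! that iBGP carries the source /32 with a next-hop pointing at the discard
! address 192.0.2.1 (assumed). Marked no-export so it never leaves the AS.
ip route 192.0.2.1 255.255.255.255 Null0
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
 set origin igp
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
!
! To blackhole the attacking source, add one tagged static on the trigger:
ip route 198.51.100.23 255.255.255.255 Null0 tag 666
! To lift it:
no ip route 198.51.100.23 255.255.255.255 Null0 tag 666

! Every edge router: the discard next-hop resolves to Null0, and loose-mode
! uRPF on the upstream interface discards packets whose *source* route
! points at Null0. That is what makes the blackhole source-based.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface GigabitEthernet0/0
 description Upstream (assumed interface name)
 ip verify unicast source reachable-via any
```

Two caveats a practitioner should check: loose-mode uRPF only works as a source blackhole if the edge routers carry routes for legitimate sources (full table, or "reachable-via any allow-default" where a default route is relied on), and dropping the same /32 as a destination instead would be the classic destination-based RTBH, which is the option the ASA shun does not give you.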