[c-nsp] Shunning Traffic on ASA's

Roland Dobbins rdobbins at cisco.com
Mon Feb 11 10:17:27 EST 2008


On Feb 11, 2008, at 10:05 PM, Christian Koch wrote:

> would using "shun" suffice until I can deploy RTBH at
> every site, or would it impose unneeded complication

You'll have to determine that - I'd suggest doing everything possible
to get S/RTBH (source-based, not just destination-based) deployed, as
you really want to drop traffic *before* it hits the firewalls.  You
can use manual shunning as you like, of course, it's just generally
more expensive to drop on a firewall or other specialized device than
on an edge router.  And as Jeff indicates, it's only source-based
(i.e., no destination-based option if that's your goal), and in earlier
versions of the software, it didn't clear existing connections.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at cisco.com> // +66.83.266.6344 mobile

      If you don't know what to do, it's harder to do it.

                    -- Malcolm Forbes
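For reference, here is what the two approaches discussed above look like in configuration: S/RTBH on a Cisco IOS edge router (the recommended long-term fix) beside the manual ASA shun (the stop-gap). This is an added example, not configuration from this thread; the AS number, interface name, the 192.0.2.1 discard next-hop and the 203.0.113.45 source are assumed placeholder values.

```text
! --- Edge/trigger router (Cisco IOS), S/RTBH ---
! Discard next-hop: any route whose next hop resolves here is dropped.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-mode uRPF on the Internet-facing interface: a packet whose
! SOURCE address resolves to Null0 is dropped. This is what makes the
! black hole source-based instead of only destination-based.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any
!
! Trigger: a tagged static route for the offending source is rewritten
! to the discard next-hop and advertised to every iBGP edge router,
! so the drop happens at the edge, before the traffic reaches the ASA.
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
! Operator action to black-hole the (placeholder) source 203.0.113.45 ...
ip route 203.0.113.45 255.255.255.255 Null0 tag 666
! ... and to lift it again once the attack subsides:
no ip route 203.0.113.45 255.255.255.255 Null0 tag 666

! --- ASA, manual shun (the stop-gap discussed above) ---
! Source-based only: all traffic from this source is dropped at the ASA,
! but the ASA still has to receive and inspect it.
shun 203.0.113.45
! On releases where shun leaves already-established sessions up,
! tear those down explicitly as well.
clear conn address 203.0.113.45
show shun
no shun 203.0.113.45
```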