[c-nsp] Tracking down spoofed source IPs in DMVPN (GRE multipoint) environments

Dale Shaw dale.shaw+cisco-nsp at gmail.com
Mon Feb 18 22:56:18 EST 2008


Hi all,

Today I had to track down a Windows PC with a 169.254.x IP that was
sending some annoying directed broadcast packets around my network.

Yes, uRPF would take care of this, and that's what I've used to drop
any such traffic in the future.

I was using NetFlow and CEF to trace the source, hop by hop, but I
eventually came to a DMVPN hub router where this method came unstuck.
The NetFlow cache reveals the interface the packet was received on,
but it's a multipoint GRE tunnel interface with a whole bunch of
adjacent routers, each with their own stub networks.

I gave in and scripted a "sh ip cache flow | i 169.254" command to run
on each of the downstream spoke routers when a broadcast packet was
seen upstream, and this worked, but I was wondering if there was a
better way.

So, is there a better way?

cheers,
Dale
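
One way to automate the spoke-by-spoke search described above, as an added example that is not part of the original post: collect `show ip cache flow` from each spoke, parse the flow table, and report which spoke saw the 169.254.0.0/16 source and on which interface. The NetFlow output below is constructed sample data in the IOS flow-cache layout (protocol and ports printed in hex), and the spoke names, interfaces and addresses are assumptions. It goes slightly beyond the post by distinguishing a spoke that merely forwards the flow (ingress on the tunnel interface) from the spoke where the host actually lives (ingress on a LAN interface).

```python
"""Locate the DMVPN spoke (and its ingress interface) where flows from a
spoofed source prefix originate, by parsing 'show ip cache flow' output
gathered from each spoke router.

Added example, not from the original post. SPOKE_OUTPUTS is constructed
sample data; the spoke names and addresses are assumptions.
"""
import ipaddress
import re

# One row of the IOS flow-cache table:
#   SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
# IOS prints the protocol number and both ports in hexadecimal.
FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<src_port>[0-9A-Fa-f]{4})\s+"
    r"(?P<dst_port>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

# Constructed sample output from two spokes (assumed names). The 169.254
# host sits behind spoke-02's Fa0/0; spoke-01 only sees the packets arrive
# over the tunnel because it is the target of the directed broadcast.
SPOKE_OUTPUTS = {
    "spoke-01": """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Tu0           10.1.1.10       Fa0/0         192.168.1.20    06 01BB C3A1    42
Fa0/0         192.168.1.20    Tu0           10.1.1.10       06 C3A1 01BB    40
Tu0           169.254.37.12   Fa0/0         192.168.1.255   11 0089 0089     6
""",
    "spoke-02": """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         169.254.37.12   Tu0           192.168.1.255   11 0089 0089     6
Tu0           10.1.1.10       Fa0/0         192.168.2.5     06 01BB D2E0    17
""",
}


def parse_flow_cache(text):
    """Yield one dict per flow row; headers and summary lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["proto"] = int(row["proto"], 16)
        row["src_port"] = int(row["src_port"], 16)
        row["dst_port"] = int(row["dst_port"], 16)
        row["pkts"] = int(row["pkts"])
        yield row


def find_spoofed_sources(outputs, prefix="169.254.0.0/16", tunnel_prefix="Tu"):
    """Return every flow across all spokes whose source falls in `prefix`.

    `local_origin` is True when the flow entered on a non-tunnel interface,
    i.e. the offending host is on that spoke's own LAN rather than being
    forwarded to it over the mGRE cloud.
    """
    net = ipaddress.ip_network(prefix)
    hits = []
    for spoke, text in outputs.items():
        for flow in parse_flow_cache(text):
            if ipaddress.ip_address(flow["src_ip"]) not in net:
                continue
            hits.append({
                "spoke": spoke,
                "src_if": flow["src_if"],
                "src_ip": flow["src_ip"],
                "dst_ip": flow["dst_ip"],
                "pkts": flow["pkts"],
                "local_origin": not flow["src_if"].startswith(tunnel_prefix),
            })
    return hits


def origin_spokes(hits):
    """Names of spokes where the source entered on a LAN-facing interface."""
    return sorted({h["spoke"] for h in hits if h["local_origin"]})


if __name__ == "__main__":
    found = find_spoofed_sources(SPOKE_OUTPUTS)
    for h in found:
        tag = "ORIGIN" if h["local_origin"] else "transit"
        print(f"{h['spoke']:10s} {h['src_if']:8s} {h['src_ip']:16s} "
              f"-> {h['dst_ip']:16s} {h['pkts']:5d} pkts  [{tag}]")
    print("host lives behind:", ", ".join(origin_spokes(found)))
```

In practice the `SPOKE_OUTPUTS` dict would be filled from the real spokes (for example via an SSH loop); the parser itself is unchanged. Treating a tunnel-ingress hit as transit rather than origin is what stops the hub-facing side of every spoke from looking like a suspect.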
