[c-nsp] DDoS help please
Arie Vayner (avayner)
avayner at cisco.com
Tue Dec 11 18:18:45 EST 2012
I think the easiest way would be to actually create a new ACL on the router, and then change the user's RADIUS profile to use that ACL...
Arie
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Tuesday, December 11, 2012 12:48
To: Mike
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] DDoS help please
Hi,
On Tue, Dec 11, 2012 at 11:19:08AM -0800, Mike wrote:
> 53 except to/from my servers. I don't want to cut/paste and create a
> new access list for this customer, I just want to be able to add some
> additional rules on top of the default filter set. Surely there has to
> be a way to do this?
Not easily, as IOS only supports a single ingress and a single egress ACL per interface, and you can't "include" other ACLs.
You might trick this by using an *ingress* ACL on the LAN port of your
7201 to drop that particular traffic, or by using QoS to police these packets down to 1kbit/s... (you can have QoS policies in addition to an egress ACL).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
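As an added illustration of the QoS workaround Gert describes (not configuration from either poster), this is what a class-based policer for customer DNS traffic looks like on IOS: the customer's port-53 flows are matched by an ACL that exempts the ISP's own resolvers, then rate-limited in a policy-map that sits alongside whatever egress ACL is already applied. The interface name, the customer and resolver addresses (documentation ranges) and the ACL/class/policy names are assumptions; the 8000 bps rate is chosen because that is the lowest value classic IOS accepts for `police`, so a literal 1 kbit/s target would need checking against the platform.

```ios
! Assumed names and addresses; customer host 192.0.2.10, resolver 198.51.100.53
ip access-list extended ACL-CUSTOMER-DNS
 ! Leave traffic to/from the ISP resolver untouched
 deny   udp host 192.0.2.10 host 198.51.100.53 eq domain
 deny   udp host 192.0.2.10 eq domain host 198.51.100.53
 ! Everything else on port 53 from this customer is the flood
 permit udp host 192.0.2.10 any eq domain
 permit udp host 192.0.2.10 eq domain any
!
class-map match-all CM-CUSTOMER-DNS
 match access-group name ACL-CUSTOMER-DNS
!
policy-map PM-CUSTOMER-DNS-POLICE
 class CM-CUSTOMER-DNS
  ! 8000 bps is the usual IOS minimum; exceed traffic is dropped
  police 8000 1500 conform-action transmit exceed-action drop
 class class-default
!
interface GigabitEthernet0/1
 description Customer-facing port
 ! The existing ACL stays; the policer is applied in addition to it
 service-policy input PM-CUSTOMER-DNS-POLICE
```

`show policy-map interface GigabitEthernet0/1` afterwards shows the conform/exceed counters, which is the quickest way to confirm the flood is actually being caught by the class rather than falling into class-default.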