[c-nsp] ip access list rfc1918 help please
Gert Doering
gert at greenie.muc.de
Wed Jun 27 03:31:06 EDT 2012
Hi,
On Tue, Jun 26, 2012 at 05:17:22PM -0700, Mike wrote:
> Actually I do have urpf for exactly the reason you stated, but thanks. I
[..]
> based on a dynamic set... it's possible to null route bad destinations,
> but can a routing table be used to say 'drop all packets from these
> prefixes'?
In combination with uRPF, yes. If the route points elsewhere, and uRPF
is active on the interface where the packets are coming in, uRPF will
drop the packet.
Now, on your upstream interfaces, blindly enabling uRPF is going to
hurt, as asymmetry there is likely and uRPF will then drop legitimate
packets - so you need to use "ip verify unicast source reachable-via any",
and "filter these prefixes!" prefixes must be routed to "null0" for
this to be effective.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
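An added IOS configuration example (not from the thread or from any of its participants) showing the combination Gert describes: loose-mode uRPF on the upstream interface plus Null0 routes for the prefixes whose sources should be dropped. The interface name, description and the choice of RFC 1918 prefixes are assumptions for illustration.

```cisco
! Strict mode (reachable-via rx) checks that the best route back to the source
! leaves through the receiving interface. On a transit/upstream link that is
! frequently not the case (asymmetric routing), so it would drop legitimate
! traffic. Shown here only as the setting to avoid on this kind of interface:
!   ip verify unicast source reachable-via rx
!
! Loose mode (reachable-via any) only requires that the FIB holds a usable
! route for the source address, so asymmetry is harmless. A source whose best
! match is a route to Null0 fails the check and the packet is dropped.
interface GigabitEthernet0/0
 description upstream-transit (assumed name)
 ip verify unicast source reachable-via any
!
! Prefixes to be blackholed as sources. The same routes also discard packets
! *destined* to these prefixes, and any more specific route (for example an
! internal 10.x subnet) still wins, so only unrouted space is affected.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
```

If the router carries only a default route rather than a full table, loose uRPF needs the `allow-default` keyword or every source fails the check; with `allow-default`, the Null0 routes above are still more specific than the default and keep dropping those sources. Verify with `show ip interface GigabitEthernet0/0 | include verify` and the drop counters in `show ip traffic`.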