[c-nsp] ACL to block udp/0?

Saunders, D'Wayne DWayne.Saunders at team.telstra.com
Tue Dec 5 16:31:42 EST 2023


Howdy, on my phone so no detail, but the flow being reported will be due to fragments and not necessarily port 0.
The link below has details on how to block fragments.

Access Control Lists and IP Fragments: <https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html>

D’Wayne Saunders

On 6 Dec 2023, at 08:27, Hank Nussbacher via cisco-nsp <cisco-nsp at puck.nether.net> wrote:


We encountered something strange. We run IOS-XR 7.5.2 on the ASR9K platform.

Had a user under a udp/0 attack. Tried to block it via a standard ACL:


ipv4 access-list block-zero
20 deny udp any any eq 0
30 deny tcp any any eq 0
40 permit ipv4 any any


Applied to interface:

ipv4 access-group block-zero ingress
ipv4 access-group block-zero egress


Yet, based on Kentik, we had no effect and the udp/0 attack just
continued - as if the Cisco ACL is totally ignored.  Or am I missing
something in the ACL listed above?


Thanks,

Hank
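To make the fragment point concrete, here is an added model (not code from either poster or from Cisco) of how the ACL above and a flow exporter each see a non-initial IP fragment. It follows the matching rules in the linked Cisco document: an entry with Layer 4 information (such as "eq 0") cannot match a non-initial fragment because that fragment carries no UDP/TCP header, an entry without Layer 4 information matches all packets including fragments, and an entry with the "fragments" keyword matches only non-initial fragments. The exporter behaviour (reporting port 0 when no transport header is present) and all packet values are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Pkt:
    proto: str                 # IP protocol as seen in the IP header ("udp", "tcp", ...)
    frag_offset: int           # 0 for unfragmented packets and first fragments
    dst_port: Optional[int]    # None when the packet carries no transport header

@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ipv4" means any IP protocol
    eq_port: Optional[int] = None   # Layer 4 destination-port match, if any
    fragments: bool = False         # the "fragments" keyword

def flow_dst_port(p: Pkt) -> int:
    # Assumed exporter behaviour: a non-initial fragment has no transport
    # header, so the destination port field in the flow record is filled with 0.
    return p.dst_port if p.dst_port is not None else 0

def ace_matches(ace: Ace, p: Pkt) -> bool:
    if ace.proto != "ipv4" and ace.proto != p.proto:
        return False
    non_initial = p.frag_offset > 0
    if ace.fragments:                  # "fragments": non-initial fragments only
        return non_initial
    if ace.eq_port is not None:        # L4 match: non-initial fragments cannot match
        return (not non_initial) and p.dst_port == ace.eq_port
    return True                        # L3-only entry matches everything, fragments included

def evaluate(acl: List[Ace], p: Pkt) -> str:
    for ace in acl:
        if ace_matches(ace, p):
            return ace.action
    return "deny"                      # implicit deny at the end of the list

# The ACL from the original post, as modeled entries.
POSTED_ACL = [Ace("deny", "udp", eq_port=0), Ace("deny", "tcp", eq_port=0), Ace("permit", "ipv4")]
# Same list with a fragment-dropping entry added first (the approach in the linked Cisco document).
FRAGMENT_DROP_ACL = [Ace("deny", "ipv4", fragments=True)] + POSTED_ACL

# Constructed sample packets.
NON_INITIAL_FRAG = Pkt("udp", frag_offset=185, dst_port=None)   # flow shows port 0; ACL above permits it
INITIAL_FRAG = Pkt("udp", frag_offset=0, dst_port=53)            # first fragment, has a UDP header
REAL_PORT_ZERO = Pkt("udp", frag_offset=0, dst_port=0)           # genuine udp/0 datagram

if __name__ == "__main__":
    for name, p in [("non-initial fragment", NON_INITIAL_FRAG), ("real udp/0", REAL_PORT_ZERO)]:
        print(f"{name}: flow port={flow_dst_port(p)} posted={evaluate(POSTED_ACL, p)} "
              f"with-fragments={evaluate(FRAGMENT_DROP_ACL, p)}")
```

The model shows why a flow tool can report udp/0 while "deny udp any any eq 0" never increments: the traffic is non-initial fragments, which only an L3-only or "fragments" entry can catch.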

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
