[f-nsp] rACLs on CER

Robert Hass robhass at gmail.com
Tue Apr 5 17:16:41 EDT 2011


Hi

I'm currently testing Receive ACLs to protect my router against DDoS
attacks.  I configured a simple ICMP Receive ACL where ICMP should be accepted
only from the MGMT subnet 192.168.0.0/24.  ICMP from other IP addresses should
be denied.

My configuration:

interface ethernet 1/8
 port-name TRAFFIC.GENERATOR
 enable
 load-interval 30
 route-only
 ip address 10.0.0.1/30
 no ip redirect
 no flow-control
!
ip receive access-list 115 sequence 1
!
access-list 115 permit icmp 192.168.0.0 0.0.0.255 any
access-list 115 deny icmp any any

I connected a Linux box for testing rACLs - after implementation it looks like
rACLs work just fine: ICMP is only allowed from 192.168.0.0/24; from IP
10.0.0.2 I cannot ping the CER.

I started generating ICMP traffic from 10.0.0.2 going to host 10.0.0.1 (CER),
which was about 400 kpps.  During the ICMP flood I cannot ping/telnet the CER from my
MGMT segment (192.168.0.0/24, which is also connected to a different GE port,
ethe 1/2).

What did I configure wrong? Is this normal?

Robert
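The following is an added example, not part of Robert's post and not Brocade/Foundry code: a small Python model of how the two `access-list 115` entries above are evaluated against a source address using wildcard-mask semantics (a 1 bit in the mask means "don't care"). It only models the match logic of the ACL text itself, so it says nothing about how the hardware handles packets that are denied; the sample packets, the `evaluate`/`summarize` helpers and the `None` result for "no explicit match" are constructed here for illustration.

```python
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The receive ACL exactly as it appears in the post.
ACL_115 = """
access-list 115 permit icmp 192.168.0.0 0.0.0.255 any
access-list 115 deny icmp any any
"""

MASK32 = 0xFFFFFFFF


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    proto: str     # "icmp", "tcp", "udp" or "ip" (ip matches any protocol)
    src_net: int   # source network as a 32-bit integer
    src_wild: int  # wildcard mask as a 32-bit integer; 1 bits are ignored


def parse_entry(line: str) -> AclEntry:
    """Parse one 'access-list <num> <permit|deny> <proto> <src> <dst>' line.

    Only 'any' destinations are handled; that is all the posted ACL uses.
    """
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    _, _num, action, proto, *rest = tokens
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if rest[0] == "any":
        src_net, src_wild = 0, MASK32
        rest = rest[1:]
    else:
        src_net = int(ipaddress.IPv4Address(rest[0]))
        src_wild = int(ipaddress.IPv4Address(rest[1]))
        rest = rest[2:]
    if rest != ["any"]:
        raise ValueError(f"only 'any' destinations are handled: {line!r}")
    return AclEntry(action, proto, src_net, src_wild)


def parse_acl(config: str) -> list[AclEntry]:
    """Collect the access-list lines of a config fragment, in order."""
    return [parse_entry(l) for l in config.splitlines()
            if l.strip().startswith("access-list")]


def matches(entry: AclEntry, proto: str, src: str) -> bool:
    """True if the packet's protocol and source fall under this entry."""
    if entry.proto not in ("ip", proto):
        return False
    src_int = int(ipaddress.IPv4Address(src))
    care = ~entry.src_wild & MASK32   # the bits the wildcard says to compare
    return (src_int & care) == (entry.src_net & care)


def evaluate(acl: list[AclEntry], proto: str, src: str) -> Optional[str]:
    """First-match evaluation; None means no entry matched (platform default applies)."""
    for entry in acl:
        if matches(entry, proto, src):
            return entry.action
    return None


def summarize(acl: list[AclEntry], packets: list[tuple[str, str]]) -> dict[str, int]:
    """Count the verdict for each (proto, src) packet in a constructed sample."""
    counts: Counter[str] = Counter()
    for proto, src in packets:
        counts[str(evaluate(acl, proto, src))] += 1
    return dict(counts)


# Constructed sample: one management host, the Linux test box from the post.
SAMPLE_PACKETS = [
    ("icmp", "192.168.0.77"),  # MGMT subnet: should be permitted
    ("icmp", "10.0.0.2"),      # test box: should be denied
    ("icmp", "10.0.0.2"),
    ("tcp", "10.0.0.2"),       # not ICMP: neither entry matches
]

if __name__ == "__main__":
    acl = parse_acl(ACL_115)
    for proto, src in SAMPLE_PACKETS:
        print(f"{proto:4} from {src:14} -> {evaluate(acl, proto, src)}")
    print(summarize(acl, SAMPLE_PACKETS))
```

Running it shows the behaviour Robert confirmed in the first test (permit from 192.168.0.x, deny from 10.0.0.2); the TCP case falls through both entries, which is worth noticing because the posted ACL only addresses ICMP.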



More information about the foundry-nsp mailing list