[f-nsp] rACLs on CER
Robert Hass
robhass at gmail.com
Tue Apr 5 17:16:41 EDT 2011
Hi
I'm currently testing Receive ACLs to protect my router against DDoS
attacks. I configured a simple ICMP Receive ACL where ICMP should be accepted
only from the MGMT subnet 192.168.0.0/24. ICMP from other IP addresses should
be denied.
My configuration:
interface ethernet 1/8
port-name TRAFFIC.GENERATOR
enable
load-interval 30
route-only
ip address 10.0.0.1/30
no ip redirect
no flow-control
!
ip receive access-list 115 sequence 1
!
access-list 115 permit icmp 192.168.0.0 0.0.0.255 any
access-list 115 deny icmp any any
I connected a Linux box for testing rACLs - after implementation it looks like
rACLs work just fine: ICMP is only allowed from 192.168.0.0/24; from IP
10.0.0.2 I cannot ping the CER.
I started generating ICMP traffic from 10.0.0.2 going to host 10.0.0.1 (CER),
which was about 400 kpps. During the ICMP flood I cannot ping/telnet the CER from my
MGMT segment (192.168.0.0/24, which is also connected to a different GE port,
ethe 1/2).
What did I configure wrong? Is it normal?
Robert
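To confirm that the rule set in the post does what it is meant to do (accept ICMP from the MGMT subnet, drop it from anywhere else), here is an added Python evaluator for wildcard-mask ACL lines. It is not from the original post or from Brocade; it assumes first-match semantics and takes the action for packets that match no entry as a parameter, since that depends on the platform.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "icmp", "tcp", "udp" or "ip" (ip matches every protocol)
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D W.X.Y.Z' (address plus wildcard mask)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return addr, wild, tokens[2:]


def parse_acl(text):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst>' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, swild, rest = _parse_addr(t[4:])
        dst, dwild, _ = _parse_addr(rest)
        entries.append(AclEntry(action, proto, src, swild, dst, dwild))
    return entries


def _match(addr, net, wild):
    # In a wildcard mask a 1 bit means "don't care"; compare the other bits only.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(entries, proto, src, dst, default="deny"):
    """Return the action of the first matching entry, else `default`."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto in (proto, "ip") and _match(s, e.src_net, e.src_wild) \
                and _match(d, e.dst_net, e.dst_wild):
            return e.action
    return default


# The two rACL entries from the post, copied verbatim.
RACL_115 = parse_acl("""
access-list 115 permit icmp 192.168.0.0 0.0.0.255 any
access-list 115 deny icmp any any
""")
```

The rule set permits ICMP from a MGMT source and denies it from 10.0.0.2, which is exactly what the post observed before the flood started.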
More information about the foundry-nsp
mailing list