Is your external-facing interface configured for "no ip unreachables"? As traffic locally generated by the control plane is sent immediately to the interface for queuing, you should move your ACL to one hop away.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Pieter-Jan Nefkens
Sent: Tuesday, April 27, 2010 7:10 AM
To: Kingsley Charles
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] Accounting for attackers packet

Hi Kings,

To which route-map / interface do you have the access-list attached? The outbound interface from where the attacker originates? And if so, is the access-list attached outbound? Bear in mind that if the null0 interface sends unreachable packets, they will get routed normally and thus the access-list should be set on an outbound flow.

Have you read the blackhole pdf at cisco.com? It's available at: http://www.cisco.com/web/about/security/intelligence/blackhole.pdf

HTH
Pieter-Jan

On 27 apr 2010, at 09:03, Kingsley Charles wrote:

Hi all

With RTBH, if I need to check the number of packets that are from the attacker, I configure the following:

    access-list 123 permit icmp any any unreachables log
    access-list 123 permit ip any any
    logging on
    logging host (or buffered)

The Null0 interface is not configured for "no ip unreachables". The access-list is associated to interfaces of the edge router running BGP that gets the incoming traffic from the attacker.

But I don't see the unreachables matching the ACL. The counter is "0". Any idea?

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
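As an added illustration of the two replies above (not a configuration from the thread, from IPexpert or from Cisco's guide), the following IOS fragment shows why ACL 123 counts nothing on the edge router and where a counting ACL does work. The interface names, the edge-router address 198.51.100.2 and the ACL name COUNT-RTBH-UNREACH are assumptions; 192.0.2.1 is the conventional RTBH discard next-hop.

```cisco
! ===== Edge router: receives the BGP-triggered blackhole routes =====
!
! Discard next-hop used by the RTBH trigger: every /32 advertised with
! next-hop 192.0.2.1 resolves to Null0 and is dropped here.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Kings' setup keeps unreachables enabled on Null0, so each dropped
! attacker packet makes the edge router generate an ICMP type 3 toward
! the attacker's source address. The usual hardened RTBH setting is
! "no ip unreachables" here, which also means there is nothing to count.
interface Null0
! no ip unreachables
!
! IOS generates at most one unreachable per 500 ms by default, so any
! unreachable count is a lower bound on dropped packets, not a total.
ip icmp rate-limit unreachable 500
!
! Why the counter stays at 0: the unreachables are generated by the
! control plane and handed straight to the egress interface queue, so
! an outbound ACL on that interface never sees them. An inbound ACL on
! the edge sees only the attacker's own packets, never the local ICMP.
interface GigabitEthernet0/0
 description Link toward upstream (attacker side)
 ip access-group 123 out
!
! ===== Next-hop router, one hop toward the attacker (Tyson's advice) =====
!
! Here the unreachables arrive as transit traffic sourced by the edge
! router (assumed 198.51.100.2), and an inbound ACL counts them.
ip access-list extended COUNT-RTBH-UNREACH
 permit icmp host 198.51.100.2 any unreachables log
 permit ip any any
!
interface GigabitEthernet0/1
 description Link toward edge router
 ip access-group COUNT-RTBH-UNREACH in
!
! Verify:  show access-lists COUNT-RTBH-UNREACH
! With logging enabled, the hits appear as %SEC-6-IPACCESSLOGDP entries
! showing icmp 198.51.100.2 -> <attacker> (3/x).
```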
