I concur with Tyson on this... here is a sample of a configuration I ended up placing in production after lots of testing.
    interface <interface you want to block on>
     ip policy route-map inet_block

    ip access-list extended inet_block
     permit ip <subnet address> <wildcard mask> any

    route-map inet_block permit 10
     match ip address inet_block
     set interface Null0

Let me know if you have questions about my testing or configs.

~Roger

On Tue, Apr 27, 2010 at 11:29 AM, Tyson Scott <[email protected]> wrote:
> I have never had problems with PBR unless I have a misconfiguration ;)
> Would need examples of what didn't work to know.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Tuesday, April 27, 2010 2:58 AM
> To: Brandon Carroll
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] Clarification on blackhole and sinkhole
>
> Hi Brandon
>
> Sometimes with the PBR where I send traffic to the null interface, it doesn't
> get dropped. I see the counters increased on the ACL associated with the
> route-map. Any thoughts?
>
> Tried both globally and local on the interface.
>
> With regards
> Kings
>
> On Mon, Apr 26, 2010 at 8:43 PM, Brandon Carroll <[email protected]> wrote:
>
> Kings,
>
> Off the top of my head, if I were asked to route traffic to a Black Hole or
> a Sink Hole I would think of using something along the lines of PBR setting
> the next hop to null0.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> Platinum Solutions Group (PSG) provides high-end consulting services with a
> primary emphasis on Cisco's Data Center Solutions, Service Provider
> Solutions, Unified Communications and Security-enabled infrastructures. Be
> sure to visit www.platinumsolutionsgroup.com.
>
> On Apr 26, 2010, at 12:13 AM, Kingsley Charles wrote:
>
> Hi all
>
> In the CCIE blue print, under Configure Advanced Security, we have the
> following:
>
> 1. Configure Black Hole and Sink Hole solutions
> 2. Configure RTBH filtering (Remote Triggered Black Hole)
>
> http://www.cisco.com/web/learning/le3/ccie/security/lab_exam_blueprint_v3.html
>
> I am aware of RTBH (source based and destination based).
>
> Can someone please share their thoughts on blackhole and sinkhole with some
> examples.
>
> With regards
> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
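As an added example, not Roger's, IPexpert's or anyone else's config from this thread: Roger's PBR-to-Null0 pattern filled in with constructed values, alongside the destination-based static route to Null0 that a RTBH trigger ultimately installs, and the show commands used to confirm the policy is actually firing. The interface name GigabitEthernet0/0, the 192.0.2.0/24 source block and the 203.0.113.9 destination are assumptions chosen for illustration; substitute your own.

```cisco
! Added example, not the thread's own config. The interface name and the
! addresses 192.0.2.0/24 and 203.0.113.9 are constructed for illustration.
!
! --- Source-based drop with PBR (the pattern Roger posted) ---
! The ACL names the traffic to discard; the route-map hands matches to Null0.
ip access-list extended inet_block
 permit ip 192.0.2.0 0.0.0.255 any
!
route-map inet_block permit 10
 match ip address inet_block
 set interface Null0
! Note: "set interface Null0" is the working form. "set ip next-hop" needs
! an IP address and cannot point at Null0.
!
! An interface policy only sees packets that ENTER that interface, so it goes
! on the ingress side of the traffic you want to drop.
interface GigabitEthernet0/0
 description ingress from the segment being blocked
 ip policy route-map inet_block
!
! Traffic the router itself originates is not covered by an interface policy;
! that needs the global local-policy form instead.
ip local policy route-map inet_block
!
! Null0 replies to discarded packets with ICMP unreachables by default, which
! costs CPU under load and tells the sender it is being filtered.
interface Null0
 no ip unreachables
!
! --- Destination-based drop with a static route (what RTBH installs) ---
! Anything routed toward this host is discarded by the normal forwarding
! path; no PBR is involved.
ip route 203.0.113.9 255.255.255.255 Null0
!
! --- Checks (exec mode) ---
! "show route-map inet_block" prints a "Policy routing matches" counter. If
! the ACL counter climbs but that counter stays at zero, the policy is not
! being applied to the traffic you expect (wrong interface or direction);
! "show ip policy" lists where the route-map is attached.
! show route-map inet_block
! show ip policy
! show ip route 203.0.113.9
```

The two mechanisms are kept side by side on purpose: the PBR form drops by source (or any ACL criteria) on a single ingress interface, while the static route drops by destination router-wide, which is why RTBH distributes a Null0 route rather than a policy map.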
