Thx Tyson/Roger, I will post the configs when I hit the issue again.

With regards
Kings

On Tue, Apr 27, 2010 at 9:17 PM, Roger Cheeks <[email protected]> wrote:

> I concur with Tyson on this... here is a sample of a configuration I ended
> up placing in production after lots of testing.
>
> interface <interface you want to block on>
>  ip policy route-map inet_block
>
> ip access-list extended inet_block
>  permit ip <subnet address> <wildcard mask> any
>
> route-map inet_block permit 10
>  match ip address inet_block
>  set interface Null0
>
> Let me know if you have questions about my testing or configs.
>
> ~Roger
>
> On Tue, Apr 27, 2010 at 11:29 AM, Tyson Scott <[email protected]> wrote:
>
>> I have never had problems with PBR unless I have a misconfiguration ;)
>> Would need examples of what didn't work to know.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
>> *Sent:* Tuesday, April 27, 2010 2:58 AM
>> *To:* Brandon Carroll
>> *Cc:* [email protected]
>> *Subject:* Re: [OSL | CCIE_Security] Clairification on backhole and sinkhole
>>
>> Hi Brandon
>>
>> Sometimes with the PBR where I send traffic to the null interface, doesn't
>> get dropped. I see the counters increased on the ACL associated with the
>> route-map. Any thought?
>>
>> Tried both globally and local on the interface.
>>
>> With regards
>> Kings
>>
>> On Mon, Apr 26, 2010 at 8:43 PM, Brandon Carroll <[email protected]> wrote:
>>
>> Kings,
>>
>> Off the top of my head if I were asked to route traffic to a Black Hole or
>> a Sink Hole I would think of using something along the lines of PBR setting
>> the next hop to null0.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>>
>> Platinum Solutions Group (PSG) provides high-end consulting services with
>> a primary emphasis on Cisco's Data Center Solutions, Service Provider
>> Solutions, Unified Communications and Security-enabled infrastructures. Be
>> sure to visit www.platinumsolutionsgroup.com.
>>
>> On Apr 26, 2010, at 12:13 AM, Kingsley Charles wrote:
>>
>> Hi all
>>
>> In the CCIE blue print, under *Configure Advanced Security,* we have the
>> following:
>>
>> 1. Configure Black Hole and Sink Hole solutions
>> 2. Configure RTBH filtering (Remote Triggered Black Hole)
>>
>> http://www.cisco.com/web/learning/le3/ccie/security/lab_exam_blueprint_v3.html
>>
>> I am aware of RTBH (source based and destination based).
>>
>> Can someone please share your thoughts for blackhole and sinkhole with
>> some examples.
>>
>> With regards
>> Kings

_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
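
An added example, not part of the thread and not any poster's own configuration: the PBR-to-Null0 pattern from Roger's message with the placeholders filled in, a destination-based static route to Null0 for comparison, and the checks that distinguish "the ACL matched" from "the packet was policy-routed", which is the symptom Kings describes. The addresses (192.0.2.0/24, 198.51.100.10) and the interface name GigabitEthernet0/0 are constructed placeholders.

```cisco
! Constructed example. 192.0.2.0/24 is the source subnet to drop,
! GigabitEthernet0/0 is assumed to be the interface those packets ARRIVE on.
!
! Drop silently: no ICMP unreachables for packets sent to Null0.
interface Null0
 no ip unreachables
!
! Source-based black hole with PBR (same structure as Roger's config).
ip access-list extended inet_block
 permit ip 192.0.2.0 0.0.0.255 any
!
route-map inet_block permit 10
 match ip address inet_block
 set interface Null0
!
! Interface PBR only sees transit packets received on this interface.
! Applied on any other interface, packets from 192.0.2.0/24 are never
! evaluated against the route-map.
interface GigabitEthernet0/0
 ip policy route-map inet_block
!
! Packets originated by the router itself bypass interface PBR;
! they are policy-routed only through the global form.
ip local policy route-map inet_block
!
! Destination-based black hole, for comparison: a host route to Null0
! drops everything sent TO 198.51.100.10, whatever the source.
ip route 198.51.100.10 255.255.255.255 Null0
!
! Checks (exec mode):
!   show ip policy                 which interfaces / Local have the route-map
!   show route-map inet_block      "Policy routing matches" packet counter
!   show access-lists inet_block   ACL hit counter
!   debug ip policy                per-packet policy-routing decision
```

The ACL counter and the route-map's policy-routing match counter are separate: compare both, and confirm with `show ip policy` that the route-map is bound to the interface the traffic actually enters on.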
