Hi Tyson,

As per your comment, I understand that the ACL should not be configured on the router that is redirecting the packets to the null interface, right?

With regards,
Kings

On Tue, Apr 27, 2010 at 9:05 PM, Tyson Scott <[email protected]> wrote:
> Is your external facing interface configured for no ip unreachables? As
> traffic locally generated by the control plane is sent immediately to the
> interface for queuing, you should move your ACL to one hop away.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Pieter-Jan Nefkens
> Sent: Tuesday, April 27, 2010 7:10 AM
> To: Kingsley Charles
> Cc: OSL Security
> Subject: Re: [OSL | CCIE_Security] Accounting for attackers packet
>
> Hi Kings,
>
> To which route-map / interface do you have the access-list attached? The
> outbound interface from where the attacker originates? And if so, is the
> access-list attached outbound?
>
> Bear in mind that if the Null0 interface sends unreachable packets, they
> will get routed normally and thus the access-list should be set on an
> outbound flow.
>
> Have you read the blackhole pdf at cisco.com?
> It's available at:
> http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
>
> HTH
>
> Pieter-Jan
>
> On 27 apr 2010, at 09:03, Kingsley Charles wrote:
>
> Hi all,
>
> With RTBH, if I need to check for the number of packets that are from the
> attacker, I configure the following:
>
>     access-list 123 permit icmp any any unreachables log
>     access-list 123 permit ip any any
>
>     logging on
>     logging host or buffered
>
> The Null0 interface is not configured for "no ip unreachables".
>
> The access-list is associated with interfaces of the edge router running
> BGP that gets the incoming traffic from the attacker.
>
> But I don't see the unreachables matching the ACL. The counter is "0".
>
> Any idea?
>
> With regards,
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> ---
> Nefkens Advies
> Enk 26
> 4214 DD Vuren
> The Netherlands
>
> Tel: +31 183 634730
> Fax: +31 183 690113
> Cell: +31 654 323221
> Email: [email protected]
> Web: http://www.nefkensadvies.nl/
>
> Think before you print.
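The two placements discussed in the thread, written out as IOS configuration. This is an added example from the editor, not configuration posted by Kings, Tyson or Pieter-Jan, and not taken from the Cisco RTBH guide. The router names R1 and R2, the interface names, and the attacked host 192.0.2.100 are assumed for illustration; the ACL named RTBH-COUNT is the editor's own suggestion for counting the attacker's packets directly rather than counting unreachables.

```ios
! === R1: edge router running BGP, where the RTBH route lives ===
!
! Destination-based RTBH: traffic to the attacked host is dropped by
! routing it to Null0. (192.0.2.100 and all interface names are assumed.)
ip route 192.0.2.100 255.255.255.255 Null0
!
! The ACL from the thread, applied outbound on the attacker-facing link,
! i.e. in the direction the unreachables leave R1.
access-list 123 permit icmp any any unreachables log
access-list 123 permit ip any any
!
interface GigabitEthernet0/0
 description upstream link, attacker traffic arrives here
 ip access-group 123 out
!
! Why this shows 0 matches: the ICMP unreachables that Null0 triggers are
! generated by R1's own control plane, and IOS does not apply outbound
! ACLs to packets the router itself originates; they are handed straight
! to the interface queue. Transit packets would be counted, these are not.
!
! Option 1 (Tyson's first question): stop generating the unreachables on
! Null0 altogether. R1 then does no per-packet work for dropped traffic
! and sends no "host unreachable" back toward the attacker.
interface Null0
 no ip unreachables
!
! With unreachables off there is nothing to count on any router, so count
! the attacker's packets directly instead (editor's suggestion, not from
! the thread): an inbound ACL on the attacker-facing interface matching
! the blackholed destination. No "log" keyword, so matches are not punted
! to the CPU during the attack; read the hit count with
!   show access-lists RTBH-COUNT
ip access-list extended RTBH-COUNT
 permit ip any host 192.0.2.100
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group RTBH-COUNT in
!
! === R2: the next hop toward the attacker (one hop away from R1) ===
!
! Option 2 (Tyson's advice): if R1 keeps generating unreachables, they are
! transit traffic for R2, so an inbound ACL on R2's link to R1 does match.
access-list 123 permit icmp any any unreachables log
access-list 123 permit ip any any
!
interface GigabitEthernet0/1
 description link to R1
 ip access-group 123 in
!
! Read the result on R2:
!   show access-lists 123
!   show logging | include IPACCESSLOGDP
!
! Caveat: IOS rate-limits the unreachables it generates (ip icmp rate-limit
! unreachable, default one per 500 ms), so even on R2 the unreachable
! count is far below the number of packets the attacker actually sent.
! It confirms the blackhole is dropping; it does not measure the attack.
```

Two points worth keeping in mind when reproducing this: an outbound ACL on the router that owns the Null0 route will never account for router-generated ICMP, whatever its contents, so the zero counter in the thread is expected behaviour rather than a misconfiguration of the ACL itself; and a `log` entry on an ACL that sits in the attack path causes logged matches to be punted to the CPU, which is exactly the resource RTBH is meant to protect, so keep `log` off the inbound counting ACL and read its counters with `show access-lists` instead.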
