On Wed, Apr 28, 2010 at 9:26 AM, Kingsley Charles <[email protected]> wrote:
> Yes Tyson, the end device is getting "U"s.
>
> With regards
> Kings
>
> On Tue, Apr 27, 2010 at 11:28 PM, Tyson Scott <[email protected]> wrote:
>
>> Correct.
>>
>> Move it one hop away. Is the end device receiving the unreachables? You
>> would know based on a U in the ping output.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> *From:* Kingsley Charles [mailto:[email protected]]
>> *Sent:* Tuesday, April 27, 2010 1:40 PM
>> *To:* Tyson Scott
>> *Cc:* Pieter-Jan Nefkens; OSL Security
>> *Subject:* Re: [OSL | CCIE_Security] Accounting for attackers packet
>>
>> Hi Tyson
>>
>> As per your comment, I understand that the ACL should not be configured on
>> the router that is re-directing the packets to the null interface, right?
>>
>> With regards
>> Kings
>>
>> On Tue, Apr 27, 2010 at 9:05 PM, Tyson Scott <[email protected]> wrote:
>>
>> Is your external facing interface configured for "no ip unreachables"? As
>> traffic locally generated by the control plane is sent immediately to the
>> interface for queuing, you should move your ACL to one hop away.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Pieter-Jan Nefkens
>> *Sent:* Tuesday, April 27, 2010 7:10 AM
>> *To:* Kingsley Charles
>> *Cc:* OSL Security
>> *Subject:* Re: [OSL | CCIE_Security] Accounting for attackers packet
>>
>> Hi Kings,
>>
>> To which route-map / interface do you have the access-list attached? The
>> outbound interface from where the attacker originates? And if so, is the
>> access-list attached outbound?
>>
>> Bear in mind that if the null0 interface sends unreachable packets, they
>> will get routed normally and thus the access-list should be set on an
>> outbound flow.
>>
>> Have you read the blackhole pdf at cisco.com?
>> It's available at:
>> http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
>>
>> HTH
>>
>> Pieter-Jan
>>
>> On 27 apr 2010, at 09:03, Kingsley Charles wrote:
>>
>> Hi all
>>
>> With RTBH, if I need to check the number of packets that are from the
>> attacker, I configure the following:
>>
>> access-list 123 permit icmp any any unreachables log
>> access-list 123 permit ip any any
>>
>> logging on
>> logging host or buffered
>>
>> The null 0 interface is not configured for "no ip unreachables".
>>
>> The access-list is associated to interfaces of the edge router running
>> BGP that gets the incoming traffic from the attacker.
>>
>> But I don't see the unreachables matching the ACL. The counter is "0".
>>
>> Any idea?
>>
>> With regards
>> Kings
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> ---
>> Nefkens Advies
>> Enk 26
>> 4214 DD Vuren
>> The Netherlands
>>
>> Tel: +31 183 634730
>> Fax: +31 183 690113
>> Cell: +31 654 323221
>> Email: [email protected]
>> Web: http://www.nefkensadvies.nl/
>>
>> Think before you print.
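The placement Tyson describes, written out as an added example (not configuration from anyone in the thread): R1 drops the attacker's traffic on Null0 and leaves unreachables enabled, and the counting ACL lives on R2, the next hop toward the attacker, where the ICMP unreachables arrive as transit packets and are matched by an inbound ACL instead of being skipped as locally generated traffic. Hostnames, interface names, the 192.0.2.0/30 link and the 198.51.100.77 attacker address are assumptions.

```cisco
! ===== R1: edge / blackhole router (assumed hostname and interfaces) =====
! No counting ACL here. Unreachables generated for packets dropped on Null0
! are locally originated and are queued straight to the egress interface,
! so an outbound ACL on that interface never sees them (counter stays 0).
interface Null0
 ip unreachables
!
! IOS default is one unreachable per 500 ms, so the counter on R2 is a
! rate-limited sample of the attack, not a packet-accurate count.
ip icmp rate-limit unreachable 500
!
! Attacker address (constructed for this example) sent to the black hole.
ip route 198.51.100.77 255.255.255.255 Null0
!
! ===== R2: one hop toward the attacker (assumed hostname and interfaces) =====
! The unreachables from R1 are transit traffic on R2, so they hit this ACL.
access-list 123 permit icmp any any unreachables log
access-list 123 permit ip any any
!
interface GigabitEthernet0/0
 description link to R1
 ip address 192.0.2.2 255.255.255.252
 ip access-group 123 in
!
! Keep the log entries locally; a syslog host can be added with "logging host".
logging buffered 64000 informational
!
! Verify on R2 with:  show access-lists 123
! A "U" in the attacker-side ping output confirms the unreachables get through.
```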
