You guys correct me if I'm wrong, but I understand that loopback12 is the victim host and destination RTBH is needed to accomplish this requirement. My understanding is that 150.140.130.120 is used just for test purposes and it is not categorized as the unique source of the attack, in that case source-based would best suit and RPF loose would be part of the solution.
As for the workbook solution you mentioned (RPF on R7), this is in response to the first requirement, where spoofed traffic is to be avoided, not related to the RTBH requirement underneath.

Regards
Andre Vasquez

On Mon, Nov 23, 2009 at 10:32 AM, kevin gannon <[email protected]> wrote:
> I have a question on this task and the supplied solution. The part of the
> question that puzzles me is
>
> "Configure R1 to single black holing for its Loopback 12 interface. Use
> ping to 150.140.130.120 to verify this."
>
> The solution in the workbook only has unicast RPF checking enabled on the
> interface towards the BB1 on R7 where 150.140.130.120 is based. This is in
> answer to the first part of 5.2
>
> interface FastEthernet0/0.1107
>  encapsulation dot1Q 1107
>  ip address 11.11.7.7 255.255.255.0
>  ip verify unicast source reachable-via rx allow-default
>  ip policy route-map Force-TE
>
> However the RPF checking is not enabled on the interfaces which receive the
> traffic from R1. So a packet from L12 to 150.140.130.120 will leave to BB1;
> however, the return traffic will be dropped due to the Null route. I do not
> think this is how you would want blackholing to work.
>
> I do not think this is correct; should loose RPF checking be on both inbound
> interfaces connecting R7 to R6 and R8? I say loose RPF checking as TE in a
> later question forces traffic inward over a non-RPF interface yet there is
> still a route to the source.
>
> Thanks and regards
> Kevin
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
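An added illustration of the two RTBH variants the thread contrasts, written here in Cisco IOS syntax and not taken from the workbook or from either poster; VICTIM_IP, ATTACKER_IP and AS 65000 are placeholders, since the thread gives neither Loopback 12's address nor the AS, and the interface line shows loose mode in place of the workbook's strict `rx` setting:

```cisco
! Added illustration, not the workbook's or either poster's config.
! Placeholders: VICTIM_IP = Loopback 12's address, ATTACKER_IP = a spoofing
! source, AS 65000 = the lab AS; none of these is given in the thread.
!
! ---- Common piece: every router carries a discard route for the RTBH
!      next-hop (192.0.2.0/24 is a documentation range, never routed)
ip route 192.0.2.1 255.255.255.255 Null0
!
! ---- Trigger router: statics tagged 666 become BGP routes whose next-hop
!      resolves to Null0 on every peer, so the drop happens at the edge
!      rather than at the victim
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
!
! ---- Destination-based RTBH (how Andre reads the task): inject the
!      victim /32; all traffic *to* Loopback 12 is dropped at the edge,
!      including legitimate return traffic, which is the effect Kevin saw
ip route VICTIM_IP 255.255.255.255 Null0 tag 666
!
! ---- Source-based RTBH: inject the attacker /32 instead and run loose
!      uRPF on the ingress interface; loose mode only asks whether *a*
!      route to the source exists, and a route to Null0 fails that check,
!      so packets *from* ATTACKER_IP are dropped while the victim stays
!      reachable from everyone else
ip route ATTACKER_IP 255.255.255.255 Null0 tag 666
!
interface FastEthernet0/0.1107
 ip verify unicast source reachable-via any
```

Whichever variant is used, `show ip cef 192.0.2.1` on the edge router should resolve to Null0, and `show ip interface FastEthernet0/0.1107` reports the uRPF drop counter for the source-based case.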
