Now it makes sense, thanks a lot. If I think of R1 as a client it would hardly single itself as being a source of an attack.
Regards
Kevin

2009/11/23 André Luiz Bernardes <[email protected]>

> You guys correct me if I'm wrong, but I understand that loopback12 is the
> victim host and destination RTBH is needed to accomplish this requirement. My
> understanding is that 150.140.130.120 is used just for test purposes and it
> is not categorized as the unique source of the attack, in that case source
> based would best suit and RPF loose would be part of the solution.
>
> As for the workbook solution you mentioned (RPF on R7), this is in response
> to the first requirement where spoofed traffic is to be avoided, not
> related to the RTBH requirement underneath.
>
> Regards
>
> Andre Vasquez
>
> On Mon, Nov 23, 2009 at 10:32 AM, kevin gannon <[email protected]> wrote:
>
>> I have a question on this task and the supplied solution. The part of
>> the question that puzzles me is
>>
>> "Configure R1 to single black holing for its Loopback 12 interface. Use
>> ping to 150.140.130.120 to
>> verify this."
>>
>> The solution in the workbook only has unicast RPF checking enabled on the
>> interface towards the
>> BB1 on R7 where 150.140.130.120 is based. This is in answer to the first
>> part of 5.2
>>
>> interface FastEthernet0/0.1107
>>  encapsulation dot1Q 1107
>>  ip address 11.11.7.7 255.255.255.0
>>  ip verify unicast source reachable-via rx allow-default
>>  ip policy route-map Force-TE
>>
>> However the RPF checking is not enabled on the interfaces which receive
>> the traffic from R1. So
>> a packet from L12 to 150.140.130.120 will leave to BB1 however the return
>> traffic will be dropped
>> due to the Null route. I do not think this is how you would want
>> blackholing to work.
>>
>> I do not think this is correct, should loose RPF checking on both inbound
>> interfaces connecting
>> R7 to R6 and R8 ? I say loose RPF checking as TE in a later question
>> forces traffic inward over a non RPF
>> interface yet there is still a route to the source.
>>
>> Thanks and regards
>> Kevin
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
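The forwarding behaviour debated in this thread, as an added example that is not part of the original messages or the workbook: a small Python model of R7's route lookup and uRPF check, comparing the workbook setup (strict uRPF on the BB1-facing interface only) with loose uRPF added on the links towards R6 and R8. The Loopback 12 address (192.0.2.12), the interface names to-R6 and to-R8, and the prefix lengths are assumptions; `allow-default` and the Force-TE route-map are not modelled.

```python
import ipaddress

NULL0 = "Null0"

class Fib:
    """Longest-prefix-match table mapping prefix -> egress interface (or Null0)."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes.items()]

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        hits = [(net, ifc) for net, ifc in self.routes if ip in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def urpf_ok(fib, src, in_ifc, mode):
    """mode: None = no check, 'rx' = strict, 'any' = loose."""
    if mode is None:
        return True
    rev = fib.lookup(src)
    if rev is None or rev == NULL0:   # no route back, or source is black-holed
        return False
    return mode == "any" or rev == in_ifc

def forward(fib, urpf, src, dst, in_ifc):
    if not urpf_ok(fib, src, in_ifc, urpf.get(in_ifc)):
        return "drop: uRPF"
    out = fib.lookup(dst)
    if out is None:
        return "drop: no route"
    return "drop: Null0" if out == NULL0 else f"forward via {out}"

# Constructed R7 view. 192.0.2.12 stands in for R1 Loopback 12 (address not on the page);
# "to-R6"/"to-R8" are hypothetical names for the R7 interfaces facing R6 and R8.
L12, R1_OTHER, BB1_HOST = "192.0.2.12", "192.0.2.1", "150.140.130.120"
FIB = Fib({
    "150.140.130.0/24": "Fa0/0.1107",   # towards BB1 (prefix length assumed)
    "192.0.2.0/24": "to-R8",            # rest of R1's addresses
    "192.0.2.12/32": NULL0,             # black-hole route for Loopback 12
})
WORKBOOK = {"Fa0/0.1107": "rx"}                          # strict uRPF on the BB1 side only
PROPOSED = {**WORKBOOK, "to-R6": "any", "to-R8": "any"}  # plus loose uRPF towards R6/R8

def scenarios():
    return {
        "workbook: L12 -> BB1": forward(FIB, WORKBOOK, L12, BB1_HOST, "to-R6"),
        "workbook: BB1 -> L12": forward(FIB, WORKBOOK, BB1_HOST, L12, "Fa0/0.1107"),
        "proposed: L12 -> BB1": forward(FIB, PROPOSED, L12, BB1_HOST, "to-R6"),
        "proposed: R1 other -> BB1 over non-RPF link": forward(FIB, PROPOSED, R1_OTHER, BB1_HOST, "to-R6"),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The last scenario shows why the thread asks for loose rather than strict mode on the inner links: a source whose best route points out a different interface still passes, while the black-holed /32 does not.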
