Hi,

On Tue, Jun 26, 2012 at 05:17:22PM -0700, Mike wrote:
> Actually I do have urpf for exactly the reason you stated, but thanks. I 
[..]
> based on a dynamic set... it's possible to null route bad destinations, 
> but can a routing table be used to say 'drop all packets from these 
> prefixes'?

In combination with uRPF, yes.  If the route points elsewhere, and uRPF
is active on the interface where the packets are coming in, uRPF will
drop the packet.

Now, on your upstream interfaces, blindly enabling uRPF is going to
hurt, as asymmetry there is likely and uRPF will then drop legitimate
packets - so you need to use "ip verify unicast source reachable-via any",
and "filter these prefixes!" prefixes must be routed to "null0" for
this to be effective.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             [email protected]
fax: +49-89-35655025                        [email protected]


_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
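The source-based drop Gert describes, written out as a Cisco IOS configuration fragment. This is an added example, not part of the original post or of the list archive; the prefixes are RFC 5737 documentation space chosen for illustration, the interface names and descriptions are assumed, and the `tag 666` on the static routes is a common RTBH convention rather than anything the post mentions.

```text
! Added example (not from the original post). Prefixes are RFC 5737
! documentation space, interface names are assumed.
!
! 1. Route the sources you want dropped to Null0. uRPF treats a route that
!    points to Null0 as "not reachable", so both loose and strict mode drop
!    packets whose SOURCE matches these prefixes. The same routes also
!    blackhole traffic TO them (ordinary destination-based RTBH).
!    The tag is an assumed convention for redistributing these into BGP.
ip route 192.0.2.0 255.255.255.0 Null0 tag 666
ip route 198.51.100.0 255.255.255.0 Null0 tag 666
!
! 2. Upstream (transit) interface: loose mode. Any route to the source
!    other than a Null0 route is accepted, so asymmetric return paths
!    are not dropped, but sources routed to Null0 are.
interface GigabitEthernet0/0
 description transit to upstream (assumed name)
 ip verify unicast source reachable-via any
!
! 3. Single-homed customer interface: strict mode. The source must be
!    reachable via the interface the packet arrived on, which also
!    catches spoofed sources from that customer.
interface GigabitEthernet0/1
 description single-homed customer (assumed name)
 ip verify unicast source reachable-via rx
!
! Checks: uRPF mode and drop counter on the interface, and the FIB entry
! for an address inside a blackholed prefix (should show Null0).
!   show ip interface GigabitEthernet0/0 | include verif
!   show ip cef 192.0.2.1
```

Two caveats a practitioner should keep in mind. First, IOS does not by default use the default route to validate a source, so on a box that carries only a default towards its upstream, `reachable-via any` would drop almost everything; the `allow-default` keyword (`ip verify unicast source reachable-via any allow-default`) makes the default route count, after which only sources with a Null0 route are dropped. Second, because the Null0 routes drop in both directions, put only addresses you are willing to lose all reachability to into this list.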
