We're doing something similar using route-maps and/or isg policies, with the first one being non-scalable and the second one having awkward config.
-- 
Tassos

Mike wrote on 11/12/2012 21:19:
> Hi,
>
> I tried asking this question another way and don't think I made it clear
> what or why it was needed.
>
> I am an ISP and I have been seeing a customer IP address being targeted
> for a DDoS which appears to be a DNS amplification attack. I checked the
> IPs of the servers sending packets and they all appear to be legitimate
> recursive resolvers that unfortunately don't limit queries to their own
> customer networks. On my side, I would like to impose a rule for this
> single customer that no DNS traffic - other than from my own resolvers -
> is forwarded between this customer and the network. The customer is
> terminated with PPPoE on a 7201 and they have a RADIUS profile entry that
> includes 'Filter-Id' which contains a basic home user filter to deny crap
> traffic such as RFC1918 and such. I would like to be able to add an
> additional filter on top of this which includes deny all port 53 except
> to/from my servers. I don't want to cut/paste and create a new access
> list for this customer, I just want to be able to add some additional
> rules on top of the default filter set. Surely there has to be a way to
> do this?
>
> Mike-
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
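For readers who want to see what Mike's "deny all port 53 except to/from my servers" looks like when spelled out, here is an added illustration that is not part of either message in the thread. It is the plain-ACL version of the filter, pushed per subscriber through the RADIUS Filter-Id attribute Mike already uses; the ACL names, the resolver addresses 192.0.2.53 and 192.0.2.54, the RFC1918 lines standing in for the existing "home user" filter, and the FreeRADIUS users-file syntax for the reply attributes are all my assumptions, not anything from the thread. One practitioner caveat is baked into it: the amplification traffic Mike describes arrives from the open resolvers with source port 53, so the ACL applied in the direction toward the subscriber must match `eq 53` on the source side, and a plain `deny udp any any eq 53` in that direction would not catch it. The duplication of the base rules in the per-customer ACL is exactly the copy/paste Mike wants to avoid; IOS has no ACL chaining, which is why the reply above points at route-maps or ISG policies instead.

```cisco
! Added example (not from the thread). Placeholder resolver addresses:
! 192.0.2.53 and 192.0.2.54 stand in for the ISP's own recursive resolvers.
!
! Direction FROM the subscriber INTO the network: queries (dst port 53)
! are allowed only when they go to our resolvers.
ip access-list extended HOMEUSER-NODNS-IN
 remark DNS queries only to our own resolvers
 permit udp any host 192.0.2.53 eq 53
 permit tcp any host 192.0.2.53 eq 53
 permit udp any host 192.0.2.54 eq 53
 permit tcp any host 192.0.2.54 eq 53
 deny   udp any any eq 53
 deny   tcp any any eq 53
 remark existing "home user" rules repeated here (RFC1918 etc., placeholder lines)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Direction FROM the network TOWARD the subscriber: the reflected/amplified
! traffic carries SOURCE port 53, so the port match goes on the source side.
ip access-list extended HOMEUSER-NODNS-OUT
 remark DNS answers only from our own resolvers
 permit udp host 192.0.2.53 eq 53 any
 permit tcp host 192.0.2.53 eq 53 any
 permit udp host 192.0.2.54 eq 53 any
 permit tcp host 192.0.2.54 eq 53 any
 deny   udp any eq 53 any
 deny   tcp any eq 53 any
 remark existing "home user" rules repeated here (placeholder lines)
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! RADIUS side, FreeRADIUS users-file syntax (assumed). The ".in"/".out"
! suffix on Filter-Id is how IOS picks the direction in which to apply
! the named ACL to the PPPoE virtual-access interface. Only this one
! subscriber gets the NODNS variant; everyone else keeps the default
! "home user" ACL in their Filter-Id as before.
! 
! attacked-customer@example.net  Cleartext-Password := "changeme"
!         Filter-Id = "HOMEUSER-NODNS-IN.in",
!         Filter-Id += "HOMEUSER-NODNS-OUT.out"
```

To confirm the filter took effect after the subscriber re-authenticates, `show ip access-lists HOMEUSER-NODNS-OUT` on the 7201 should show the `deny udp any eq 53 any` counter climbing while the attack is running, and `show interfaces virtual-access <n> | include access list` should list both ACLs on the session interface.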
