Howdy, on my phone so no detail, but the flow being reported will be due to fragments and not necessarily port 0. The below link has details on how to block fragments.
Access Control Lists and IP Fragments
<https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/8014-acl-wp.html>

D’Wayne Saunders

On 6 Dec 2023, at 08:27, Hank Nussbacher via cisco-nsp <cisco-nsp@puck.nether.net> wrote:

We encountered something strange. We run IOS-XR 7.5.2 on ASR9K platform. Had a user under udp/0 attack. Tried to block it via standard ACL:

ipv4 access-list block-zero
 20 deny udp any any eq 0
 30 deny tcp any any eq 0
 40 permit ipv4 any any

Applied to interface:

 ipv4 access-group block-zero ingress
 ipv4 access-group block-zero egress

Yet, based on Kentik, we had no effect and the udp/0 attack just continued - as if the Cisco ACL is totally ignored. Or am I missing something in the ACL listed above?

Thanks,
Hank

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
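
Added example, not part of the original thread and not Cisco or Kentik code: a Python sketch of the distinction raised in the reply, separating traffic that really uses port 0 from non-initial IP fragments, which carry no UDP/TCP header and so have no port to report. The packet bytes are constructed, and recording ports as 0 for such fragments is an assumed collector behaviour.

```python
import struct

MF = 0x2000  # "more fragments" flag in the IPv4 flags/offset field

def classify(pkt: bytes) -> dict:
    """Key one raw IPv4 packet the way a flow record would show it."""
    ver_ihl, _, _, _, flags_off, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_off & 0x1FFF) * 8            # fragment offset in bytes
    rec = {"proto": proto, "sport": 0, "dport": 0, "offset": offset}
    if offset > 0:
        # Non-initial fragment: the payload starts mid-datagram, so the
        # first bytes after the IP header are data, not a port pair.
        rec["kind"] = "non-initial-fragment"
        return rec
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    rec["kind"] = "initial-fragment" if flags_off & MF else "unfragmented"
    return rec

def port_zero_breakdown(packets) -> dict:
    """Split TCP/UDP records that would display as port 0 by actual cause."""
    out = {"true-port-0": 0, "fragment": 0}
    for p in packets:
        r = classify(p)
        if r["proto"] in (6, 17) and r["dport"] == 0:
            key = "fragment" if r["kind"] == "non-initial-fragment" else "true-port-0"
            out[key] += 1
    return out

# --- constructed sample packets (documentation addresses, checksum left 0) ---
def ipv4(proto: int, flags_off: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLES = [
    ipv4(17, MF, udp(53, 40000, b"A" * 64)),   # first fragment, ports visible
    ipv4(17, MF | 185, b"\xaa" * 64),          # middle fragment, offset 1480
    ipv4(17, 370, b"\xaa" * 64),               # last fragment, offset 2960
    ipv4(17, 0, udp(0, 0, b"B" * 16)),         # genuine udp/0 datagram
]

if __name__ == "__main__":
    print(port_zero_breakdown(SAMPLES))
```

Running the same split over a packet capture or sampled flow data taken during an event shows whether the "port 0" volume is fragments or genuine port-0 datagrams before changing the ACL.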