Re: Egress filters dropping traffic

2013-07-01 Thread Saku Ytti
On (2013-06-30 22:04 +0530), Glen Kent wrote:

> Under what scenarios do providers install egress ACLs which could say for
> eg.
>
> 1. Allow all IP traffic out on an interface foo if it's coming from source
> IP x.x.x.x/y
> 2. Drop all other IP traffic out on this interface.

Question seems to be 'when do you need to drop packets', I'm sure 10
different people would give 10 different use-cases.

One use-case for this particular ACL is that the interface is used for MGMT
only, so you allow NMS network and drop everything else.

-- 
  ++ytti



Egress filters dropping traffic

2013-06-30 Thread Glen Kent
Hi,

Under what scenarios do providers install egress ACLs which could say for
eg.

1. Allow all IP traffic out on an interface foo if it's coming from source
IP x.x.x.x/y
2. Drop all other IP traffic out on this interface.

Glen


Re: Egress filters dropping traffic

2013-06-30 Thread Peter Ehiwe
I usually do ingress ACL on CE facing PE interfaces, that way I can provide
one level of anti-spoofing on IPs I control. I've not had the need for an
egress ACL yet but then again I think it depends on network design and habits
from Day 1.

One use case though may be to mitigate DDoS attack on a customer facing link.

Sent from my iPhone

On Jun 30, 2013, at 5:34 PM, Glen Kent glen.k...@gmail.com wrote:

> Hi,
>
> Under what scenarios do providers install egress ACLs which could say for
> eg.
>
> 1. Allow all IP traffic out on an interface foo if it's coming from source
> IP x.x.x.x/y
> 2. Drop all other IP traffic out on this interface.
>
> Glen



Re: Egress filters dropping traffic

2013-06-30 Thread Jeff Kell
On 6/30/2013 12:34 PM, Glen Kent wrote:
> Under what scenarios do providers install egress ACLs which could say for
> eg.
>
> 1. Allow all IP traffic out on an interface foo if it's coming from source
> IP x.x.x.x/y
> 2. Drop all other IP traffic out on this interface.

If you're an end node, it's BCP to block ingress from your own IP space,
and block egress NOT from your IP space.

If you're doing transit, it gets more complicated.

Jeff
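
The filters described in this thread, modelled as an added example that is not part of any poster's message: a first-match source ACL with an implicit drop, used for the end-site egress/ingress pair and for a management-only interface. The prefixes are constructed documentation ranges, and the names `SITE_PREFIXES`, `NMS_PREFIX`, `build_acl`, `evaluate`, `site_edge_acls` and `verdicts` are hypothetical.

```python
import ipaddress

# Constructed sample values: RFC 5737 documentation prefixes, not real networks.
SITE_PREFIXES = ["192.0.2.0/24"]      # "your IP space" (hypothetical end site)
NMS_PREFIX = "198.51.100.0/28"        # hypothetical NMS network

def build_acl(rules):
    """rules: ordered (action, source-prefix) pairs, evaluated first-match."""
    return [(action, ipaddress.ip_network(prefix)) for action, prefix in rules]

def evaluate(acl, src):
    """Return the action of the first rule whose prefix contains src.
    Falls through to an implicit drop, i.e. 'drop all other IP traffic'."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr.version == net.version and addr in net:
            return action
    return "drop"

def site_edge_acls(site_prefixes):
    """End-site edge filters: egress permits only our own sources,
    ingress drops anything claiming to come from our own space."""
    egress = build_acl([("permit", p) for p in site_prefixes])
    ingress = build_acl([("drop", p) for p in site_prefixes]
                        + [("permit", "0.0.0.0/0")])
    return egress, ingress

EGRESS, INGRESS = site_edge_acls(SITE_PREFIXES)
MGMT_EGRESS = build_acl([("permit", NMS_PREFIX)])  # management-only interface

def verdicts(acl, sources):
    """Map each source address to the ACL's decision."""
    return {src: evaluate(acl, src) for src in sources}

if __name__ == "__main__":
    print("site egress :", verdicts(EGRESS, ["192.0.2.10", "203.0.113.5"]))
    print("site ingress:", verdicts(INGRESS, ["192.0.2.10", "203.0.113.5"]))
    print("mgmt egress :", verdicts(MGMT_EGRESS, ["198.51.100.3", "192.0.2.10"]))
```
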




Re: Egress filters dropping traffic

2013-06-30 Thread alejandroacostaalamo
I guess maybe you want to be sure a certain process occurred in the router (e.g.
NAT).

 
--Original Message--
From: Glen Kent
To: nanog@nanog.org
Subject: Egress filters dropping traffic
Sent: Jun 30, 2013 12:04 PM

Hi,

Under what scenarios do providers install egress ACLs which could say for
eg.

1. Allow all IP traffic out on an interface foo if it's coming from source
IP x.x.x.x/y
2. Drop all other IP traffic out on this interface.

Glen


This message was sent via Movilnet's BlackBerry service