nanog mailing list archives

Re: Cisco filter question


From: "Paul A. Bradford" <paul.bradford () adelphia com>
Date: 22 Aug 2003 13:09:23 -0400


Geo,
   OK, time for me to get coffee....  I missed the "not stop".

it might not stop a packet if the route-map isn't applied to the
interface.....

Pablo

On Fri, 2003-08-22 at 12:58, Paul A. Bradford wrote:
Geo,
   Not sure if I want to answer. is this OT for NANOG?  :)

   the key is:

IP: Total Length = 92 (0x5C)

normal ICMP packets are not 92 bytes in length.... our friend Nachi does
use 92 byte packets.

BTW: good luck trying the route-map on 2948G-L3s...  ;)

Thanks,
Paul


On Fri, 2003-08-22 at 12:55, Jack Bates wrote:
Scott McGrath wrote:


Geo,

Look at your set interface Null0 command; the rest is correct.
You want to set the next hop to be Null0.  How to do this is left as an 
exercise for the reader.


Interface Null0 works fine. Here's a quick check.

Inbound (from peers) policy matches
route-map nachi-worm, permit, sequence 10
   Match clauses:
     ip address (access-lists): 199
     length 92 92
   Set clauses:
     interface Null0
   Policy routing matches: 10921 packets, 1048416 bytes

Outbound (to internal network) accesslist matches
Extended IP access list 181
     deny tcp any any eq 135 (1994 matches)
     permit icmp any any echo (757 matches)
     permit icmp any any echo-reply (381 matches)
     permit ip any any (381370 matches)

I cleared 181 first, then cleared route-map counters. I then checked 
route-map counters first before checking access-list counters. This 
means the access-list has more time to accrue matches, yet it is 
considerably smaller. The checks were a matter of seconds. I'd say the 
policy is working. The echo/echo-reply could easily be everyday pings 
which are up a bit due to various networks having performance issues.

IOS versioning can sometimes have issues. There's also the question of 
whether the packet came in on the inbound interface that had the policy applied.

-Jack
-- 
Paul A Bradford
Senior Network Engineer
Adelphia Cable Communications
814-274-1353
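The complete policy the thread is assembling, written out as an added example rather than any poster's configuration. The ACL number, route-map name and interface name are assumed for illustration; the 92-byte figure is the one the thread itself cites for Nachi's ICMP echo requests. Pablo's point about "not stop" and Jack's closing caveat are the same thing: a route-map only drops anything on interfaces where it is applied with ip policy route-map, in the inbound direction.

```cisco
! Added example, not configuration posted by any participant in the thread.
! ACL number, route-map name and interface name are assumed.
!
! Classify only ICMP echo requests (the worm's probe), so legitimate
! echo-replies and other ICMP are never policy-routed.
access-list 199 permit icmp any any echo
!
! Policy-route echo requests whose IP total length is exactly 92 bytes
! (the size the thread attributes to Nachi) to Null0, i.e. drop them.
! "match length" compares the Layer 3 total length, min and max.
! Anything that does not match both clauses falls through to normal routing.
route-map nachi-worm permit 10
 match ip address 199
 match length 92 92
 set interface Null0
!
! The route-map has no effect until it is applied to the ingress
! interface. Apply it where the worm traffic enters (peering side, name
! assumed); packets arriving on any other interface are not inspected.
interface GigabitEthernet0/1
 description peering link (assumed name)
 ip policy route-map nachi-worm
!
! Verification (the checks Jack describes): policy-routing counters on
! the route-map should climb while the downstream ACL's echo counters
! stay comparatively flat.
!   show route-map nachi-worm
!   show ip access-lists 199
!   show ip interface GigabitEthernet0/1 | include Policy routing
```

Two practical notes. First, clear the counters (clear route-map counters, clear ip access-list counters) before comparing them, as Jack did, otherwise historical matches mask whether the policy is taking effect now. Second, on older classic-IOS trains policy routing is process-switched unless ip route-cache policy is enabled on the interface, which matters at peering rates; the 2948G-L3 remark in the thread is a reminder that not every platform supports PBR at all.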


