Cisco filter question
Owen DeLong
owen at delong.com
Fri Aug 22 17:29:36 UTC 2003
Because your acl matches echo reply and the packet is echo request.
Owen
--On Friday, August 22, 2003 10:02 AM -0700 Michel Py <michel at arneill-py.sacramento.ca.us> wrote:
>
> Instead of:
>> set interface Null0
>
> Use: set ip next-hop 10.255.255.254
>
> _and_
> ip route 10.255.255.254 255.255.255.255 Null0 name BLACKHOLE
>
> Michel.
>
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of Geo.
> Sent: Friday, August 22, 2003 9:17 AM
> To: nanog at merit.edu
> Subject: Cisco filter question
>
>
> Perhaps one of you router experts can answer this question. When using
> the cisco specified filter
>
> access-list 199 permit icmp any any echo
> access-list 199 permit icmp any any echo-reply
>
> route-map nachi-worm permit 10
> ! --- match ICMP echo requests and replies (type 0 & 8)
> match ip address 199
>
> ! --- match 92 bytes sized packets
> match length 92 92
>
> ! --- drop the packet
> set interface Null0
>
>
> interface <incoming-interface>
> ! --- it is recommended to disable unreachables
> no ip unreachables
>
> ! --- if not using CEF, enabling ip route-cache flow is recommended
> ip route-cache policy
>
> ! --- apply Policy Based Routing to the interface
> ip policy route-map nachi-worm
>
> why would it not stop this packet
>
> 15 1203.125000 0003E3956600 AMERIC6625D4 ICMP Echo: From 216.144.20.69 To 216.144.00.27 216.144.20.69 216.144.0.27 IP
> FRAME: Base frame properties
> FRAME: Time of capture = 8/22/2003 11:54:16.859
> FRAME: Time delta from previous physical frame: 0 microseconds
> FRAME: Frame number: 15
> FRAME: Total frame length: 106 bytes
> FRAME: Capture frame length: 106 bytes
> FRAME: Frame data: Number of data bytes remaining = 106 (0x006A)
> ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
> ETHERNET: Destination address : 00C0B76625D4
> ETHERNET: .......0 = Individual address
> ETHERNET: ......0. = Universally administered address
> ETHERNET: Source address : 0003E3956600
> ETHERNET: .......0 = No routing information present
> ETHERNET: ......0. = Universally administered address
> ETHERNET: Frame Length : 106 (0x006A)
> ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
> ETHERNET: Ethernet Data: Number of data bytes remaining = 92 (0x005C)
> IP: ID = 0x848; Proto = ICMP; Len: 92
> IP: Version = 4 (0x4)
> IP: Header Length = 20 (0x14)
> IP: Precedence = Routine
> IP: Type of Service = Normal Service
> IP: Total Length = 92 (0x5C)
> IP: Identification = 2120 (0x848)
> IP: Flags Summary = 0 (0x0)
> IP: .......0 = Last fragment in datagram
> IP: ......0. = May fragment datagram if necessary
> IP: Fragment Offset = 0 (0x0) bytes
> IP: Time to Live = 124 (0x7C)
> IP: Protocol = ICMP - Internet Control Message
> IP: Checksum = 0x70D8
> IP: Source Address = 216.144.20.69
> IP: Destination Address = 216.144.0.27
> IP: Data: Number of data bytes remaining = 72 (0x0048)
> ICMP: Echo: From 216.144.20.69 To 216.144.00.27
> ICMP: Packet Type = Echo
> ICMP: Echo Code = 0 (0x0)
> ICMP: Checksum = 0x82AA
> ICMP: Identifier = 512 (0x200)
> ICMP: Sequence Number = 7680 (0x1E00)
> ICMP: Data: Number of data bytes remaining = 64 (0x0040)
> 00000: 00 C0 B7 66 25 D4 00 03 E3 95 66 00 08 00 45 00 .À·f%Ô..ã*f...E.
> 00010: 00 5C 08 48 00 00 7C 01 70 D8 D8 90 14 45 D8 90 .\.H..|.pØØ?.EØ?
> 00020: 00 1B 08 00 82 AA 02 00 1E 00 AA AA AA AA AA AA ....'ª....ªªªªªª
> 00030: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªªªªªªªª
> 00040: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªªªªªªªª
> 00050: AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªªªªªªªª
> 00060: AA AA AA AA AA AA AA AA AA AA ªªªªªªªªªª
>
>
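As an added example (not from the thread), the following decodes the frame bytes from the quoted capture and evaluates them against the posted filter: ACL 199 (ICMP echo or echo-reply) and `match length 92 92`, which this code applies to the IP total length (the Layer 3 length, which is what Cisco's `match length` compares). It is a way to check offline what a route-map's match clauses should select, using only the header fields the filter inspects.

```python
import struct

# Constructed from the hex dump in the quoted capture: 14-byte Ethernet header,
# 20-byte IPv4 header, 8-byte ICMP header, then 64 payload bytes of 0xAA.
FRAME_HEX = (
    "00C0B76625D40003E395660008004500"
    "005C084800007C0170D8D8901445D890"
    "001B080082AA02001E00"
)
FRAME = bytes.fromhex(FRAME_HEX) + b"\xaa" * 64  # 106 bytes, as in the capture

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
IPPROTO_ICMP = 1


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet/IPv4/ICMP fields that the route-map looks at."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # IP total length (L3 length)
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    icmp_type = icmp_code = None
    if proto == IPPROTO_ICMP:
        icmp_type, icmp_code = ip[ihl], ip[ihl + 1]
    return {"ip_len": total_len, "proto": proto, "src": src, "dst": dst,
            "icmp_type": icmp_type, "icmp_code": icmp_code}


def acl_199_permits(pkt: dict) -> bool:
    """access-list 199 permit icmp any any echo / echo-reply."""
    return pkt["proto"] == IPPROTO_ICMP and \
        pkt["icmp_type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)


def route_map_matches(pkt: dict, min_len: int = 92, max_len: int = 92) -> bool:
    """route-map nachi-worm permit 10: every match clause must be true (AND)."""
    return acl_199_permits(pkt) and min_len <= pkt["ip_len"] <= max_len


if __name__ == "__main__":
    p = parse_frame(FRAME)
    print(p)
    print("ACL 199:", acl_199_permits(p), "route-map:", route_map_matches(p))
```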