Who does source address validation? (was Re: what's that smell?)

Hank Nussbacher hank at att.net.il
Thu Oct 10 12:11:35 UTC 2002


At 10:43 PM 09-10-02 -0700, Steve Francis wrote:

>Valdis.Kletnieks at vt.edu wrote:
>>My personal pet peeve is the opposite - we'll try to use pMTU, some provider
>>along the way sees fit to run it through a tunnel, so the MTU there is 1460
>>instead of 1500 - and the chuckleheads number the tunnel endpoints out of
>>1918 space - so the 'ICMP Frag Needed' gets tossed at our border routers,
>>because we do both ingress and egress filtering.
>That's not terribly hard to overcome - allow icmp unreachables (from any 
>source) in your acl,  then deny all traffic from RFC 1918 addresses, then 
>the rest of the ACL.
>
>Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up with 
>all the functionality, and almost none of the bogus traffic.

CAR should not be used to rate-limit; instead, use the MQC police command,
which basically does the same thing. CAR is not going to be around much
longer and is not being developed anymore:

Have a look at:
http://www.cisco.com/warp/public/105/cbpcar.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt8/qcfmcli2.htm
for more information.

-Hank
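A constructed Cisco IOS fragment, added here and not taken from Steve's or Hank's posts, that puts the two suggestions together: the first-match ACL ordering Steve describes (ICMP unreachables from any source first, then the RFC 1918 source denies, then the rest of the policy), and an MQC police policy in place of CAR as Hank recommends. The ACL, class-map, policy-map and interface names and the 128 kbit/s policer rate are assumptions; only the ingress direction is shown.

```cisco
! Constructed example, not from the thread. Names (BORDER-IN, ICMP-ONLY,
! RATE-LIMIT-ICMP, GigabitEthernet0/0) and the 128 kbit/s rate are assumptions.
!
! Order matters: IOS ACLs are first-match. The ICMP unreachable permits sit
! ABOVE the RFC 1918 source denies, so a "fragmentation needed" (type 3,
! code 4) sent from a tunnel endpoint numbered out of 1918 space still reaches
! the host that needs it for path MTU discovery. Swap steps 1 and 2 and the
! deny matches first and PMTUD breaks exactly as Valdis describes.
ip access-list extended BORDER-IN
 remark 1) ICMP unreachables from any source (type 3; packet-too-big = code 4)
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 remark 2) then drop everything else sourced from RFC 1918 space
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark 3) the rest of the site's ingress policy goes here (placeholder below)
 permit ip any any
!
! Rate-limit ICMP with MQC "police" (the replacement for CAR) so the
! wide-open unreachable permit cannot be used to flood the border.
ip access-list extended ICMP-ONLY
 permit icmp any any
!
class-map match-all ICMP
 match access-group name ICMP-ONLY
!
policy-map RATE-LIMIT-ICMP
 class ICMP
  police 128000 8000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 ip access-group BORDER-IN in
 service-policy input RATE-LIMIT-ICMP
```

The policer bounds how much ICMP the permit can admit; legitimate PMTUD messages are a trickle and stay well under the conform rate.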
