Finding asymmetric path

Brielle Bruns bruns at 2mbit.com
Sat Nov 28 15:02:23 CST 2009


(Forgive the top posting, stupid blackberry can't do inline)


If the PoP is connected to a central location, reroute the affected netblock there through the appropriate equipment.  If you snag it going both ways before it hits the PoP, you should be good.


------Original Message------
From: Duane Waddle
To: nanog at nanog.org
Subject: Re: Finding asymmetric path
Sent: Nov 28, 2009 1:26 PM

On Sat, Nov 28, 2009 at 1:41 PM, Brielle Bruns <bruns at 2mbit.com> wrote:

> My partner Tammy says a PIX could probably accomplish the same task (we have some here for the corp lan stuff, including spares).

Yes, a PIX/ASA would stop this cold.  The TCP state tracking would not
allow traffic to pass unless the whole 3-way handshake was observed by
the box.  Only recently did Cisco add features to make tracking the
TCP connection state optional.
(http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf)
 The larger ASA-5580 machines can be virtualized into dozens (or more)
security contexts as needed.  I imagine it would take some effort to
figure out how to cleanly integrate such a configuration into a POP.

--D



-- 
Brielle Bruns
http://www.sosdg.org  /  http://www.ahbl.org


More information about the NANOG mailing list