North American Network Operators Group

Re: SYN flood messages flooding my mailbox
> *** Resending note of 09/23/96 18:38
> Subject: Re: SYN flood messages flooding my mailbox
>
> >Not. Every entry in the filter contains the following data:
> >
> >    [Prefix] [Prefix Length] [Bitmask]
> >
> >where bitmask has a bit per every interface, so the bit is set if
> >packet matching the prefix is allowed from that interface.
>
> How do you handle the case of an inter-exchange point, with multiple
> BGP neighbors per interface? The MAE-East NAP is the worst case
> (and not everyone at a NAP is a "transit AS").
>
> If you tried to handle the case of an IXP, wouldn't you have to
> filter based on both interface and MAC address?
> -- Richard Woundy, IBM

I'm starting to think that MAC-address-filtering ability would be a
VERY useful addition for this sort of thing, esp. if it could be
written as:

    access 200 deny ip any host 198.7.0.2 src-mac 0000.1111.2222
    access 200 permit ip any any

I think this isn't very possible given the IOS architecture; hopefully
I'm wrong.

Avi
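
The filter discussed in this message, as an added example that is not from either poster or from any router implementation: a prefix table with one bit per interface, and the same check extended with a source-MAC binding for a shared exchange-point interface. The prefixes, interface numbering, second MAC address and function names are constructed for illustration.

```python
import ipaddress

# Constructed filter table: (prefix, bitmask). Bit i set => packets with a
# source address inside the prefix are accepted on interface i.
# Interface 0 = customer link, interface 1 = shared exchange-point LAN.
FILTER = [
    (ipaddress.ip_network("192.0.2.0/24"), 0b01),
    (ipaddress.ip_network("198.51.100.0/24"), 0b10),
    (ipaddress.ip_network("203.0.113.0/24"), 0b10),
]

# Hypothetical extension for a shared medium: on interface 1 each prefix is
# also bound to the MAC address of the neighbor expected to send it.
NEIGHBOR_MAC = {
    (1, ipaddress.ip_network("198.51.100.0/24")): "0000.1111.2222",
    (1, ipaddress.ip_network("203.0.113.0/24")): "0000.3333.4444",
}

def lookup(src):
    """Longest-prefix match on a source address; returns (prefix, bitmask) or None."""
    addr = ipaddress.ip_address(src)
    hits = [(net, mask) for net, mask in FILTER if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def permit_by_interface(src, ifindex):
    """Prefix plus per-interface bit only, as in the quoted description."""
    hit = lookup(src)
    return hit is not None and bool(hit[1] & (1 << ifindex))

def permit_by_interface_and_mac(src, ifindex, src_mac):
    """Interface bit first, then the MAC binding where one exists."""
    if not permit_by_interface(src, ifindex):
        return False
    expected = NEIGHBOR_MAC.get((ifindex, lookup(src)[0]))
    return expected is None or expected == src_mac.lower()

if __name__ == "__main__":
    # Neighbor 0000.3333.4444 on the exchange LAN sends a packet whose source
    # address belongs to the other neighbor's prefix.
    print(permit_by_interface("198.51.100.7", 1))                            # True
    print(permit_by_interface_and_mac("198.51.100.7", 1, "0000.3333.4444"))  # False
```

The interface bit alone cannot tell the two exchange-point neighbors apart, which is the case raised in the quoted question.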