From: Brian Dennis (brian@labforge.com)
Date: Wed Jul 09 2003 - 18:46:34 GMT-3
You ran across it on "your" lab or "a" lab?
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Robert Laidlaw
Sent: Wednesday, July 09, 2003 11:17 AM
To: ccielab@groupstudy.com
Subject: Log packets from spoofed address lab question
I came across a question on my lab that I have never encountered before and as such, I think that I did not get it right. However, it has led me to dive deeper into the functionality that the question presented.
Q: You want to log spoofed ICMP packets coming across your frame cloud. You want to be able to log them and see what is the most offensive spoofed IP address. You do not want to block any traffic, just log.
This was to be placed on my HUB router in a frame cloud. What made this difficult is that it wanted to easily see what the most spoofed IP address was. I ended up using the unicast reverse path forwarding interface commands but I still do not know if this is the "Correct" way to do this.
The other thing that I did not like is that when using this setup, you use an ACL to determine what happens to "bad" packets, but even if you put the logging command in your ACL, it doesn't show up in the log until you do a clear access-list xxx. Is there another way of accomplishing this or is this the way to go?
Any suggestions / comments are greatly appreciated.
Rob Laidlaw
laidlaw(at)consecro(dot)com
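
Added example, not part of the original thread: one way to get at the "most offensive spoofed IP address" part of the question is to tally the router's ACL log messages per source address on the syslog side. It assumes log lines in the IOS %SEC-6-IPACCESSLOGDP format; the ACL number 101, the addresses and the function name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (documentation address ranges, hypothetical
# ACL 101 used as the logging ACL for packets that fail the reverse-path check).
SAMPLE_LOG = """\
Jul  9 11:02:13: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.0.2.10 -> 10.1.1.1 (8/0), 1 packet
Jul  9 11:02:15: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 198.51.100.7 -> 10.1.1.1 (8/0), 1 packet
Jul  9 11:07:13: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.0.2.10 -> 10.1.1.2 (8/0), 37 packets
Jul  9 11:07:15: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 198.51.100.7 -> 10.1.1.1 (8/0), 4 packets
Jul  9 11:07:20: %SEC-6-IPACCESSLOGP: list 102 denied tcp 203.0.113.5(1025) -> 10.1.1.1(23), 1 packet
Jul  9 11:08:01: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.5 -> 10.1.1.3 (0/0), 2 packets
"""

# ICMP ACL log entry: list <acl> <action> icmp <src> -> <dst> (<type>/<code>), <n> packet(s)
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)


def top_spoofed_sources(log_text, acl, limit=10):
    """Return [(source_ip, packet_total), ...] for one ACL, busiest first.

    Assumption: each message carries the packets seen since the previous
    message for that flow, so the per-message counts are summed.
    """
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("acl") == acl:
            totals[m.group("src")] += int(m.group("count"))
    return totals.most_common(limit)


if __name__ == "__main__":
    for src, packets in top_spoofed_sources(SAMPLE_LOG, "101"):
        print(f"{src:15} {packets}")
```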