Re: Denying telnet to port 23 on VTY

From: christianus sandjaja (netwrangers@yahoo.com)
Date: Fri Nov 10 2006 - 03:00:19 ART


Hi

The ip local policy * will impact traffic that matches the access-list
statement; other traffic that doesn't match the ACL statement will be forwarded
normally. The key is in the ACL created. You can check it with the debug ip
policy command. If the traffic matches, then it will drop into the Null0 interface;
if the traffic doesn't match the policy, it will be rejected by the policy and then forwarded
normally. I already tested this on my last lab exam attempt; it has no impact on
other traffic.
The lab was very tricky. It told you not to use an ACL to
drop telnet packets; normally we use an access-list and then apply the access-class
command on the line vty, or use a normal extended access-list and then apply it on
the interface, but they did not tell you that we can utilize ACL+PBR to
blackhole the packets.
There was another similar question that told
you to deny DoS and spoofing attacks, but don't use a deny icmp statement, and do not
rate-limit packets on the interface either, whether with a policy-map or class-map, the
rate-limit command on the interface, or the uRPF command.

Thanks

chris
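Added example of the ACL+PBR blackhole described in the post above (this is illustrative config written for this archive page, not configuration from the original poster). The router addresses, interface name, ACL name and route-map name are assumptions. Note that Cisco documents ip local policy route-map as applying to packets the router itself originates; the example below therefore applies the route-map with ip policy route-map on the ingress interface, which is where inbound telnet toward the router arrives, and relies on the platform evaluating interface PBR before handing the packet to the router's own control plane. Confirm the behaviour with debug ip policy in the lab rather than assuming it.

```cisco
! Added example, not from the original post. Addresses, names and the
! interface are assumptions for illustration.
!
! 1. Match ONLY TCP/23 aimed at this router's own addresses. Everything
!    else hits the implicit deny, is "policy rejected" and is forwarded
!    normally, so transit traffic is unaffected. This ACL is the key:
!    a broader ACL (e.g. "permit tcp any any eq 23") would blackhole
!    transit telnet as well.
ip access-list extended TELNET-TO-ROUTER
 permit tcp any host 10.1.1.1 eq 23
 permit tcp any host 192.168.0.1 eq 23
!
! 2. Route-map: anything the ACL permits is sent to Null0, i.e. dropped.
!    There is no deny sequence, so unmatched packets are not policy routed.
route-map BLACKHOLE-TELNET permit 10
 match ip address TELNET-TO-ROUTER
 set interface Null0
!
! 3. Apply on the interface(s) where telnet toward the router can arrive.
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map BLACKHOLE-TELNET
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.255
!
! Verification from exec mode:
!   debug ip policy                  per-packet "policy match" /
!                                    "policy rejected -- normal forwarding"
!   show route-map BLACKHOLE-TELNET  policy routing match counters
!   show ip policy                   which interfaces carry which route-map
```

Test it by telnetting to 10.1.1.1 from a neighbour (the session should time out rather than be refused, since the packet is silently dropped at Null0) and then by sending ordinary transit traffic through the same interface, which should show up in debug ip policy as rejected and forwarded normally.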



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:46 ART