On Wed, Aug 13, 1997 at 06:46:55PM +0100, Lyndon Levesley said:
[...]
Aug 13 18:43:59 permitted icmp 149.112.125.54 -> 192.41.177.255 (8/0), 8722 packets
8/0 is 'echo request', according to trusty old /usr/include/net_inet/ip_icmp.h (Solaris 2.5.1)
[ some others snipped out ]
Now if only Cisco's let you obtain a "src_hardware_addr" :(
doesn't the 'log-input' keyword log the input interface? at the end of the access-list rule. or, copy the access-list to another access-list number, and use different access-list numbers on different interfaces. (if you don't need the input interface at all, but the source host, then some type of packet sniffing is the only way to go.. sorry I can't help..) And here's something that I wrote up, it's an idea to stop the flood... " Policy routing is fast switched in the right IOS revs (I think starting at 11.2(6)F). Your config would look something like this: ! access-list 101 permit icmp any any echo-reply ! route-map KILLICMP permit 10 match ip-address 101 set interface Null0 ! ! interface hssi 5/1/0 ip policy route-map KILLICMP ip route-cache policy ! " Since denying on an ACL is process switched, and kills your router, the goal is to make your router fast-switch the packet to /dev/null... aka Null0. Thanks to Barry Raveendran Greene <bgreene@cisco.com> for this one. I don't know for sure if it works, as I haven't had a chance to try it, but if it does, let me know...