servers, one for the outside world and one for our customers only. The public server will be connected via a T1 to a smurf tracing friendly transit provider for external connectivity. This T1 will be used for this
OK, tell me where this falls down. Set up two IP addresses for your IRC server on the same machine. On the router upstream from the machine, allow only your customers to connect to one IP address, and anyone else to connect to the other IP. Now go to your border routers, enable CEF and configure something like: ! impose limits access-list 100 permit ip any host public-irc.my.net access-list 100 permit ip any host public-irc.my.net access-list 101 deny ip any host private-irc.my.net ! i/f config for borders interface myinterface ip access-group 101 in rate-limit input access-group 102 512000 512000 512000 conform-action transmit exceed-action drop Effectively this means that if your public IP gets smurfed, it's b/w usage internally on your network is limited. If your private IP gets smurfed, it all gets dropped (thinking about it if you made exceptions for IRC peering you could do the whole thing on one IP if your customers never use border router i/fs). If you are paying per bit, you'll still pay for smurfs, but they'll have to be 45Mb/s in size to cause any real damage. You'll probably find BGP flapping up and down as your T1 saturates is more of a problem. -- Alex Bligh GX Networks (formerly Xara Networks)