Egress filters dropping traffic
Hi,

Under what scenarios do providers install egress ACLs which could say, for example:

1. Allow all IP traffic out on an interface foo if it's coming from source IP x.x.x.x/y
2. Drop all other IP traffic out on this interface.

Glen
I usually do ingress ACL on CE-facing PE interfaces; that way I can provide one level of anti-spoofing on IPs "I control". I've not had the need for an egress ACL yet, but then again I think it depends on network design and habits from day 1. One use case though may be to mitigate a DDoS attack on a customer-facing link.

Sent from my iPhone

On Jun 30, 2013, at 5:34 PM, Glen Kent <glen.kent@gmail.com> wrote:

> Hi,
> Under what scenarios do providers install egress ACLs which could say, for example:
> 1. Allow all IP traffic out on an interface foo if it's coming from source IP x.x.x.x/y
> 2. Drop all other IP traffic out on this interface.
> Glen
On 6/30/2013 12:34 PM, Glen Kent wrote:

> Under what scenarios do providers install egress ACLs which could say, for example:
> 1. Allow all IP traffic out on an interface foo if it's coming from source IP x.x.x.x/y
> 2. Drop all other IP traffic out on this interface.

If you're an end node, it's BCP to block ingress from your own IP space, and block egress NOT from your IP space. If you're doing transit, it gets more complicated.

Jeff
On (2013-06-30 22:04 +0530), Glen Kent wrote:

> Under what scenarios do providers install egress ACLs which could say, for example:
> 1. Allow all IP traffic out on an interface foo if it's coming from source IP x.x.x.x/y
> 2. Drop all other IP traffic out on this interface.

The question seems to be "when do you need to drop packets"; I'm sure 10 different people would give 10 different use-cases. One use-case for this particular ACL is that the interface is used for MGMT only, so you allow the NMS network and drop everything else.

-- 
++ytti
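The three filters described in this thread (Jeff's end-site ingress/egress pair, Peter's ingress ACL on the CE-facing PE interface, and Saku's management-only interface, which is exactly the shape of Glen's two-line ACL) modelled as ordered first-match ACLs in Python. This is an added illustration written for this page, not code from the thread or from any router vendor. The evaluator is deliberately minimal: it matches source and destination prefix only (no protocol or port), handles IPv4 only, and every prefix in it is a constructed RFC 5737 / RFC 1918 example, not anyone's real address space.

```python
"""Toy first-match ACL evaluator illustrating the ingress/egress filters
discussed in the thread. IPv4 only; all prefixes are constructed examples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")   # "any" in router-ACL terms (IPv4 only here)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str = "any"       # source prefix in CIDR notation, or "any"
    dst: str = "any"       # destination prefix in CIDR notation, or "any"


def _net(spec):
    return ANY if spec == "any" else ip_network(spec)


class ACL:
    """Ordered rule list: first matching rule wins, unmatched traffic is denied."""

    def __init__(self, name, rules):
        self.name = name
        self.rules = [(r.action, _net(r.src), _net(r.dst)) for r in rules]

    def evaluate(self, src, dst):
        s, d = ip_address(src), ip_address(dst)
        for action, src_net, dst_net in self.rules:
            if s in src_net and d in dst_net:
                return action
        return "deny"   # implicit deny at the end, as on real router ACLs


def end_site_filters(own_space):
    """Jeff's BCP for an end node: drop inbound packets that claim to come from
    our own space (they are spoofed), and drop outbound packets that do not come
    from our own space (so our site cannot be used to source spoofed traffic)."""
    ingress = ACL("in-from-upstream", [
        Rule("deny", src=own_space),    # our own addresses never arrive from outside
        Rule("permit"),
    ])
    egress = ACL("out-to-upstream", [
        Rule("permit", src=own_space),  # only our own addresses may leave
        Rule("deny"),
    ])
    return ingress, egress


def provider_edge_ingress(customer_prefixes):
    """Peter's ingress ACL on the CE-facing PE interface: accept only the
    prefixes the customer is known to hold, dropping anything else it sends."""
    rules = [Rule("permit", src=p) for p in customer_prefixes]
    rules.append(Rule("deny"))
    return ACL("in-from-customer", rules)


def mgmt_interface_egress(nms_network):
    """Saku's case: a management-only interface that should carry traffic
    from the NMS network and nothing else. This is Glen's two-line ACL
    (permit one source prefix, drop everything else) applied outbound."""
    return ACL("mgmt-out", [Rule("permit", src=nms_network), Rule("deny")])


if __name__ == "__main__":
    # Constructed addresses: 192.0.2.0/24 is "our" site, the rest are outsiders.
    ingress, egress = end_site_filters("192.0.2.0/24")
    print("inbound, src 192.0.2.5 (spoofed):   ", ingress.evaluate("192.0.2.5", "192.0.2.10"))
    print("inbound, src 198.51.100.7:          ", ingress.evaluate("198.51.100.7", "192.0.2.10"))
    print("outbound, src 192.0.2.5:            ", egress.evaluate("192.0.2.5", "198.51.100.7"))
    print("outbound, src 203.0.113.9 (spoofed):", egress.evaluate("203.0.113.9", "198.51.100.7"))

    pe = provider_edge_ingress(["203.0.113.0/26", "203.0.113.128/25"])
    print("customer sends from 203.0.113.200:  ", pe.evaluate("203.0.113.200", "198.51.100.1"))
    print("customer sends from 203.0.113.100:  ", pe.evaluate("203.0.113.100", "198.51.100.1"))

    mgmt = mgmt_interface_egress("10.0.0.0/24")
    print("mgmt out, src 10.0.0.42 (NMS):      ", mgmt.evaluate("10.0.0.42", "10.0.0.1"))
    print("mgmt out, src 10.9.9.9:             ", mgmt.evaluate("10.9.9.9", "10.0.0.1"))
```

Two things the toy makes visible that matter on real equipment as well: rule order decides the outcome (swap the two rules in `end_site_filters` and the filter becomes a no-op), and the implicit deny means an ACL that forgets its final `permit` for the legitimate traffic blackholes the link rather than leaving it open.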
Participants (4): Glen Kent, Jeff Kell, Peter Ehiwe, Saku Ytti