On Thu, 27 Jul 2000, Johnson, Carl wrote:
> Talking with Cisco, they say that the PIX is simply being overloaded
> by these fragments and there's nothing that can be done on the PIX. It
> has to be blocked upstream. What I'm trying to determine is:
>
> 1. If this is correct.

Grab fragrouter and test with the same traffic volume you're seeing in
production.

> 2. How to block it upstream on a Cisco router on a basis other than
> source IP.

I thought I'd seen an announcement that Cisco's finally added frag
dropping support to IOS, but I could have sworn that FO=0 frags were
already dropped or droppable by them. You could probably also drop the
frags with IPFilter, but the volume of frags could be eating your
bandwidth. Your upstream should be able to assist with tracing back to
the originator.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      [EMAIL PROTECTED]
"My statements in this message are personal opinions
which may have no basis whatsoever in fact."
PSB#9280
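
The fragment fields discussed in the message above (FO=0 first fragments versus later fragments), as an added example that is not part of the original mail: a small Python classifier that reads the IPv4 flags/fragment-offset word and reports how much of a traffic sample is fragments, which is the kind of measurement that lets you filter on fragment fields rather than source IP. The function names and the sample headers are constructed for illustration.

```python
import struct
from collections import Counter

def build_header(src, dst, ident, mf, frag_offset_bytes, payload_len):
    """Build a minimal 20-byte IPv4 header (constructed test data, checksum left 0)."""
    flags_fo = (0x2000 if mf else 0) | (frag_offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_fo, 64, 17, 0, bytes(src), bytes(dst))

def classify(header):
    """Return 'whole', 'first' (FO=0 with MF set) or 'later' (FO>0)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_fo = struct.unpack("!H", header[6:8])[0]
    more_fragments = bool(flags_fo & 0x2000)   # MF bit
    offset = (flags_fo & 0x1FFF) * 8           # field counts 8-byte units
    if offset > 0:
        return "later"
    return "first" if more_fragments else "whole"

def summarize(headers):
    """Count packets per class and compute the share of bytes carried in fragments."""
    counts, nbytes = Counter(), Counter()
    for h in headers:
        kind = classify(h)
        counts[kind] += 1
        nbytes[kind] += struct.unpack("!H", h[2:4])[0]   # IPv4 total length
    total = sum(nbytes.values())
    frag = nbytes["first"] + nbytes["later"]
    return {"counts": dict(counts),
            "fragment_byte_share": frag / total if total else 0.0}

# Constructed sample: one unfragmented datagram, then one datagram split in three.
SRC, DST = (192, 0, 2, 1), (198, 51, 100, 7)   # documentation addresses
SAMPLE = [
    build_header(SRC, DST, 1, False, 0, 100),
    build_header(SRC, DST, 2, True, 0, 1480),
    build_header(SRC, DST, 2, True, 1480, 1480),
    build_header(SRC, DST, 2, False, 2960, 40),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```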