We could ask Cisco and Juniper to add a way of 'artificially' removing networks from the 
CEF table (with an ACL or so). That way, even with loose-RPF, the packet will be 
dropped based on source-address at the ingress without consuming CPU.
Or maybe such a feature already exists?
André

At 09:06 25.03.2003 -0500, Christian Liendo wrote:

>Looking for advice.
>
>I am sorry if this was discussed before, but I cannot seem to find this.
>I want to use source routing as a way to stop a DoS rather than use access-lists.
>
>In other words, let's say I know the source IP (range of IPs) of an attack and they do 
>not change.
>
>If the destination stays the same I can easily null route the destination, but what 
>if the destination constantly changes? So I have to work based on the source IP.
>
>Depending on the router and the code, if I implement an access-list then the CPU 
>utilization shoots through the roof.
>What I would like to try and do is use source routing to route that traffic to null. 
>I figured it would be easier on the router than an access-list.
>
>Has anyone else tried this successfully on Ciscos and Junipers?
>Is it easier on the CPU than access-lists?
>Is there a link I cannot find on Cisco or Google?
>
>Thanks
>Christian Liendo
>

---------------------
Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61
[EMAIL PROTECTED]
CCIE #6023
----------------------
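
The loose-RPF drop discussed in the message above, as an added example that is not part of the thread and not vendor code: a toy forwarding table with longest-prefix match shows why simply removing the attacker's prefix is not enough when a covering aggregate remains, and why a more-specific discard entry makes the source fail the check. The `Fib` class, the `DISCARD` marker, the prefixes and the interface names are all constructed for illustration, and treating a discard next hop as an RPF failure is an assumption of this model.

```python
import ipaddress

DISCARD = "discard"  # hypothetical marker for a null/discard next hop

class Fib:
    """Toy forwarding table with longest-prefix match (not a vendor API)."""
    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def remove(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

def loose_rpf_permits(fib, src):
    """Loose RPF: the source must resolve to some usable FIB entry."""
    next_hop = fib.lookup(src)
    # Assumption of this model: a discard next hop counts as "no route".
    return next_hop is not None and next_hop != DISCARD

def build_fib():
    fib = Fib()
    fib.add("198.51.100.0/24", "if-1")  # attack source network (constructed)
    fib.add("198.51.0.0/16", "if-2")    # covering aggregate (constructed)
    fib.add("203.0.113.0/24", "if-3")   # unrelated network (constructed)
    return fib

def demo():
    attacker = "198.51.100.77"
    fib = build_fib()
    results = {"baseline": loose_rpf_permits(fib, attacker)}
    # Removing only the specific prefix: the aggregate still matches.
    fib.remove("198.51.100.0/24")
    results["specific_removed"] = loose_rpf_permits(fib, attacker)
    # A more-specific discard entry wins longest-prefix match and fails RPF.
    fib.add("198.51.100.0/24", DISCARD)
    results["specific_discard"] = loose_rpf_permits(fib, attacker)
    results["other_in_aggregate"] = loose_rpf_permits(fib, "198.51.7.1")
    results["unrelated"] = loose_rpf_permits(fib, "203.0.113.9")
    results["no_route"] = loose_rpf_permits(fib, "192.0.2.1")
    return results

if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case:20s} {'permit' if permitted else 'drop'}")
```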
