[164221] in North American Network Operators' Group
Re: Egress filters dropping traffic
daemon@ATHENA.MIT.EDU (Peter Ehiwe)
Sun Jun 30 13:15:38 2013
In-Reply-To: <CAPLq3UNbRFBj=ay5KUbUoFQgk7LJU=-oEq7+woiw-rH-XiVu+g@mail.gmail.com>
From: Peter Ehiwe <peterehiwe@gmail.com>
Date: Sun, 30 Jun 2013 18:08:57 +0100
To: Glen Kent <glen.kent@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I usually do ingress ACL on CE facing PE interfaces, that way I can provide
one level of anti spoofing on IPs "I control". I've not had the need for
an egress ACL yet but then again I think it depends on network design and
habits from Day 1.
One use case though may be to mitigate DDoS attack on a customer facing
link.
Sent from my iPhone
On Jun 30, 2013, at 5:34 PM, Glen Kent <glen.kent@gmail.com> wrote:
> Hi,
>
> Under what scenarios do providers install egress ACLs which could say for
> eg.
>
> 1. Allow all IP traffic out on an interface foo if its coming from source
> IP x.x.x.x/y
> 2. Drop all other IP traffic out on this interface.
>
> Glen
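
The two filters discussed in this thread, modelled as an added example that is not part of either poster's message: a first-match source-prefix ACL applied inbound on a CE-facing PE interface and outbound on interface foo. The prefix 192.0.2.0/24 is a constructed stand-in for the elided x.x.x.x/y, and the names `Rule`, `evaluate`, `CE_FACING_IN` and `FOO_OUT` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    source: str   # source prefix in CIDR notation

    def matches(self, src_ip):
        net = ipaddress.ip_network(self.source)
        addr = ipaddress.ip_address(src_ip)
        # An IPv4 prefix never matches an IPv6 source, and vice versa.
        return addr.version == net.version and addr in net


def evaluate(acl, src_ip):
    """First matching rule wins; no match falls through to an implicit deny."""
    for rule in acl:
        if rule.matches(src_ip):
            return rule.action
    return "deny"


# Constructed data: a documentation prefix stands in for x.x.x.x/y.
CUSTOMER_PREFIX = "192.0.2.0/24"

# Ingress ACL on the CE-facing PE interface (the anti-spoofing case in the reply):
# only sources the customer was assigned are accepted from the customer.
CE_FACING_IN = [Rule("permit", CUSTOMER_PREFIX)]

# Egress ACL from the question: rule 1 permits one source prefix out of
# interface foo, rule 2 drops all other IP traffic.
FOO_OUT = [Rule("permit", CUSTOMER_PREFIX), Rule("deny", "0.0.0.0/0")]


def filter_sources(acl, sources):
    """Return the ACL decision for each source address."""
    return {src: evaluate(acl, src) for src in sources}


if __name__ == "__main__":
    # Constructed sample sources: in-prefix, out-of-prefix (spoofed), and IPv6.
    samples = ["192.0.2.10", "198.51.100.7", "2001:db8::1"]
    for name, acl in (("CE_FACING_IN", CE_FACING_IN), ("FOO_OUT", FOO_OUT)):
        print(name, filter_sources(acl, samples))
```
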