[16440] in North American Network Operators' Group


RE: Network Operators and smurf

daemon@ATHENA.MIT.EDU (barton@cent.net)
Sat Apr 25 16:18:49 1998

Date: Sat, 25 Apr 1998 15:55:40 -0400 (EDT)
From: barton@cent.net
In-reply-to: Your message dated "Sat, 25 Apr 1998 18:19:26 +0200"
 <199804251619.SAA17159@vader.runit.sintef.no>
To: Havard.Eidnes@runit.sintef.no
Cc: jra@scfn.thpl.lib.fl.us, nanog@merit.edu,
        "Barton F. Bruce" <BRUCE@Eisner.DECUS.Org>

>Current recipe for anti-forging with Cisco hardware:

> o Pick up CEF code (11.1(17)CC, which doesn't yet (?) exist for all
>   Cisco platforms, unfortunately)

> o Configure:

>   !
>   ip cef switch
>   ! or "ip cef distributed switch" for an RSP+VIP2 based box
>   !
>   interface whatever
>     ip verify unicast reverse-path
>   !

I don't know what exact configs are vulnerable, but don't try this
on a 7206 if you have a PA-8T with frame relay on it.

I had CEF only on PA-2T3 ports and F0/0 on the controller card and yet
all frame relay connections on multiple T1s on the PA-8T were trashed.

cscdj87169 is not resolved yet.
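
Added example, not part of the original message and not Cisco's code: a simplified Python model of the check that the quoted "ip verify unicast reverse-path" line enables, which accepts a packet only when the best route back to its source address points out the interface the packet arrived on. The route table, interface names and addresses are constructed for illustration, and the last two packets show the known side effect that legitimate traffic arriving over an asymmetric path is dropped too.

```python
import ipaddress

# Constructed sample forwarding table: (prefix, interface the route points out of).
SAMPLE_FIB = [
    ("192.0.2.0/24", "Serial0"),       # customer A
    ("198.51.100.0/24", "Serial1"),    # customer B, primary link
    ("198.51.100.128/25", "Serial2"),  # customer B, more-specific via second link
]

def build_fib(entries):
    """Parse (prefix, interface) pairs into network objects."""
    return [(ipaddress.ip_network(p), ifname) for p, ifname in entries]

def lookup(fib, addr):
    """Longest-prefix match; returns the interface of the best route, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifname in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def rpf_accept(fib, src, ingress_if):
    """Strict reverse-path check: the route back to src must use ingress_if."""
    return lookup(fib, src) == ingress_if

def filter_packets(fib, packets):
    """Return 'accept' or 'drop' for each (source address, ingress interface)."""
    return ["accept" if rpf_accept(fib, s, i) else "drop" for s, i in packets]

# Constructed packets: (source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("192.0.2.10", "Serial0"),      # customer A using its own address
    ("203.0.113.5", "Serial0"),     # forged source, no route back at all
    ("198.51.100.7", "Serial0"),    # forged source, route points elsewhere
    ("198.51.100.200", "Serial1"),  # genuine, but arrives on the non-best link
    ("198.51.100.200", "Serial2"),  # genuine, arrives on the best-route link
]

if __name__ == "__main__":
    fib = build_fib(SAMPLE_FIB)
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets(fib, SAMPLE_PACKETS)):
        print(pkt, verdict)
```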
