ISP Edge Network - Blocking Specific Traffic

xAdventix
Level 1

Hi, 

I am currently reviewing possibilities for blocking specific traffic at the edge of the network, e.g. transit/peers, to ensure that if we get any malicious/unwanted traffic we would be able to prevent it from occurring.

I came in and saw ACLs on the CORE; I kind of thought there must be a better way, but after reviewing I came up blank and was wondering if anyone has any great ideas.

To give some back story, the ACLs became a problem last week due to some issues with the CEF table and in turn TCAM memory, which from my understanding also works with ACLs. So we had to remove the ACLs from the edge. I thought about something less intensive like a Null0 silent discard, but that would only stop return traffic (unless I am being silly), which may prevent some attacks, but for the likes of a DDoS no one will care about return traffic, and even in some scenarios which we block on.

Does anyone have a good solution to this? We do run the full BGP routing table, if this helps, but I can't see what else you can really do. Would be great to have some insight :)

 

Thank you, 
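The Null0 discard the original post mentions is the building block of remote-triggered blackholing (RTBH), which drops traffic in the CEF forwarding path (FIB) rather than in ACL TCAM and is signalled with iBGP, so a network that already runs BGP needs no extra hardware for it. The following Cisco IOS fragment is an added example written for this page, not configuration from the original poster or from Cisco; it shows destination-based blackholing (drops everything sent to a victim address) and, with loose-mode uRPF on the transit interface, source-based blackholing (drops everything coming from an attacking range), which is the inbound case the post is worried about. All addresses, the AS number, the BGP community and the interface name are assumptions chosen from documentation ranges.

```cisco
! Added example, not from the thread. Assumptions: CEF is enabled, iBGP
! between the trigger router and the edge routers already exists, AS 65000
! is the ISP's own AS, 192.0.2.1 is the discard next hop, 65000:666 is the
! blackhole community, and the interface/neighbor addresses are made up.

! ---- On every edge router (facing transit/peers) ----
! Static route to Null0 for the discard next hop. Any prefix whose BGP next
! hop resolves to 192.0.2.1 is dropped by CEF, using FIB rather than ACL TCAM.
ip route 192.0.2.1 255.255.255.255 Null0

! Loose-mode uRPF on the transit interface: a packet whose SOURCE address
! resolves to Null0 is dropped on ingress, which makes the same blackhole
! mechanism work against attacking sources, not only victim destinations.
interface GigabitEthernet0/0
 description Transit to upstream (assumed interface)
 ip verify unicast source reachable-via any

router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 description Trigger router (assumed address)

! ---- On the trigger router (iBGP speaker inside AS 65000) ----
! Static routes tagged 666 are redistributed into BGP with the discard next
! hop, a high local preference so they win, and no-export so they never
! leave the AS.
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 65000:666 no-export

router bgp 65000
 redistribute static route-map RTBH
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 description Edge router (assumed address)
 neighbor 10.0.0.2 send-community

! Destination-based blackhole: drop all traffic to the victim host.
! This protects the rest of the network, not the victim itself.
ip route 198.51.100.10 255.255.255.255 Null0 tag 666

! Source-based blackhole (relies on loose uRPF above): drop all traffic
! arriving from the attacking range before it crosses the edge.
ip route 203.0.113.0 255.255.255.0 Null0 tag 666
```

The caveat a practitioner would check before relying on this: a destination-based entry completes the denial of service for the victim prefix, so it is a tool for protecting the rest of the customers, while source-based entries are only safe if the addresses are not spoofed or shared, since every packet from that range, legitimate or not, is dropped. Loose uRPF also costs an extra FIB lookup per packet on the transit interface, so confirm the edge platform does that in hardware before enabling it on a busy link.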

1 Accepted Solution

balaji.bandi
Hall of Fame

It is always suggested to consider a FW for this kind of requirement, so it does the good work of protecting the network.

 

BB



Yeah, I never really thought of a FW on the edge; my concern is that it's more rack space and more money to implement something like this, as we would need a few in each DC to provide enough redundancy for multiple links to allow for multiple terminations into the CORE, but I can understand why you'd recommend something like this. I've discussed this with other people and there appears to be no magic config that can do this without ACLs.

If I am going to go down this route, it would be cheaper to upgrade the hardware on the EDGE, as I am just trying to extend its life under orders rather than spending lots of money, since we already have firewalls for our internal servers etc. which sit as close to the sources as possible.

Thanks for taking the time to post, Balaji. I think I am going to stick with my original plan and redesign the network anyway; this is the only real option, as it has outgrown the current infrastructure/design.