*** Resending note of 09/23/96 18:38
Subject: Re: SYN flood messages flooding my mailbox
>Not. Every entry in the filter contains the following data:
> [Prefix] [Prefix Length] [Bitmask]
>where bitmask has a bit per every interfaces, so the bit if set if
>packet matching the prefix is allowed from that interface.
How do you handle the case of an inter-exchange point, with multiple
BGP neighbors per interface? The MAE-East NAP is the worst case
(and not everyone at a NAP is a "transit AS").
If you tried to handle the case of an IXP, wouldn't you have to
filter based on both interface and MAC address?
-- Richard Woundy, IBM
I'm starting to think that MAC-address-filtering ability would be
a VERY useful addition for this sort of thing, esp. if it could be
access 200 deny ip any host 22.214.171.124 src-mac 0000.1111.2222
access 200 permit ip any any
I think this isn't very possible given the IOS architecture;
hopefully I'm wrong.