Cisco Packet Data Gateway (PDG)
Cisco ASR 5x00 Command Line Interface Reference
FNG Service Configuration Mode Commands
ip source-violation
Sets the parameters for IP source validation. Source validation is useful if packet spoofing is suspected or for verifying packet routing and labeling within the network.
Source validation requires the source address of received packets to match the IP address assigned to the subscriber (either statically or dynamically) during the session.
Product
FNG
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > Context Configuration > FNG Service Configuration
configure > context context_name > fng-service service_name
Entering the above command sequence results in the following prompt:
[context_name]host_name(config-fng-service)#
Syntax
ip source-violation { clear-on-valid-packet | drop-limit num | period secs }
no ip source-violation clear-on-valid-packet
clear-on-valid-packet
Configures the service to reset the drop-limit counters upon receipt of a properly addressed packet. Default: disabled
drop-limit num
Sets the maximum number of allowed IP source violations within the detection period before dropping a call, as an integer from 1 through 1000000. Default: 10
period secs
Sets the detection period (in seconds) for IP source violations, as an integer from 1 through 1000000. Default: 120
Usage
This function allows the operator to configure the network to prevent problems such as when a user gets handed back and forth between two gateways a number of times during a handoff scenario.
When a subscriber packet is received with a source IP address violation, the system increments the IP source violation drop-limit counter and starts the timer for the IP source violation period. Every subsequent packet received with a bad source address during the IP source violation period causes the drop-limit counter to increment.
For example, if the drop-limit is set to 10, after 10 source violations, the call is dropped. The detection period timer continues to count throughout this process.
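The counter and timer behaviour described above, modelled as an added Python example (this is not Cisco code and not from this reference). The rule that an expired detection period clears the counter is an assumption the page does not state; the subscriber address, spoofed address and packet trace are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SourceViolationPolicy:
    """The three CLI knobs, initialised to the documented defaults."""
    drop_limit: int = 10                  # drop-limit num
    period: float = 120.0                 # period secs
    clear_on_valid_packet: bool = False   # clear-on-valid-packet (default: disabled)


@dataclass
class SubscriberSession:
    assigned_ip: str                      # address assigned to the subscriber
    policy: SourceViolationPolicy
    violations: int = 0                   # the drop-limit counter
    window_start: Optional[float] = None  # when the detection period timer started
    dropped: bool = False

    def on_packet(self, src_ip: str, now: float) -> str:
        """Classify one subscriber packet: 'forward', 'violation' or 'drop-call'."""
        if self.dropped:
            return "drop-call"
        # Assumption (not stated on the page): once the detection period has elapsed,
        # the counter and timer are cleared and the next violation starts a new period.
        if self.window_start is not None and now - self.window_start >= self.policy.period:
            self.violations, self.window_start = 0, None
        if src_ip == self.assigned_ip:
            if self.policy.clear_on_valid_packet:   # properly addressed packet resets counters
                self.violations, self.window_start = 0, None
            return "forward"
        if self.window_start is None:               # first violation starts the period timer
            self.window_start = now
        self.violations += 1                        # every bad-source packet increments
        if self.violations >= self.policy.drop_limit:
            self.dropped = True                     # drop-limit reached: the call is dropped
            return "drop-call"
        return "violation"


def replay(assigned_ip: str, policy: SourceViolationPolicy, trace):
    """Run a constructed (seconds, source_ip) trace through a fresh session."""
    session = SubscriberSession(assigned_ip, policy)
    return [session.on_packet(ip, t) for t, ip in trace]


# Constructed sample: 192.0.2.10 is the assigned address, 198.51.100.7 is spoofed.
SPOOFED = [(float(t), "198.51.100.7") for t in range(10)]
```

With the defaults, the tenth spoofed packet in `SPOOFED` returns `drop-call`; enabling `clear_on_valid_packet` lets a single properly addressed packet between two runs of nine violations keep the call up.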
Example