Discard Interfaces Overview
On the routing platform, you can configure one physical discard interface, dsc. The discard interface allows you to identify the ingress point of a denial-of-service (DoS) attack. When your network is under attack, the target host IP address is identified, and the local policy forwards attacking packets to the discard interface. When traffic is routed out of the discard interface, the traffic is silently discarded.
You can configure the inet family protocol on the discard interface, which allows you to apply an output filter to the interface. If you apply an output filter to the interface, the action specified by the filter is executed before the traffic is discarded.
After you configure a discard interface, you must configure a local policy to forward attacking traffic to the discard interface. For a complete discussion about using the discard interface to protect your network against DoS attacks, see the Routing Policy Configuration Guide.
Keep the following guidelines in mind when configuring the discard interface:
- Only the logical interface unit 0 is supported.
- The filter and address statements are optional.
- Although you can configure an input filter and a filter group, these configuration statements have no effect because traffic is not transmitted from the discard interface.
- The show interface command is not relevant for the discard interface.
- The discard interface does not support class of service (CoS).
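The configuration described above, as an added example that is not from the original page: a dsc interface with an inet output filter that counts and logs packets before they are discarded, and a policy that points matching routes at the discard interface. The addresses (documentation range), the community value, and the names log-discard, dsc-counter, blackhole, and to-discard are constructed for illustration, and applying the policy as a BGP import policy is an assumption.

```junos
interfaces {
    dsc {
        /* Only logical unit 0 is supported on the discard interface. */
        unit 0 {
            family inet {
                /* Optional: the output filter runs before the discard. */
                filter {
                    output log-discard;
                }
                /* Optional: constructed addresses; the destination is
                   used as the next hop in the policy below. */
                address 192.0.2.1/32 {
                    destination 192.0.2.2;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter log-discard {
            term count-and-log {
                then {
                    count dsc-counter;
                    log;
                }
            }
        }
    }
}
policy-options {
    /* Constructed community that marks routes to the attacked host. */
    community blackhole members 65000:666;
    /* Assumption: applied as an import policy on the BGP sessions
       that carry the marked routes. */
    policy-statement to-discard {
        term attacked-hosts {
            from community blackhole;
            then {
                next-hop 192.0.2.2;
                accept;
            }
        }
    }
}
```

Because the count and log actions execute before the traffic is discarded, the filter counter on each router shows how much of the attacking traffic entered the network at that point.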