Land and Cisco question
randy at psg.com
Sat Nov 22 19:54:00 UTC 1997
> I was *extremely* unclear in what I sent since I was running out the door.
> Most cisco routers run by ISPs (here on NANOG) have at least 50 interfaces
> (subinterfaces) and usually average 100. Each and every
> interface/subinterface has to be blocked. So it is either create an
> extended access list with all 100 individual interface addresses blocked
> (and update it as new customers get connected) or block by subnet, i.e if
> all interfaces come from a 255.255.255.252 (/30) subnetted block, then block
> the whole /24. But then the problem I discussed below creeps up. Any
> recommendations on how to block this by subnet (assuming the router side
> always has the same bit position in the subnet)?
you still do not get it. NO PER-CUSTOMER CHANGE!
for each interface on a router
block tcp which is both to and from that interface
the problem, of course, is the performance hot for packet filters on OC3s
More information about the NANOG