Land and Cisco question

• Previous message (by thread): Land and Cisco question
• Next message (by thread): Land and Cisco question
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> I was *extremely* unclear in what I sent since I was running out the door.
> Most cisco routers run by ISPs (here on NANOG) have at least 50 interfaces
> (subinterfaces) and usually average 100.  Each and every
> interface/subinterface has to be blocked.  So it is either create an
> extended access list with all 100 individual interface addresses blocked
> (and update it as new customers get connected) or block by subnet, i.e if
> all interfaces come from a 255.255.255.252 (/30) subnetted block, then block
> the whole /24.  But then the problem I discussed below creeps up.  Any
> recommendations on how to block this by subnet (assuming the router side
> always has the same bit position in the subnet)?

you still do not get it.  NO PER-CUSTOMER CHANGE!

for each interface on a router
  block tcp which is both to and from that interface

the problem, of course, is the performance hot for packet filters on OC3s
etc.

randy

• Previous message (by thread): Land and Cisco question
• Next message (by thread): Land and Cisco question
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]