North American Network Operators Group


Re: Land and Cisco question

  • From: Hank Nussbacher
  • Date: Sat Nov 22 14:42:00 1997

At 10:58 AM 11/22/97 -0800, John Bashinski wrote:

I was *extremely* unclear in what I sent since I was running out the door.
Most Cisco routers run by ISPs (here on NANOG) have at least 50 interfaces
(subinterfaces) and usually average 100.  Each and every
interface/subinterface has to be blocked.  So it is either create an
extended access list with all 100 individual interface addresses blocked
(and update it as new customers get connected) or block by subnet, i.e. if
all interfaces come from a 255.255.255.252 (/30) subnetted block, then block
the whole /24.  But then the problem I discussed below creeps up.  Any
recommendations on how to block this by subnet (assuming the router side
always has the same bit position in the subnet)?

-Hank

>> Does BGP use TCP or UDP?
>
>TCP.
>
>> If TCP then we are in trouble.
>
>I don't think so.
>
>> Almost everyone
>> has access to the Internet via BGP.  The line IP address is usually made up
>> of a pair of addresses in the same subnet.  You can IP spoof block all your
>> internal IP addresses but if you block the IP address of your BGP connection
>> to your BGP peer and BGP uses TCP, then the examples jbash gave out will
>> stop BGP updates as well.  
>
>This was my example:
>
>    interface ethernet 0
>    ip address 1.2.3.4 255.255.255.0
>    ip access-group 101 in
>    !
>    interface ethernet 1
>    ! (mask assumed here; it was omitted in the posting, but IOS requires one)
>    ip address 5.6.7.8 255.255.255.0
>    ip access-group 101 in
>    !
>    ! Drop packets whose source and destination are both the router's own
>    ! address on that interface (the self-addressed Land pattern); a wildcard
>    ! of 0.0.0.0 means every bit must match.  Everything else is permitted.
>    access-list 101 deny tcp 1.2.3.4 0.0.0.0 1.2.3.4 0.0.0.0
>    access-list 101 deny tcp 5.6.7.8 0.0.0.0 5.6.7.8 0.0.0.0
>    access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
>
>That only blocks the router talking to itself, not talking to any other
>host, whether on the same subnet or not. As far as I know, you don't have
>to have a TCP connection to yourself to run BGP, just to your neighbors.
>
>						-- John B.
>
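An added illustration, not from the thread, of the two approaches Hank weighs above: it assumes a constructed block 10.0.0.0/24 carved into /30 links with the router always on the first host of each /30, models Cisco wildcard-mask matching in Python, and compares a deny on the whole /24 against an entry that pins only the router-side bit position. The second keeps the BGP peer's address (.2 of each /30) out of the deny, which is exactly the problem a whole-subnet deny creates.

```python
import ipaddress

# Constructed example: every customer link is a /30 carved from 10.0.0.0/24
# (assumed addresses, not from the thread); the router always takes the first
# host of each /30, so all of its link addresses end in binary ...01.
AGGREGATE = ipaddress.ip_network("10.0.0.0/24")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard is 'don't care',
    a 0 bit must match the base address."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins, with IOS's implicit deny at the end."""
    for action, sbase, swild, dbase, dwild in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"

# Option 1 from the thread: deny the whole /24 as source to the whole /24 as
# destination.  Short, but it also drops the BGP peer (.2) talking to the router (.1).
ACL_WHOLE_SUBNET = [
    ("deny",   "10.0.0.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Option 2 (added here as an illustration): match only the router-side bit position.
# Wildcard 0.0.0.252 fixes the low two bits of the last octet to 01, so both the
# source and the destination must be a router-side /30 address.
ACL_BIT_POSITION = [
    ("deny",   "10.0.0.1", "0.0.0.252", "10.0.0.1", "0.0.0.252"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def router_side_addresses():
    """Every address the bit-position entry covers: one per /30 in the aggregate."""
    return [str(net[1]) for net in AGGREGATE.subnets(new_prefix=30)]

def evaluate(acl):
    """Constructed packets: a self-addressed (Land-style) packet, the BGP peer
    reaching the router, and ordinary transit between two customer-side hosts."""
    return {
        "land":    acl_action(acl, "10.0.0.1", "10.0.0.1"),
        "bgp":     acl_action(acl, "10.0.0.2", "10.0.0.1"),
        "transit": acl_action(acl, "10.0.0.6", "10.0.0.10"),
    }

if __name__ == "__main__":
    print("whole /24    :", evaluate(ACL_WHOLE_SUBNET))
    print("bit position :", evaluate(ACL_BIT_POSITION))
```

The bit-position entry assumes every /30 in the aggregate terminates on this router; if some of those addresses sit on other routers, packets between two router-side addresses on different boxes would be dropped too, and `ip access-group` still has to be applied on each interface.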