North American Network Operators Group

Re: Land and Cisco question
> I was *extremely* unclear in what I sent since I was running out the door.
> Most cisco routers run by ISPs (here on NANOG) have at least 50 interfaces
> (subinterfaces) and usually average 100. Each and every
> interface/subinterface has to be blocked. So it is either create an
> extended access list with all 100 individual interface addresses blocked
> (and update it as new customers get connected) or block by subnet, i.e. if
> all interfaces come from a 255.255.255.252 (/30) subnetted block, then block
> the whole /24. But then the problem I discussed below creeps up. Any
> recommendations on how to block this by subnet (assuming the router side
> always has the same bit position in the subnet)?

you still do not get it. NO PER-CUSTOMER CHANGE!

for each interface on a router block tcp which is both to and from that
interface

the problem, of course, is the performance hit for packet filters on OC3s
etc.

randy
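The two filtering approaches discussed in the thread, worked through as an added example that is not part of the original exchange: a Land packet is a TCP segment whose source address equals the destination address, so the per-interface rule Randy describes is "deny TCP from the interface address to the interface address", which can be generated from the interface list with no central, per-customer access list. The code also enumerates the router-side address of every /30 in a block, which is the "block by subnet" alternative the quoted poster asks about (assuming, as they do, that the router side is always the same host position in each /30). The Cisco extended-ACL syntax emitted and the 192.0.2.0/24 and 10.0.0.0/24 addresses are constructed for illustration.

```python
"""Added example (not from the NANOG thread): detecting and filtering Land
packets (TCP with source address == destination address) per router interface.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, NamedTuple, Tuple


class TcpPacket(NamedTuple):
    """Minimal constructed view of a TCP packet header."""
    src: str
    dst: str
    sport: int
    dport: int


def is_land_packet(pkt: TcpPacket) -> bool:
    """A Land packet carries identical source and destination addresses."""
    return IPv4Address(pkt.src) == IPv4Address(pkt.dst)


def per_interface_rules(interface_addrs: Iterable[str], acl_number: int = 101) -> List[str]:
    """One Cisco-style extended ACL line per interface address.

    Form used: 'access-list N deny tcp host A host A', i.e. drop TCP that is
    both from and to the interface's own address.  The rule depends only on
    the interface address, so a new customer interface brings its own rule and
    no existing entry changes (the "no per-customer change" point).
    """
    rules = []
    for addr in interface_addrs:
        a = str(IPv4Address(addr))
        rules.append(f"access-list {acl_number} deny tcp host {a} host {a}")
    return rules


def router_addrs_in_block(block: str, router_host_offset: int = 1) -> List[str]:
    """The "block by subnet" alternative: split a block into /30s and return
    the router-side address of each, assuming the router always occupies the
    same host position (default: first usable address, e.g. x.x.x.1)."""
    net = IPv4Network(block)
    return [str(sub.network_address + router_host_offset)
            for sub in net.subnets(new_prefix=30)]


def apply_filter(packets: Iterable[TcpPacket],
                 interface_addrs: Iterable[str]) -> Tuple[List[TcpPacket], List[TcpPacket]]:
    """Drop Land packets aimed at a protected interface address; keep the rest."""
    protected = {IPv4Address(a) for a in interface_addrs}
    kept, dropped = [], []
    for p in packets:
        if is_land_packet(p) and IPv4Address(p.dst) in protected:
            dropped.append(p)
        else:
            kept.append(p)
    return kept, dropped


# Constructed sample traffic: one Land packet against the router address
# 192.0.2.1, one normal telnet connection, one Land-shaped packet to an
# address that is not a router interface (not ours to drop here).
SAMPLE_PACKETS = [
    TcpPacket("192.0.2.1", "192.0.2.1", 139, 139),
    TcpPacket("192.0.2.2", "192.0.2.1", 1234, 23),
    TcpPacket("198.51.100.7", "198.51.100.7", 80, 80),
]


if __name__ == "__main__":
    for line in per_interface_rules(["192.0.2.1", "192.0.2.5"]):
        print(line)
    kept, dropped = apply_filter(SAMPLE_PACKETS, ["192.0.2.1", "192.0.2.5"])
    print(f"kept={len(kept)} dropped={len(dropped)}")
    print(router_addrs_in_block("10.0.0.0/24")[:4])
```

`router_addrs_in_block` only helps when every /30 really does put the router on the same host position; where that assumption fails, the per-interface rules are the safer of the two, at the cost of one entry per interface and, as Randy notes, the filtering cost on high-speed links.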