North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Land and Cisco question

  • From: Randy Bush
  • Date: Sat Nov 22 14:59:51 1997

> I was *extremely* unclear in what I sent since I was running out the door.
> Most cisco routers run by ISPs (here on NANOG) have at least 50 interfaces
> (subinterfaces) and usually average 100.  Each and every
> interface/subinterface has to be blocked.  So it is either create an
> extended access list with all 100 individual interface addresses blocked
> (and update it as new customers get connected) or block by subnet, i.e if
> all interfaces come from a 255.255.255.252 (/30) subnetted block, then block
> the whole /24.  But then the problem I discussed below creeps up.  Any
> recommendations on how to block this by subnet (assuming the router side
> always has the same bit position in the subnet)?

you still do not get it.  NO PER-CUSTOMER CHANGE!

for each interface on a router
  block tcp which is both to and from that interface

the problem, of course, is the performance hot for packet filters on OC3s
etc.

randy