North American Network Operators Group


Re: Land and Cisco question

  • From: Alex Bligh
  • Date: Sat Nov 22 15:20:09 1997

> > So it is either create an
> > extended access list with all 100 individual interface addresses blocked
> 
> you still do not get it.  NO PER-CUSTOMER CHANGE!
>
> for each interface on a router
>   block tcp which is both to and from that interface

Um, if your concentrator router has one interface per L/L customer (or
one subinterface per customer), you *do* need to add another line to
the extended ACL for each new subinterface added, which looks like

access-list 164 deny ip n.n.n.n 0.0.0.0 n.n.n.n 0.0.0.0

where n.n.n.n is the IP address of the new subinterface on the
concentrator router, because the ACL has one line per (sub)interface
on the router.

However, many of us (I think) don't run with a new subinterface for
each new customer, and a still easier fix is to upgrade to one of
the non-vulnerable IOS versions (there being at least one for
each of 10.3, 11.0, 11.1 & 11.2).

-- 
Alex Bligh
GX Networks (formerly Xara Networks)
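The per-interface ACL approach discussed in this thread, as an added example that is not part of the original post nor Cisco's own code: a small Python model that builds one "deny ip X 0.0.0.0 X 0.0.0.0" line per (sub)interface address, renders it in IOS syntax, and evaluates packets against it with IOS wildcard semantics. The interface addresses and packet addresses are constructed; the trailing "permit ip any any" is assumed, since IOS ends every ACL with an implicit deny. The evaluation shows the point made above: a packet addressed to and from an interface listed in the ACL is dropped, while a newly added subinterface is not covered until its own line is appended.

```python
"""Generate the per-interface Land-attack ACL lines described in the post and
evaluate sample packets against them.  Added example, not code from the post
or from Cisco; interface and packet addresses are constructed."""

from dataclasses import dataclass
from ipaddress import IPv4Address

ACL_NUMBER = 164                            # the ACL number used in the post
ANY = IPv4Address("0.0.0.0")
WILD_ANY = IPv4Address("255.255.255.255")   # IOS wildcard: every bit is "don't care"
WILD_HOST = IPv4Address("0.0.0.0")          # IOS wildcard: exact host match

# Constructed: addresses of three (sub)interfaces on a hypothetical concentrator router.
INTERFACE_ADDRS = ["192.0.2.1", "192.0.2.5", "198.51.100.9"]


def _wild_match(addr: IPv4Address, ref: IPv4Address, wild: IPv4Address) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard is ignored, a 0 bit must match."""
    care = ~int(wild) & 0xFFFFFFFF
    return (int(addr) ^ int(ref)) & care == 0


@dataclass(frozen=True)
class AclEntry:
    action: str          # "deny" or "permit"
    protocol: str        # "ip", as in the post (covers TCP as well)
    src: IPv4Address
    src_wild: IPv4Address
    dst: IPv4Address
    dst_wild: IPv4Address

    def render(self) -> str:
        """IOS syntax: access-list <n> <action> <proto> <src> <wild> <dst> <wild>."""
        return (f"access-list {ACL_NUMBER} {self.action} {self.protocol} "
                f"{self.src} {self.src_wild} {self.dst} {self.dst_wild}")

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (_wild_match(src, self.src, self.src_wild)
                and _wild_match(dst, self.dst, self.dst_wild))


def build_land_acl(interface_addrs: list[str]) -> list[AclEntry]:
    """One deny line per (sub)interface address, then an explicit permit.

    The permit is assumed here: without it, the implicit deny that IOS
    places at the end of every ACL would drop all other traffic.
    """
    entries = [
        AclEntry("deny", "ip", IPv4Address(a), WILD_HOST, IPv4Address(a), WILD_HOST)
        for a in interface_addrs
    ]
    entries.append(AclEntry("permit", "ip", ANY, WILD_ANY, ANY, WILD_ANY))
    return entries


def evaluate(acl: list[AclEntry], src: str, dst: str) -> str:
    """First-match evaluation; no match at all means the implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for entry in acl:
        if entry.matches(s, d):
            return entry.action
    return "deny"


if __name__ == "__main__":
    acl = build_land_acl(INTERFACE_ADDRS)
    for entry in acl:
        print(entry.render())
    # A packet both to and from a listed interface address is dropped ...
    print(evaluate(acl, "192.0.2.1", "192.0.2.1"))
    # ... ordinary customer traffic to that interface still passes ...
    print(evaluate(acl, "203.0.113.7", "192.0.2.1"))
    # ... and a new subinterface is uncovered until its own line is added.
    print(evaluate(acl, "192.0.2.13", "192.0.2.13"))
    print(evaluate(build_land_acl(INTERFACE_ADDRS + ["192.0.2.13"]),
                   "192.0.2.13", "192.0.2.13"))
```

The model only covers the address-pair test that the ACL line expresses; it does not parse real packets or model the per-interface application of the ACL, which is where the "one line per (sub)interface" maintenance cost in the post comes from.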