North American Network Operators Group


Re: Land and Cisco question

  • From: Paul Ferguson
  • Date: Sat Nov 22 16:12:44 1997

I'm sorry - but the Right Thing (tm) to do is to
ingress filter, as I have already evangelized.

Like it or not.

- paul


At 08:13 PM 11/22/97 +0000, Alex Bligh wrote:

>Um, if your concentrator router has one interface per L/L customer (or
>one subinterface per customer), you *do* need to add another line to
>the extended ACL for each new subinterface added, which looks like
>
>access-list 164 deny ip n.n.n.n 0.0.0.0 n.n.n.n 0.0.0.0
>
>where n.n.n.n is the ip address of the new subinterface on the
>concentrator router, because the ACL has one line per (sub)interface
>on the router.
>
>However many of us (I think) don't run with a new subinterface for
>each new customer, and a still easier fix is to upgrade to one of
>the non-vulnerable IOS versions (there being at least one for
>each of 10.3, 11.0, 11.1 & 11.2).
>
>-- 
>Alex Bligh
>GX Networks (formerly Xara Networks)
>
>
>
>
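Added example (not part of the original thread, and not code from either poster): a config audit for the per-(sub)interface ACL line quoted above. It lists every interface address that has no matching deny entry in ACL 164. The sample config, the interface names and the helper names interface_addresses and missing_lines are constructed for illustration.

```python
import re

# Constructed sample config (documentation addresses, not from the thread).
SAMPLE_CONFIG = """\
interface Serial0.1 point-to-point
 ip address 192.0.2.1 255.255.255.252
interface Serial0.2 point-to-point
 ip address 192.0.2.5 255.255.255.252
 ip address 198.51.100.1 255.255.255.0 secondary
interface Serial0.3 point-to-point
 ip address 192.0.2.9 255.255.255.252
access-list 164 deny ip 192.0.2.1 0.0.0.0 192.0.2.1 0.0.0.0
access-list 164 deny ip host 192.0.2.5 host 192.0.2.5
access-list 164 permit ip any any
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\.\d+\.\d+\.\d+")
# One address, written either "host A" or "A 0.0.0.0".
HOST = r"(?:host\s+(\S+)|(\S+)\s+0\.0\.0\.0)"
DENY_RE = re.compile(rf"^access-list\s+(\d+)\s+deny\s+ip\s+{HOST}\s+{HOST}$")
PERMIT_ANY_RE = re.compile(r"^access-list\s+(\d+)\s+permit\s+ip\s+any\s+any$")

def interface_addresses(config):
    """Return {ip: interface} for every primary or secondary interface address."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the interface block
        m = ADDR_RE.match(line)
        if m and current:
            addrs[m.group(1)] = current
    return addrs

def missing_lines(config, acl="164"):
    """Return the ACL lines still needed, one per uncovered interface address."""
    covered = set()
    for line in map(str.strip, config.splitlines()):
        m = PERMIT_ANY_RE.match(line)
        if m and m.group(1) == acl:
            break  # entries after a catch-all permit are never reached
        m = DENY_RE.match(line)
        if m and m.group(1) == acl and (m.group(2) or m.group(3)) == (m.group(4) or m.group(5)):
            covered.add(m.group(2) or m.group(3))
    return [f"access-list {acl} deny ip {ip} 0.0.0.0 {ip} 0.0.0.0"
            for ip in interface_addresses(config) if ip not in covered]
```

ACL entries are evaluated in order with the first match winning, so the audit ignores any deny entry that follows a `permit ip any any` in the same list.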