[13973] in North American Network Operators' Group
Re: Land and Cisco question
daemon@ATHENA.MIT.EDU (Randy Bush)
Sat Nov 22 14:59:32 1997
Date: Sat, 22 Nov 97 11:54 PST
From: Randy Bush <randy@psg.com>
To: Hank Nussbacher <hank@ibm.net.il>
Cc: nanog@merit.edu
> I was *extremely* unclear in what I sent since I was running out the door.
> Most cisco routers run by ISPs (here on NANOG) have at least 50 interfaces
> (subinterfaces) and usually average 100. Each and every
> interface/subinterface has to be blocked. So it is either create an
> extended access list with all 100 individual interface addresses blocked
> (and update it as new customers get connected) or block by subnet, i.e if
> all interfaces come from a 255.255.255.252 (/30) subnetted block, then block
> the whole /24. But then the problem I discussed below creeps up. Any
> recommendations on how to block this by subnet (assuming the router side
> always has the same bit position in the subnet)?
you still do not get it. NO PER-CUSTOMER CHANGE!
for each interface on a router
block tcp which is both to and from that interface
the problem, of course, is the performance hit for packet filters on OC3s
etc.
randy
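The rule Randy describes, as an added example that is not part of this thread: for every interface address on a router, drop TCP whose source and destination are both that address, with no per-customer entry. The script below generates the corresponding deny lines in the classic IOS numbered extended ACL form (`access-list N deny tcp host A host A`, closed with `permit ip any any`) and applies the same test to a constructed packet sample so the filter's behaviour can be checked offline. The interface addresses and packets are constructed for the example; the ACL number 101 is an arbitrary choice.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet header: source, destination, and transport protocol."""
    src: str
    dst: str
    proto: str  # "tcp", "udp", "icmp"


def land_acl_lines(interface_addrs, acl_number=101):
    """Emit one deny line per router interface address (no per-customer changes):
    drop TCP whose source AND destination are that interface's own address.
    Follows the classic IOS numbered extended ACL syntax; 101 is an arbitrary number."""
    lines = []
    for addr in interface_addrs:
        ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        lines.append(f"access-list {acl_number} deny tcp host {ip} host {ip}")
    # Everything else is allowed; the ACL's only job here is the self-addressed TCP case.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def is_land_packet(pkt, interface_addrs):
    """True when the packet matches Randy's per-interface rule:
    TCP, source == destination, and that address belongs to this router."""
    return (
        pkt.proto == "tcp"
        and pkt.src == pkt.dst
        and pkt.src in set(interface_addrs)
    )


def apply_filter(packets, interface_addrs):
    """Split a packet list into (dropped, passed) using is_land_packet."""
    dropped = [p for p in packets if is_land_packet(p, interface_addrs)]
    passed = [p for p in packets if not is_land_packet(p, interface_addrs)]
    return dropped, passed


# Constructed sample: two /30 customer links on one router (router side .1 and .5).
ROUTER_INTERFACES = ["192.0.2.1", "192.0.2.5"]

# Constructed packet sample: one self-addressed TCP packet per interface,
# ordinary customer traffic, and a self-addressed UDP packet the rule does not cover.
SAMPLE_PACKETS = [
    Packet("192.0.2.1", "192.0.2.1", "tcp"),  # matches rule on interface .1
    Packet("192.0.2.5", "192.0.2.5", "tcp"),  # matches rule on interface .5
    Packet("192.0.2.2", "192.0.2.1", "tcp"),  # customer talking to router: passes
    Packet("192.0.2.2", "198.51.100.9", "tcp"),  # transit traffic: passes
    Packet("192.0.2.1", "192.0.2.1", "udp"),  # self-addressed but not TCP: passes
]


def sample_drop_count():
    """How many of the constructed packets the per-interface rule drops."""
    dropped, _ = apply_filter(SAMPLE_PACKETS, ROUTER_INTERFACES)
    return len(dropped)


if __name__ == "__main__":
    for line in land_acl_lines(ROUTER_INTERFACES):
        print(line)
    dropped, passed = apply_filter(SAMPLE_PACKETS, ROUTER_INTERFACES)
    print(f"dropped {len(dropped)} of {len(SAMPLE_PACKETS)} sample packets")
```

The generated list grows by exactly one line per interface and never needs a customer-specific entry, which is the point of the reply; the cost is the one Randy names, since every packet on every interface is now matched against the list.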