[59716] in North American Network Operators' Group


Re: Protecting inbound interfaces (re: Cisco exploit)

daemon@ATHENA.MIT.EDU (Basil Kruglov)
Fri Jul 18 09:23:15 2003

Date: Fri, 18 Jul 2003 08:22:28 -0500
From: Basil Kruglov <basil@cifnet.com>
To: nanog@merit.edu
Reply-To: nanog@merit.edu
In-Reply-To: <20030718060328.A54680-100000@legendz.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Fri, Jul 18, 2003 at 06:07:08AM -0700, Rick Ernst wrote:
> 
> 
> Is there a way to globally protect all inbound interfaces on a router via ACL
> (specifically hundreds of frame/sub-interfaces) without applying the same ACL
> to each individual interface?

I believe something like this will work:

no access-l 198
! drop the three IP protocol numbers with no business arriving here:
! 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND); log-input records the ingress interface and source MAC
access-list 198 deny   53 any any log-input
access-list 198 deny   55 any any log-input
access-list 198 deny   77 any any log-input
!
! PIM (protocol 103) allowed only from your known neighbour to multicast space (224.0.0.0/3)
access-list 198 permit pim host xx.xx.xx.xx 224.0.0.0 31.255.255.255
!
! every other PIM source is dropped and logged; everything else passes
access-list 198 deny   pim any any log-input
access-list 198 permit ip any any
!
!end

Replace xx.xx.xx.xx with the real IP address if you have PIM running; if you
don't, remove that line.

> Is the "line vty" config only for telnet/ssh, etc. or is it the magic global
> that I'm looking for?

No. I don't think so.

-Basil @ CIFNet
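As an added example (not from Basil's post or from any Cisco tooling), the following Python evaluator parses the ACL quoted above, with the xx.xx.xx.xx placeholder filled by a constructed RFC 5737 documentation address, and reports what the list would do to a given packet under IOS first-match semantics with the implicit deny at the end. It is a way to sanity-check such a list before pushing it to hundreds of sub-interfaces.

```python
import ipaddress

# Constructed copy of the ACL from the post; xx.xx.xx.xx replaced with a
# documentation address (192.0.2.10) standing in for the PIM neighbour.
ACL_TEXT = """
no access-l 198
access-list 198 deny   53 any any log-input
access-list 198 deny   55 any any log-input
access-list 198 deny   77 any any log-input
!
access-list 198 permit pim host 192.0.2.10 224.0.0.0 31.255.255.255
!
access-list 198 deny   pim any any log-input
access-list 198 permit ip any any
"""

# Protocol keywords appearing in the list; None means "match any IP protocol".
PROTO_KEYWORDS = {"ip": None, "pim": 103}

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is what the ipaddress module calls a hostmask,
    # so 224.0.0.0 31.255.255.255 becomes 224.0.0.0/3.
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def parse_acl(text):
    """Return [(permit, proto_or_None, src_net, dst_net)] in listed order."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # skips '!' comments, blank lines and 'no access-l 198'
        action, proto = t[2], t[3]
        proto_num = PROTO_KEYWORDS[proto] if proto in PROTO_KEYWORDS else int(proto)
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)  # trailing 'log-input' is ignored
        rules.append((action == "permit", proto_num, src, dst))
    return rules

def evaluate(rules, proto, src, dst):
    """First matching entry wins; IOS applies an implicit deny if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, p, src_net, dst_net in rules:
        if (p is None or p == proto) and s in src_net and d in dst_net:
            return permit
    return False

ACL = parse_acl(ACL_TEXT)
```

Note that PIM from the listed neighbour to a unicast destination still falls through to the deny entry, because the permit line only covers 224.0.0.0/3.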
