nanog mailing list archives

Re: Land and Cisco question


From: Randy Bush <randy () psg com>
Date: Sat, 22 Nov 97 11:54 PST

I was *extremely* unclear in what I sent since I was running out the door.
Most cisco routers run by ISPs (here on NANOG) have at least 50 interfaces
(subinterfaces) and usually average 100.  Each and every
interface/subinterface has to be blocked.  So it is either create an
extended access list with all 100 individual interface addresses blocked
(and update it as new customers get connected) or block by subnet, i.e. if
all interfaces come from a 255.255.255.252 (/30) subnetted block, then block
the whole /24.  But then the problem I discussed below creeps up.  Any
recommendations on how to block this by subnet (assuming the router side
always has the same bit position in the subnet)?

you still do not get it.  NO PER-CUSTOMER CHANGE!

for each interface on a router
  block tcp which is both to and from that interface

the problem, of course, is the performance hit for packet filters on OC3s
etc.

randy
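The per-interface rule sketched above, as an added Python example (not code from the original message or from any router vendor): the filter is derived from the router's own interface list, so connecting a new customer adds an interface, not a hand edit of the access list. The ACL number and addresses are constructed; the IOS rendering is illustrative.

```python
# Added example: build a Land filter from a router's interface addresses.
# A Land packet is TCP whose source address equals its destination address,
# so each interface gets one rule denying TCP both to and from that address.
from ipaddress import ip_address
from typing import Iterable, List, Tuple

Rule = Tuple[str, str, str, str]  # (action, proto, src, dst); "any" is a wildcard


def land_rules(interfaces: Iterable[str]) -> List[Rule]:
    """One deny-TCP rule per interface address, then permit everything else."""
    rules: List[Rule] = []
    for addr in interfaces:
        host = str(ip_address(addr))  # validates the address, normalises its text
        rules.append(("deny", "tcp", host, host))
    rules.append(("permit", "ip", "any", "any"))
    return rules


def render_ios(rules: List[Rule], acl_number: int = 101) -> List[str]:
    """Render the rules as Cisco IOS extended access-list lines (constructed ACL number)."""
    out = []
    for action, proto, src, dst in rules:
        s = "any" if src == "any" else f"host {src}"
        d = "any" if dst == "any" else f"host {dst}"
        out.append(f"access-list {acl_number} {action} {proto} {s} {d}")
    return out


def _match(field: str, value: str) -> bool:
    return field == "any" or field == value


def acl_action(rules: List[Rule], src: str, dst: str, proto: str = "tcp") -> str:
    """Evaluate a packet against the list in order; first match wins.
    An unmatched packet is denied, mirroring the implicit deny at the end of an IOS ACL."""
    src, dst = str(ip_address(src)), str(ip_address(dst))
    for action, rproto, rsrc, rdst in rules:
        if (rproto == "ip" or rproto == proto) and _match(rsrc, src) and _match(rdst, dst):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed interface table for a small router; real routers carry far more.
    rules = land_rules(["192.0.2.1", "192.0.2.5", "192.0.2.9"])
    print("\n".join(render_ios(rules)))
    print(acl_action(rules, "192.0.2.5", "192.0.2.5"))      # Land packet: deny
    print(acl_action(rules, "198.51.100.7", "192.0.2.5"))   # ordinary traffic: permit
```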

