nanog mailing list archives
Re: Land and Cisco question
From: Randy Bush <randy () psg com>
Date: Sat, 22 Nov 97 11:54 PST
I was *extremely* unclear in what I sent since I was running out the door. Most cisco routers run by ISPs (here on NANOG) have at least 50 interfaces (subinterfaces) and usually average 100. Each and every interface/subinterface has to be blocked. So it is either create an extended access list with all 100 individual interface addresses blocked (and update it as new customers get connected) or block by subnet, i.e. if all interfaces come from a 255.255.255.252 (/30) subnetted block, then block the whole /24. But then the problem I discussed below creeps up. Any recommendations on how to block this by subnet (assuming the router side always has the same bit position in the subnet)?
you still do not get it. NO PER-CUSTOMER CHANGE!

for each interface on a router, block tcp which is both to and from that interface.

the problem, of course, is the performance hit for packet filters on OC3s etc.

randy
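The per-interface rule Randy describes, worked through as an added example that is not part of either post: a checker for the "TCP both to and from the interface's own address" pattern, and a generator that emits one small Cisco IOS extended access list per interface so that connecting a new customer never edits an existing list. Interface names and addresses are constructed sample data.

```python
"""Per-interface Land filter as described in the thread: on each interface,
drop TCP whose source and destination are both that interface's own address.
Added example; interface names/addresses below are constructed, not real."""
from ipaddress import ip_address, ip_interface

# Constructed: three /30 customer subinterfaces and one core link.
# Only the router-side address of each /30 is relevant to the filter.
INTERFACES = {
    "Serial0/0.101": ip_interface("192.0.2.1/30"),
    "Serial0/0.102": ip_interface("192.0.2.5/30"),
    "Serial0/0.103": ip_interface("192.0.2.9/30"),
    "POS1/0": ip_interface("198.51.100.1/30"),
}


def is_land_packet(src, dst, proto, local_addrs):
    """True for a TCP packet that is both to and from one of the router's
    own addresses; this is exactly what the per-interface filter drops."""
    if proto.lower() != "tcp":
        return False
    src, dst = ip_address(src), ip_address(dst)
    return src == dst and src in local_addrs


def per_interface_filters(interfaces, base_acl=100):
    """Build one IOS extended access-list per interface (numbered 101, 102,
    ...) plus the matching 'ip access-group ... in'. Each list names only
    its own interface address, so a new customer means a new block and no
    edit to any shared list (no per-customer change)."""
    lines = []
    for n, (name, iface) in enumerate(sorted(interfaces.items()), start=1):
        acl = base_acl + n
        addr = iface.ip
        lines += [
            f"access-list {acl} deny tcp host {addr} host {addr}",
            f"access-list {acl} permit ip any any",
            f"interface {name}",
            f" ip access-group {acl} in",
        ]
    return lines


def audit(packets, interfaces):
    """Classify constructed (src, dst, proto) tuples as DROP or PASS."""
    local = {iface.ip for iface in interfaces.values()}
    return ["DROP" if is_land_packet(s, d, p, local) else "PASS"
            for s, d, p in packets]


if __name__ == "__main__":
    print("\n".join(per_interface_filters(INTERFACES)))
```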