nanog mailing list archives
Re: Land and Cisco question
From: Alex Bligh <amb () gxn net>
Date: Sat, 22 Nov 1997 20:13:42 +0000
> > So it is either create an extended access list with all 100 individual interface addresses blocked
>
> you still do not get it. NO PER-CUSTOMER CHANGE! for each interface on a router block tcp which is both to and from that interface
Um, if your concentrator router has one interface per L/L customer (or one subinterface per customer), you *do* need to add another line to the extended ACL for each new subinterface added, which looks like

    access-list 164 deny ip n.n.n.n 0.0.0.0 n.n.n.n 0.0.0.0

where n.n.n.n is the ip address of the new subinterface on the concentrator router, because the ACL has one line per (sub)interface on the router.

However many of us (I think) don't run with a new subinterface for each new customer, and a still easier fix is to upgrade to one of the non-vulnerable IOS versions (there being at least one for each of 10.3, 11.0, 11.1 & 11.2).

--
Alex Bligh
GX Networks (formerly Xara Networks)
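The per-(sub)interface bookkeeping described in the message above can be audited mechanically. The following is an added example, not part of the original post: it reads a router configuration, collects every interface address, and reports the `access-list 164` deny lines that are still missing. The sample configuration, its addresses (documentation ranges) and the function names are constructed for illustration.

```python
import re

# Constructed sample config (not from the post). Serial0.3 was added
# without a matching ACL line, and it also carries a secondary address.
SAMPLE_CONFIG = """\
interface Serial0.1 point-to-point
 ip address 192.0.2.1 255.255.255.252
interface Serial0.2 point-to-point
 ip address 192.0.2.5 255.255.255.252
interface Serial0.3 point-to-point
 ip address 192.0.2.9 255.255.255.252
 ip address 198.51.100.1 255.255.255.0 secondary
interface Serial0.4 point-to-point
 no ip address
access-list 164 deny ip 192.0.2.1 0.0.0.0 192.0.2.1 0.0.0.0
access-list 164 deny ip 192.0.2.5 0.0.0.0 192.0.2.5 0.0.0.0
access-list 164 permit ip any any
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+" + IP + r"\s+\S+")

def interface_addresses(config):
    """Return [(interface, address)] for every address configured on the router."""
    found, current = [], None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
        elif line and not line[0].isspace():
            current = None          # left the interface block
        elif current and (m := ADDR_RE.match(line)):
            found.append((current, m.group(1)))
    return found

def covered_addresses(config, acl=164):
    """Addresses that already have a deny line with source == destination."""
    pat = re.compile(rf"^access-list\s+{acl}\s+deny\s+ip\s+{IP}\s+0\.0\.0\.0\s+{IP}\s+0\.0\.0\.0\s*$")
    matches = (pat.match(line) for line in config.splitlines())
    return {m.group(1) for m in matches if m and m.group(1) == m.group(2)}

def missing_lines(config, acl=164):
    """ACL lines, in the form quoted in the post, for addresses not yet covered."""
    covered = covered_addresses(config, acl)
    return [f"access-list {acl} deny ip {a} 0.0.0.0 {a} 0.0.0.0"
            for _, a in interface_addresses(config) if a not in covered]

if __name__ == "__main__":
    print("\n".join(missing_lines(SAMPLE_CONFIG)))
```

Any missing deny lines have to be placed ahead of the list's final permit entry to take effect.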