Re: Filter subnets

From: Jared Mauch (jared@puck.nether.net)
Date: Thu Dec 07 2000 - 20:29:50 EST


        The filtering of 224.0.0.0/3 is a *bad* thing, as it breaks
multicast and protocols that use specific multicast groups, e.g. OSPF.

        Anyone who doesn't take this into account will cause major
issues as multicast (and specifically SSM) is deployed further in
this world.

        There are about 8k prefixes in the multicast routing tables, and
that number continues to grow daily.

        Yahoo! (broadcast.com) has been helping do this with the providers
who have less clueful upstreams with much success, and the clueful
providers are doing a reasonable job in deploying it.

(Verio is one notable provider missing from this list that does
have multicast deployed: http://www.stardust.com/multicast/providers.htm)

        Here's an ACL that I use, which you may find well suited
for your application. These aren't 'well aggregated' as far as filters
go, but they work well for me.

        - Jared

no ip access-list extended bogons
ip access-list extended bogons

! Deny TCP from multicast space (all of 224.0.0.0/4: wildcard 15.255.255.255,
! not 0.15.255.255, which would only cover 224.0.0.0/12)
deny tcp 224.0.0.0 15.255.255.255 any

! Deny rfc1918 space and other blocks reserved/unallocated by IANA as of Dec 2000
deny ip 0.0.0.0 0.255.255.255 any
deny ip 1.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 128.0.0.0 0.0.255.255 any
deny ip 128.66.0.0 0.0.255.255 any
deny ip 191.255.0.0 0.0.255.255 any
deny ip 192.0.0.0 0.0.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
deny ip 223.255.255.0 0.0.0.255 any
! Deny IANA reserved space - other than rfc1918 space
!IANA (RESERVED-3) RESERVED-3 128.0.0.0
! - NET-RESERVED-2 2.0.0.0/8
deny ip 2.0.0.0 0.255.255.255 any
!IANA (RESERVED-7) RESERVED-7 67.0.0.0 - 95.255.255.255
deny ip 67.0.0.0 0.255.255.255 any
deny ip 68.0.0.0 1.255.255.255 any
deny ip 70.0.0.0 1.255.255.255 any
deny ip 72.0.0.0 1.255.255.255 any
deny ip 74.0.0.0 1.255.255.255 any
deny ip 76.0.0.0 1.255.255.255 any
deny ip 78.0.0.0 1.255.255.255 any
deny ip 80.0.0.0 1.255.255.255 any
deny ip 82.0.0.0 1.255.255.255 any
deny ip 84.0.0.0 1.255.255.255 any
deny ip 86.0.0.0 1.255.255.255 any
deny ip 88.0.0.0 1.255.255.255 any
deny ip 90.0.0.0 1.255.255.255 any
deny ip 92.0.0.0 1.255.255.255 any
deny ip 94.0.0.0 1.255.255.255 any
!
deny ip 96.0.0.0 1.255.255.255 any
deny ip 98.0.0.0 1.255.255.255 any
deny ip 100.0.0.0 1.255.255.255 any
deny ip 102.0.0.0 1.255.255.255 any
deny ip 104.0.0.0 1.255.255.255 any
deny ip 106.0.0.0 1.255.255.255 any
deny ip 108.0.0.0 1.255.255.255 any
deny ip 110.0.0.0 1.255.255.255 any
deny ip 112.0.0.0 1.255.255.255 any
deny ip 114.0.0.0 1.255.255.255 any
deny ip 116.0.0.0 1.255.255.255 any
deny ip 118.0.0.0 1.255.255.255 any
deny ip 120.0.0.0 1.255.255.255 any
deny ip 122.0.0.0 1.255.255.255 any
deny ip 124.0.0.0 1.255.255.255 any
deny ip 126.0.0.0 1.255.255.255 any
!
permit ip any any
!
end

On Thu, Dec 07, 2000 at 06:42:49PM -0500, Kris Amundson wrote:
> I'm listing standard subnets for traffic and route filtering for a Cisco
> router template. Did I miss anything?
>
> Standard stuff:
> 0.0.0.0/8
> 10.0.0.0/8
> 127.0.0.0/8
> 169.254.0.0/16
> 172.16.0.0/14
> 192.0.2.0/24
> 192.168.0.0/16
>
> Additional:
> 1.0.0.0/8
> 2.0.0.0/8
> 5.0.0.0/8
> 7.0.0.0/8
> 23.0.0.0/8
> 27.0.0.0/8
> 31.0.0.0/8
> 36.0.0.0/8
> 37.0.0.0/8
> 39.0.0.0/8
> 41.0.0.0/8
> 42.0.0.0/8
> 49.0.0.0/8
> 50.0.0.0/8
> 58.0.0.0/7
> 60.0.0.0/8
> 67.0.0.0/8
> 68.0.0.0/6
> 72.0.0.0/5
> 80.0.0.0/4
> 96.0.0.0/3
> 197.0.0.0/8
> 218.0.0.0/7
> 220.0.0.0/6
> 224.0.0.0/3
>
> I'm unsure of all those additional subnets. I found them on a recommended
> reserved-space filter list.

-- 
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
END OF LINE  | Manager of IP networks built within my own home



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:23 EDT