[c-nsp] access lists for cpe protection
Mike
mike-cisconsplist at tiedyenetworks.com
Sun Mar 2 14:05:50 EST 2014
On 03/02/2014 09:33 AM, Nick Hilliard wrote:
> On 28/02/2014 18:35, Mike wrote:
>> So my question is, can I optimize this to reduce router load? Oh, I
>> have this on 7201.
> It may help if you enable "access-list compiled" in global config mode -
> google for "Turbo ACLs" for information on how this works. If this doesn't
> help, then you're gonna need a bigger boat.
>
> That's one seriously aggressive ACL you have. I'm glad I'm not at the
> receiving end of it.
>
I should have said I do have access-list compiled already, I was just
wondering if there was something else like ordering of the rules or
expressions that might improve it a bit.
As far as the aggressiveness of the acl, yep you are right, but keep in
mind this only is blocking inbound requests made TO customer CPE, such
as dns queries, snmp, web management interface, and so forth. On the
plus side, any customer can request an opt-out and I'll happily remove
it for them (it's just a RADIUS group they are a member of). The
necessity of having to do this in the first place is that customer CPE
are under attack and have been hijacked en masse, resulting in massive
support calls from folks who are just as ignorant as their equipment
manufacturer and who are dissatisfied with having to bring the device to
us so it can be reset, reprogrammed, and secured (update fw or alternate
fw like dd-wrt or such).
Thanks.
Mike-
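On the ordering question above: for a classic (non-compiled) extended ACL the router walks the entries top to bottom until the first match, so the average number of entries evaluated per packet depends on where the frequently hit entries sit. With `access-list compiled` (Turbo ACL) the lookup is table driven and largely independent of entry order, which is why ordering buys little once that is on. The script below is an added example, not code from the thread or from Cisco: it reads the `(N matches)` counters in the format `show ip access-lists` prints, moves frequently hit entries earlier, and refuses to move an entry past an overlapping entry with the opposite action (that would change what is permitted or denied). The ACL named `cpe-protect` and its match counts are constructed for the example; the parser only understands the subset of ACE syntax used in that sample (`any`, `host A.B.C.D`, `A.B.C.D wildcard`, destination `eq port`).

```python
"""Reorder an IOS extended ACL by hit count without changing its semantics.

Added example; the ACL below is constructed, not taken from a real router.
Two adjacent entries may be swapped only when no packet could match both
with different outcomes, i.e. when they do not overlap or they share the
same action. Applying only such swaps keeps first-match behaviour intact.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample mimicking `show ip access-lists` output.
SAMPLE = """\
Extended IP access list cpe-protect
    10 permit udp host 192.0.2.10 10.1.0.0 0.0.255.255 eq 161 (30 matches)
    20 deny udp any 10.1.0.0 0.0.255.255 eq 53 (120 matches)
    30 deny udp any 10.1.0.0 0.0.255.255 eq 161 (150 matches)
    40 deny tcp any 10.1.0.0 0.0.255.255 eq 80 (40 matches)
    50 deny tcp any 10.1.0.0 0.0.255.255 eq 8080 (7000 matches)
    60 deny tcp any 10.1.0.0 0.0.255.255 eq 23 (8 matches)
    70 permit ip any any (900000 matches)
"""

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<rest>.+?)\s*(?:\((?P<hits>\d+) matches\))?\s*$"
)


@dataclass(frozen=True)
class Addr:
    base: int  # address as a 32-bit integer
    wild: int  # IOS wildcard mask: 1 bits are "don't care"

    def overlaps(self, other: "Addr") -> bool:
        # Two wildcard-masked sets intersect iff they agree on every bit
        # that both of them care about.
        care = ~(self.wild | other.wild) & 0xFFFFFFFF
        return (self.base ^ other.base) & care == 0


ANY = Addr(0, 0xFFFFFFFF)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: Addr
    dst: Addr
    dport: Optional[int]  # None means "any destination port"
    hits: int


def ip2int(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def parse_addr(tokens: List[str], i: int) -> Tuple[Addr, int]:
    """Parse `any`, `host A.B.C.D` or `A.B.C.D W.W.W.W` starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return Addr(ip2int(tokens[i + 1]), 0), i + 2
    return Addr(ip2int(tokens[i]), ip2int(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Optional[Ace]:
    m = ACE_RE.match(line)
    if not m:
        return None  # header line or syntax this example does not handle
    tokens = m.group("rest").split()
    src, i = parse_addr(tokens, 0)
    dst, i = parse_addr(tokens, i)
    dport = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i] == "eq" else None
    return Ace(int(m.group("seq")), m.group("action"), m.group("proto"),
               src, dst, dport, int(m.group("hits") or 0))


def parse_acl(text: str) -> List[Ace]:
    return [a for a in (parse_ace(l) for l in text.splitlines()) if a]


def overlaps(a: Ace, b: Ace) -> bool:
    """True if some packet could match both entries."""
    proto = a.proto == b.proto or "ip" in (a.proto, b.proto)
    port = a.dport is None or b.dport is None or a.dport == b.dport
    return proto and port and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)


def conflicts(a: Ace, b: Ace) -> bool:
    """Swapping a and b would change the ACL's behaviour."""
    return a.action != b.action and overlaps(a, b)


def reorder(aces: List[Ace]) -> List[Ace]:
    """Insertion sort by hits, descending, using only semantics-preserving swaps."""
    out = list(aces)
    for i in range(1, len(out)):
        j = i
        while j > 0 and out[j].hits > out[j - 1].hits and not conflicts(out[j - 1], out[j]):
            out[j - 1], out[j] = out[j], out[j - 1]
            j -= 1
    return out


def evaluations(aces: List[Ace]) -> int:
    """Total ACE comparisons for the observed traffic under first-match lookup."""
    return sum((i + 1) * a.hits for i, a in enumerate(aces))


def optimise(text: str) -> Tuple[List[int], int, int]:
    aces = parse_acl(text)
    new = reorder(aces)
    return [a.seq for a in new], evaluations(aces), evaluations(new)


if __name__ == "__main__":
    order, before, after = optimise(SAMPLE)
    total = sum(a.hits for a in parse_acl(SAMPLE))
    print("new sequence order:", order)
    print(f"avg ACEs evaluated per packet: {before / total:.3f} -> {after / total:.3f}")
```

Note that the final `permit ip any any` cannot move above any of the denies, so the catch-all still costs a full walk of the list for most traffic; that is the part of the load that ordering cannot fix and that Turbo ACL (or a shorter list) does.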