[cisco-bba] ACLs on Virtual-Access templates

Frank Bulk frnkblk at iname.com
Sat Jan 31 16:35:45 EST 2009


Is there a way to build an ACL on a Virtual-Access template such that the
connection can only use the IP address given to it by IPCP?

I applied strict uRPF to the Virtual-Access template, but that didn't stop
this kind of traffic:

Jan 31 15:23:21 a.b.c.d 38279: Jan 31 15:23:20.964 CST: %SEC-6-IPACCESSLOGP:
list 125 denied udp 80.212.149.228(55190) -> 192.168.0.0(19427), 1 packet
Jan 31 15:23:32 a.b.c.d 38287: Jan 31 15:23:31.476 CST: %SEC-6-IPACCESSLOGP:
list 125 denied tcp 222.172.244.3(2047) -> 192.168.0.0(19427), 1 packet
Jan 31 15:23:33 a.b.c.d 38288: Jan 31 15:23:32.784 CST: %SEC-6-IPACCESSLOGP:
list 125 denied udp 151.48.173.200(25235) -> 192.168.0.0(19427), 1 packet
Jan 31 15:23:36 a.b.c.d 38290: Jan 31 15:23:34.884 CST: %SEC-6-IPACCESSLOGP:
list 125 denied udp 58.108.93.71(13502) -> 192.168.0.0(19427), 1 packet

Those source IPs aren't mine, and are targeting an RFC1918 address.  I'm
blocking traffic originating from my PPPoA/E customers that use a source IP
address outside my netblock or are targeting an RFC 1918 address using an
inbound ACL on the Virtual-Access template, but it doesn't stop a customer
from spoofing their neighbor's IP address.

I've had a basic ACL in place on our internet-facing Ethernet port (Cisco
7206VXR with NPE-400) for a long time, but I didn't have anything in place
to block RFC 1918 addresses.  I could have applied the rules to the ACL on
the Ethernet interface, but I've been told to apply an ACL as close as
possible to the source of the traffic.

To further complicate matters, I also use this router to route RFC 1918
space for corporate needs.  I keep that "separate" by using source-based
routing, but that didn't prevent PPPoA/E customers from sending a packet to
the RFC 1918 space, even if the return packet never got back to them.
Perhaps I should use a VRF for handling corporate traffic, except that I've
never done that before and I would need to spend some time learning.

Frank
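As an added example (not part of the post or any Cisco tooling), a small defender-side triage script for the %SEC-6-IPACCESSLOGP lines quoted above: it parses each ACL hit and flags the two conditions Frank describes, a source address that is not one the operator hands out to customers over IPCP (i.e. spoofed) and a destination in RFC 1918 space. The customer netblock 203.0.113.0/24 and the last two log lines are constructed assumptions; the first two lines are the post's own.

```python
import ipaddress
import re

# RFC 1918 destinations that a customer session should never be sending to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the IOS ACL log mnemonic; the syslog prefix (timestamp, host, sequence) is ignored.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

# Constructed sample: two lines from the post plus two made-up lines for an in-block customer.
SAMPLE_LOG = """\
Jan 31 15:23:21 a.b.c.d 38279: Jan 31 15:23:20.964 CST: %SEC-6-IPACCESSLOGP: list 125 denied udp 80.212.149.228(55190) -> 192.168.0.0(19427), 1 packet
Jan 31 15:23:32 a.b.c.d 38287: Jan 31 15:23:31.476 CST: %SEC-6-IPACCESSLOGP: list 125 denied tcp 222.172.244.3(2047) -> 192.168.0.0(19427), 1 packet
Jan 31 15:24:01 a.b.c.d 38300: Jan 31 15:24:00.100 CST: %SEC-6-IPACCESSLOGP: list 125 denied tcp 203.0.113.7(40000) -> 10.1.2.3(445), 3 packets
Jan 31 15:24:05 a.b.c.d 38301: Jan 31 15:24:04.500 CST: %SEC-6-IPACCESSLOGP: list 125 permitted tcp 203.0.113.7(40001) -> 198.51.100.9(80), 1 packet
"""

def parse_acl_log_line(line):
    """Return the ACL hit fields as a dict, or None if the line is not an ACL log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["count"] = int(entry["count"])
    return entry

def classify(entry, customer_block):
    """Reasons a hit deserves follow-up: spoofed source and/or RFC 1918 destination."""
    reasons = []
    if ipaddress.ip_address(entry["src"]) not in customer_block:
        reasons.append("source outside customer block")
    dst = ipaddress.ip_address(entry["dst"])
    if any(dst in net for net in RFC1918):
        reasons.append("rfc1918 destination")
    return reasons

def audit(log_text, customer_block_cidr):
    """Parse every line and return (src, dst, reasons) for the hits that were flagged."""
    block = ipaddress.ip_network(customer_block_cidr)
    findings = []
    for line in log_text.splitlines():
        entry = parse_acl_log_line(line)
        if entry is None:
            continue
        reasons = classify(entry, block)
        if reasons:
            findings.append((entry["src"], entry["dst"], reasons))
    return findings
```

Running `audit(SAMPLE_LOG, "203.0.113.0/24")` flags the first three lines and leaves the legitimate in-block, public-destination hit alone.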
