[cisco-bba] ACLs on Virtual-Access templates

Arie Vayner arievayner at gmail.com
Sat Jan 31 16:49:25 EST 2009


Frank,

uRPF should be the right way to block packets from the client as a source...
After you connect, do you see the uRPF feature enabled on the Virtual-Access
(show run interface and show ip interface)?

Arie

On Sat, Jan 31, 2009 at 11:35 PM, Frank Bulk <frnkblk at iname.com> wrote:

> Is there a way to build an ACL on a Virtual-Access template such that the
> connection can only use the IP address given to it by IPCP?
>
> I applied strict uRPF to the Virtual-Access template, but that didn't stop
> this kind of traffic:
>
> Jan 31 15:23:21 a.b.c.d 38279: Jan 31 15:23:20.964 CST:
> %SEC-6-IPACCESSLOGP:
> list 125 denied udp 80.212.149.228(55190) -> 192.168.0.0(19427), 1 packet
> Jan 31 15:23:32 a.b.c.d 38287: Jan 31 15:23:31.476 CST:
> %SEC-6-IPACCESSLOGP:
> list 125 denied tcp 222.172.244.3(2047) -> 192.168.0.0(19427), 1 packet
> Jan 31 15:23:33 a.b.c.d 38288: Jan 31 15:23:32.784 CST:
> %SEC-6-IPACCESSLOGP:
> list 125 denied udp 151.48.173.200(25235) -> 192.168.0.0(19427), 1 packet
> Jan 31 15:23:36 a.b.c.d 38290: Jan 31 15:23:34.884 CST:
> %SEC-6-IPACCESSLOGP:
> list 125 denied udp 58.108.93.71(13502) -> 192.168.0.0(19427), 1 packet
>
> Those source IPs aren't mine, and are targeting an RFC 1918 address.  I'm
> blocking traffic originating from my PPPoA/E customers that use a source IP
> address outside my netblock or are targeting an RFC 1918 address using an
> inbound ACL on the Virtual-Access template, but it doesn't stop a customer
> from spoofing their neighbor's IP address.
>
> I've had a basic ACL in place on our internet-facing Ethernet port (Cisco
> 7206VXR with NPE-400) for a long time, but I didn't have anything in place
> to block RFC 1918 addresses.  I could have applied the rules to the ACL on
> the Ethernet interface, but I've been told to apply an ACL as close as
> possible to the source of the traffic.
>
> To further complicate matters, I also use this router to route RFC 1918
> space for corporate needs.  I keep that "separate" by using source-based
> routing, but that didn't prevent PPPoA/E customers from sending a packet to
> the RFC 1918 space, even if the return packet never got back to them.
> Perhaps I should use a VRF for handling corporate traffic, except that I've
> never done that before and I would need to spend some time learning.
>
> Frank
>
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
>
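An added example, not part of the thread: a small Python script that parses %SEC-6-IPACCESSLOGP lines of the form Frank quoted and tags each denied packet as having a source outside the provider's netblock, an RFC 1918 destination, or both, so the two problems he describes (customers spoofing a neighbour's address and customers reaching RFC 1918 space) can be counted separately. The provider netblock 203.0.113.0/24 and the sample log lines are constructed placeholders, since the real netblock is not given in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the %SEC-6-IPACCESSLOGP format quoted in the thread;
# "a.b.c.d" stands in for the router's syslog source address, as in the original post.
SAMPLE_LOG = """\
Jan 31 15:23:21 a.b.c.d 38279: Jan 31 15:23:20.964 CST: %SEC-6-IPACCESSLOGP: list 125 denied udp 80.212.149.228(55190) -> 192.168.0.0(19427), 1 packet
Jan 31 15:23:32 a.b.c.d 38287: Jan 31 15:23:31.476 CST: %SEC-6-IPACCESSLOGP: list 125 denied tcp 222.172.244.3(2047) -> 192.168.0.0(19427), 1 packet
Jan 31 15:23:40 a.b.c.d 38291: Jan 31 15:23:39.100 CST: %SEC-6-IPACCESSLOGP: list 125 denied tcp 203.0.113.7(40000) -> 10.5.5.5(22), 3 packets
Jan 31 15:23:41 a.b.c.d 38292: Jan 31 15:23:40.200 CST: %SEC-6-IPACCESSLOGP: list 125 denied udp 203.0.113.9(53) -> 198.51.100.20(53), 1 packet
"""

# Hypothetical provider netblock (documentation range); the real one is not in the thread.
PROVIDER_NETBLOCK = ipaddress.ip_network("203.0.113.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the IOS ACL log message: list, action, protocol, src(port) -> dst(port), packet count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_line(line):
    """Return a dict of fields for one IPACCESSLOGP line, or None if the line doesn't match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    d["count"] = int(d["count"])
    return d

def classify(entry):
    """Tag a parsed entry: source outside our netblock (spoofed), RFC 1918 destination, or both."""
    tags = []
    if entry["src"] not in PROVIDER_NETBLOCK:
        tags.append("spoofed-source")
    if any(entry["dst"] in n for n in RFC1918):
        tags.append("rfc1918-destination")
    return tuple(tags)

def summarize(log_text):
    """Sum denied packet counts per tag set across all matching lines."""
    totals = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            totals[classify(entry)] += entry["count"]
    return totals

if __name__ == "__main__":
    for tags, packets in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{packets:4d} packets  {', '.join(tags) or 'no tag'}")
```

Lines from a customer's assigned address to a public destination get no tag, which is the traffic an inbound Virtual-Access ACL should leave alone.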