[cisco-bba] ACLs on Virtual-Access templates

Tony td_miles at yahoo.com
Sat Jan 31 17:25:27 EST 2009


Hi Frank,

Unicast Reverse Path Forwarding might achieve what you are trying to do. 

I'll let the links explain it better than I can :)

http://en.wikipedia.org/wiki/URPF
http://www.cisco.com/en/US/docs/ios/12_1t/12_1t2/feature/guide/rpf_plus.html

Now might be a good time to start doing some reading about VRF, even if you don't implement it straight away.



regards,
Tony.

--- On Sun, 1/2/09, Frank Bulk <frnkblk at iname.com> wrote:

> From: Frank Bulk <frnkblk at iname.com>
> Subject: [cisco-bba] ACLs on Virtual-Access templates
> To: cisco-bba at puck.nether.net
> Date: Sunday, 1 February, 2009, 8:35 AM
> Is there a way to build an ACL on a Virtual-Access template such that the connection can only use the IP address given to it by IPCP?
> 
> I applied strict uRPF to the Virtual-Access template, but that didn't stop this kind of traffic:
> 
> Jan 31 15:23:21 a.b.c.d 38279: Jan 31 15:23:20.964 CST: %SEC-6-IPACCESSLOGP: list 125 denied udp 80.212.149.228(55190) -> 192.168.0.0(19427), 1 packet
> Jan 31 15:23:32 a.b.c.d 38287: Jan 31 15:23:31.476 CST: %SEC-6-IPACCESSLOGP: list 125 denied tcp 222.172.244.3(2047) -> 192.168.0.0(19427), 1 packet
> Jan 31 15:23:33 a.b.c.d 38288: Jan 31 15:23:32.784 CST: %SEC-6-IPACCESSLOGP: list 125 denied udp 151.48.173.200(25235) -> 192.168.0.0(19427), 1 packet
> Jan 31 15:23:36 a.b.c.d 38290: Jan 31 15:23:34.884 CST: %SEC-6-IPACCESSLOGP: list 125 denied udp 58.108.93.71(13502) -> 192.168.0.0(19427), 1 packet
> 
> Those source IPs aren't mine, and are targeting an RFC1918 address.  I'm blocking traffic originating from my PPPoA/E customers that use a source IP address outside my netblock or are targeting an RFC 1918 address using an inbound ACL on the Virtual-Access template, but it doesn't stop a customer from spoofing their neighbor's IP address.
> 
> I've had a basic ACL in place on our internet-facing Ethernet port (Cisco 7206VXR with NPE-400) for a long time, but I didn't have anything in place to block RFC 1918 addresses.  I could have applied the rules to the ACL on the Ethernet interface, but I've been told to apply an ACL as close as possible to the source of the traffic.
> 
> To further complicate matters, I also use this router to route RFC 1918 space for corporate needs.  I keep that "separate" by using source-based routing, but that didn't prevent PPPoA/E customers from sending a packet to the RFC 1918 space, even if the return packet never got back to them.  Perhaps I should use a VRF for handling corporate traffic, except that I've never done that before and I would need to spend some time learning.
> 
> Frank
> 
> _______________________________________________
> cisco-bba mailing list
> cisco-bba at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-bba
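A small detection helper, added here as an example and not part of the thread, that parses the %SEC-6-IPACCESSLOGP deny lines Frank quoted and tags each one as a spoofed source (outside an assumed operator netblock, 203.0.113.0/24) and/or an RFC 1918 destination. The netblock and the unrelated syslog line in the sample are constructed assumptions.

```python
import ipaddress
import re
# Assumption for this example: the operator's customer netblock (a documentation prefix).
OPERATOR_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the IOS %SEC-6-IPACCESSLOGP message body quoted in the post.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)
def parse_line(line):
    """Return the ACL log fields as a dict, or None if the line is not an ACL deny."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src"] = ipaddress.ip_address(entry["src"])
    entry["dst"] = ipaddress.ip_address(entry["dst"])
    entry["count"] = int(entry["count"])
    return entry
def in_any(addr, networks):
    return any(addr in net for net in networks)
def classify(entry):
    """Tag a deny with the two conditions the post's inbound ACL is meant to catch."""
    tags = set()
    if not in_any(entry["src"], OPERATOR_NETBLOCKS):
        tags.add("spoofed-source")       # source address is outside the operator's space
    if in_any(entry["dst"], RFC1918):
        tags.add("rfc1918-destination")  # destination is private address space
    return tags

def analyse(lines):
    """Parse and tag every ACL deny line; returns a list of (src, dst, tags)."""
    return [(str(e["src"]), str(e["dst"]), classify(e))
            for e in map(parse_line, lines) if e]

# Sample input: two lines from the post, re-joined as syslog emits them, plus one constructed unrelated line.
SAMPLE_LOG = [
    "Jan 31 15:23:21 a.b.c.d 38279: Jan 31 15:23:20.964 CST: %SEC-6-IPACCESSLOGP: list 125 denied udp 80.212.149.228(55190) -> 192.168.0.0(19427), 1 packet",
    "Jan 31 15:23:32 a.b.c.d 38287: Jan 31 15:23:31.476 CST: %SEC-6-IPACCESSLOGP: list 125 denied tcp 222.172.244.3(2047) -> 192.168.0.0(19427), 1 packet",
    "Jan 31 15:24:01 a.b.c.d 38291: Jan 31 15:24:00.100 CST: %LINK-3-UPDOWN: constructed unrelated message",
]

if __name__ == "__main__":
    for src, dst, tags in analyse(SAMPLE_LOG):
        print(f"{src} -> {dst}: {', '.join(sorted(tags))}")
```

A deny that carries neither tag is traffic the ACL rejected for some other reason and is worth a second look at the ACL rather than at the customer.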
