[c-nsp] PPPOE Filtering
Robert Blayzor
rblayzor at inoc.net
Tue Dec 12 20:30:30 EST 2006
Paul Stewart wrote:
> It would if I could permit pppoe and deny all on everything else...:)
>
> If I do it via ip ranges then there's nothing to stop someone from just
> putting a static address on their computer and still surfing .. And I
> need to leave an IP address on the interface so that I can reach the
> equipment instead...

How is that possible? Are you using public IP addresses to manage your
wireless radios? If so, that might be silly.

If you use RFC1918 space and use a subnet to manage your radios, then do:

access-list 10 permit 10.x.x.x 0.0.0.255
access-list 10 deny any log

interface fax/x
 ip address 10.x.x.x 255.255.255.0
 pppoe enable
 ip access-group 10 in

I didn't even know it was possible to have PPPoE enabled on a numbered
interface. (perhaps, but we don't)

> The only other thing I could do is convert the access points to private
> IP space (which is redistributed to the rest of our network anyways)
> making the access-point reachable but if a customer put their own
> private IP on their computer they couldn't get any further than our
> network making their connection pretty much useless...

Why are you not doing that anyway? Do people on the Internet need
access to your radios?

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: 0x66F90BFC @ http://pgp.mit.edu
Key fingerprint = 6296 F715 038B 44C1 2720 292A 8580 500E 66F9 0BFC
(A)bort, (R)etry, (P)anic?
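
Added example, not part of the original post: a simplified Python model of how the inbound standard ACL in the message above treats traffic arriving on the PPPoE-enabled interface. The subnet 10.20.30.0 is a constructed stand-in for the post's 10.x.x.x, and the function names and the assumption that PPPoE frames bypass the interface's IP ACL (they are not IP packets at that point) are this example's own.

```python
import ipaddress

ETH_IPV4 = 0x0800
ETH_PPPOE = {0x8863, 0x8864}  # PPPoE discovery and session EtherTypes

# access-list 10 from the post; 10.20.30.0 is a constructed value for 10.x.x.x
ACL_10 = [
    ("permit", "10.20.30.0", "0.0.0.255"),
    ("deny", "any", None),
]

def acl_match(src, addr, wildcard):
    """Standard-ACL match: wildcard bits set to 1 are 'don't care'."""
    if addr == "any":
        return True
    s = int(ipaddress.IPv4Address(src))
    a = int(ipaddress.IPv4Address(addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (s & care) == (a & care)

def evaluate_acl(acl, src):
    """First matching entry wins; fall through to the implicit deny."""
    for action, addr, wildcard in acl:
        if acl_match(src, addr, wildcard):
            return action
    return "deny"

def inbound(ethertype, src_ip=None):
    """Classify one frame received on the interface (simplified model)."""
    if ethertype in ETH_PPPOE:
        return "pppoe"  # handed to PPPoE; 'ip access-group 10 in' is not consulted
    if ethertype == ETH_IPV4:
        return evaluate_acl(ACL_10, src_ip)
    return "not-ip"

if __name__ == "__main__":
    # Constructed sample frames: (EtherType, source IP or None)
    samples = [
        (0x8864, None),            # subscriber PPPoE session frame
        (0x0800, "10.20.30.5"),    # radio in the management subnet
        (0x0800, "192.0.2.10"),    # static public address, no PPPoE
        (0x0800, "192.168.1.50"),  # static private address outside the subnet
    ]
    for ethertype, src in samples:
        print(hex(ethertype), src, "->", inbound(ethertype, src))
```

The ACL matches on source address only, so it separates the management subnet from everything else; subscriber traffic is expected to arrive inside PPPoE sessions rather than as native IP on this interface.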