[c-nsp] PPPOE Filtering

Paul Stewart pstewart at nexicomgroup.net
Tue Dec 12 20:36:30 EST 2006


These are valid questions.. And yes, originally outside sources needed
direct access to the equipment ... Now, that's not the case...:)

We have *some* sites with numbered interfaces running PPPOE at this
point so we know it works (unfortunately now looking back)...

Thanks for the input... We'll move the AP's to RFC1918 space (which we
should do anyways), apply the access lists and that should control the
potential problem we're seeing.  For the record, only our access
points are in public space.. The actual end-user radios are all in
private IP space already (500+ of them) :)

Take care,

Paul
 

-----Original Message-----
From: Robert Blayzor [mailto:rblayzor at inoc.net] 
Sent: Tuesday, December 12, 2006 8:31 PM
To: Paul Stewart
Cc: Joe Maimon; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PPPOE Filtering

Paul Stewart wrote:
> It would if I could permit pppoe and deny all on everything else...:)
> 
> If I do it via ip ranges then there's nothing to stop someone from 
> just putting a static address on their computer and still surfing .. 
> And I need to leave an IP address on the interface so that I can reach
> the equipment instead...


How is that possible?  Are you using public IP addresses to manage your
wireless radios?  If so, that might be silly.

If you use RFC1918 space and use a subnet to manage your radios, then
do:

access-list 10 permit 10.x.x.x 0.0.0.255
access-list 10 deny any log

interface fax/x
  ip address 10.x.x.x 255.255.255.0
  pppoe enable
  ip access-group 10 in


I didn't even know it was possible to have PPPoE enabled on a numbered
interface.  (perhaps, but we don't)


> The only other thing I could do is convert the access points to 
> private IP space (which is redistributed to the rest of our network 
> anyways) making the access-point reachable but if a customer put their
> own private IP on their computer they couldn't get any further than 
> our network making their connection pretty much useless...

Why are you not doing that anyway?  Do people on the Internet need
access to your radios?

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: 0x66F90BFC @ http://pgp.mit.edu
Key fingerprint = 6296 F715 038B 44C1 2720  292A 8580 500E 66F9 0BFC

(A)bort, (R)etry, (P)anic?
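A fuller version of the configuration Robert sketches above, added here as an example and not part of the thread itself: the interface facing the access points is numbered in RFC1918 space, a standard ACL admits plain IP only from the management subnet, and PPPoE is enabled on the same interface so customer sessions still come up. The interface name, the 10.50.1.0/24 management subnet, the address pool, and the bba-group and Virtual-Template names are assumptions chosen for illustration.

```cisco
! Added example, not configuration from the thread. Assumptions: the
! access points hang off FastEthernet0/1, the radios/management subnet is
! 10.50.1.0/24 with the router at 10.50.1.1, customer sessions terminate
! on Virtual-Template1 and get addresses from pool PPPOE-POOL.
!
! Standard ACL: only the management subnet may source plain IP toward us.
! The final "deny any log" makes the implicit deny explicit and logs hits,
! which is how you spot a customer who set a static address to bypass PPPoE.
access-list 10 remark Management subnet for wireless APs and radios only
access-list 10 permit 10.50.1.0 0.0.0.255
access-list 10 deny   any log
!
! Loopback used as the unnumbered source for the PPPoE sessions.
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
! PPPoE server: incoming sessions are cloned from Virtual-Template1.
bba-group pppoe global
 virtual-template 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ppp authentication chap
 peer default ip address pool PPPOE-POOL
!
! Numbered, RFC1918-addressed interface toward the access points.
! "ip access-group 10 in" only inspects IP packets; PPPoE discovery
! (ethertype 0x8863) and session (0x8864) frames are not IP and pass
! untouched, so customers can still establish PPPoE sessions.
interface FastEthernet0/1
 description Towards wireless access points (numbered, RFC1918)
 ip address 10.50.1.1 255.255.255.0
 ip access-group 10 in
 pppoe enable group global
!
! Public addresses handed to authenticated PPPoE customers.
ip local pool PPPOE-POOL 203.0.113.10 203.0.113.250
```

Two caveats worth keeping in mind. A standard ACL matches on source address only, so a customer who self-assigns an address inside 10.50.1.0/24 will match the permit line; the ACL complements, rather than replaces, keeping that subnet unrouted toward the Internet, which is what makes a static customer address useless beyond the provider network. And "deny any log" on a busy customer-facing segment can generate a lot of syslog and CPU load, so watch the router after enabling it and consider IOS's ACL logging rate limits if the volume is a problem.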


