[c-nsp] ip access list rfc1918 help please

Mike mike-cisconsplist at tiedyenetworks.com
Tue Jun 26 20:17:22 EDT 2012


On 06/24/2012 12:02 PM, Gert Doering wrote:
> Hi,
>
> On Sat, Jun 23, 2012 at 02:42:04PM -0700, Mike wrote:
>
>> 	I am trying to filter out rfc1918 addresses as either source or
>> destination addresses for my pppoe connected subscribers. Each
>>
> Why not
>
>    a) turn on uRPF filtering on the virtual-template
>       ("ip verify unicast reverse")
>       ->  this takes care of *any* garbage source address the customer
>       might send you, not just RFC1918 space  (see also BCP38).
>
>    b) null-route the RFC1918 space
>       ->  this takes care of the destination addresses
>
> that way you can get much more benefits with less effort.
>
> gert
>

Actually I do have urpf for exactly the reason you stated, but thanks. I 
had the filter turned around backwards so it was not being very 
effective. I added

radius-server attribute 11 default direction in

and suddenly the filter started to work as I thought it should, namely, 
stop packets from customers to rfc1918 space. Based on your and other 
inputs however, I'm beginning to rethink my strategy. I want to be able 
to bypass filtering in some cases, and I'd also like to have filtering 
based on a dynamic set... it's possible to null route bad destinations, 
but can a routing table be used to say 'drop all packets from these 
prefixes'?

Thanks.
Mike-
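The three pieces discussed in this thread (uRPF on the virtual-template, null routes for the RFC1918 blocks, and a per-subscriber ACL pushed by RADIUS Filter-Id with attribute 11 defaulting to the inbound direction) fit together in one IOS configuration. The fragment below is an added example, not configuration from Mike's or Gert's posts; the interface and ACL names, the loopback used for ip unnumbered, and the Filter-Id value are assumptions.

```cisco
! Added example, not configuration from the thread. Interface, loopback and
! ACL names and the Filter-Id value are assumed.
!
! (a) BCP38 on the subscriber side: strict uRPF on the virtual-template drops
!     any packet whose source address does not route back out the same PPPoE
!     session, which covers RFC1918 and every other spoofed source.
interface Virtual-Template1
 ip unnumbered Loopback0
 ip verify unicast source reachable-via rx
!
! (b) Null-route the RFC1918 blocks so customer traffic *to* them is
!     discarded. A more specific route (e.g. a real management subnet)
!     still wins over these aggregates, so they can stay in place.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
! (c) Per-subscriber ACL selected by RADIUS Filter-Id (attribute 11). With
!     "default direction in", a Filter-Id without an .in/.out suffix (here
!     the assumed value "rfc1918-in") is applied inbound on the session,
!     i.e. to packets coming from the customer. A subscriber whose RADIUS
!     profile carries no Filter-Id gets no ACL, which is the per-user
!     bypass.
radius-server attribute 11 default direction in
ip access-list extended rfc1918-in
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
```

On the closing question of using a routing table to drop packets *from* a set of prefixes: uRPF consults the FIB for the source address, so a source whose best route points to Null0 fails the check and is dropped in both strict (reachable-via rx) and loose (reachable-via any) mode. Adding or withdrawing Null0 routes for source prefixes therefore acts as a dynamic source drop list without touching the ACL; this is the source-based remotely triggered black hole technique. The subscriber's own session address is installed as a more specific /32, so a Null0 aggregate for a larger block does not affect legitimate customer traffic.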

