[c-nsp] ip access list rfc1918 help please
Mike
mike-cisconsplist at tiedyenetworks.com
Tue Jun 26 20:17:22 EDT 2012
On 06/24/2012 12:02 PM, Gert Doering wrote:
> Hi,
>
> On Sat, Jun 23, 2012 at 02:42:04PM -0700, Mike wrote:
>
>> I am trying to filter out rfc1918 addresses as either source or
>> destination addresses for my pppoe connected subscribers. Each
>>
> Why not
>
> a) turn on uRPF filtering on the virtual-template
> ("ip verify unicast reverse")
> -> this takes care of *any* garbage source address the customer
> might send you, not just RFC1918 space (see also BCP38).
>
> b) null-route the RFC1918 space
> -> this takes care of the destination addresses
>
> that way you can get much more benefits with less effort.
>
> gert
>
Actually I do have urpf for exactly the reason you stated, but thanks. I
had the filter turned around backwards so it was not being very
effective. I added
radius-server attribute 11 default direction in
and suddenly the filter started to work as I thought it should, namely,
stop packets from customers to rfc1918 space. Based on your and other
inputs however, I'm beginning to rethink my strategy. I want to be able
to bypass filtering in some cases, and I'd also like to have filtering
based on a dynamic set... it's possible to null route bad destinations,
but can a routing table be used to say 'drop all packets from these
prefixes'?
Thanks.
Mike-
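The pieces discussed in this thread (an RFC 1918 ACL pushed per subscriber via RADIUS Filter-Id, null routes for the destination side, uRPF for the source side) put together as an added IOS configuration example; this is not config from the original posts, interface and loopback names are assumptions, and the dynamic "drop by source prefix" part at the end relies on loose-mode uRPF treating a source whose best route points to Null0 as failing the check (the mechanism RFC 5635 source-based RTBH uses):

```cisco
! --- Destination side: RFC 1918 space has nowhere to go (Gert's point b) ---
ip route 10.0.0.0     255.0.0.0     Null0
ip route 172.16.0.0   255.240.0.0   Null0
ip route 192.168.0.0  255.255.0.0   Null0
!
! --- Per-subscriber ACL, applied inbound from the customer ---
! With "radius-server attribute 11 default direction in" (from the thread),
! a Filter-Id of "rfc1918" selects this list inbound on the virtual access
! interface.  Subscribers that should bypass the filter simply get no
! Filter-Id attribute in their RADIUS profile.
ip access-list extended rfc1918
 remark block private space as destination; uRPF already covers the source side
 deny   ip any 10.0.0.0     0.255.255.255
 deny   ip any 172.16.0.0   0.15.255.255
 deny   ip any 192.168.0.0  0.0.255.255
 permit ip any any
!
! --- Source side on the subscriber template: strict uRPF (Gert's point a) ---
! A PPPoE subscriber may only source packets from the address routed back
! to it over that session, so any spoofed source (RFC 1918 or otherwise)
! is dropped without an ACL entry per prefix.
interface Virtual-Template1
 ip unnumbered Loopback0          ! Loopback0 is an assumed name
 ip verify unicast source reachable-via rx
 peer default ip address pool SUBSCRIBERS   ! pool name is an assumption
 ppp authentication chap
!
! --- "Drop all packets FROM these prefixes" using the routing table ---
! Loose-mode uRPF on the upstream interface asks only "is there a route to
! this source?"; a source whose best route is Null0 fails the check, so the
! prefixes null-routed above, plus anything injected later (static routes
! or BGP-learned Null0 next hops), are dropped as sources as well.
interface GigabitEthernet0/0       ! upstream interface name is an assumption
 description uplink
 ip verify unicast source reachable-via any
!
! Check what uRPF is dropping and where:
! show ip interface Virtual-Access1 | include verify
! show ip traffic | include RPF
```

Strict mode (`reachable-via rx`) belongs on the subscriber-facing side where a single valid source address is known; loose mode (`reachable-via any`) belongs on the upstream where asymmetric routing is possible. Adding a prefix to the "drop as source" set then means installing one Null0 route rather than editing an ACL on every session.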