[c-nsp] ip access list rfc1918 help please

Randy randy_94108 at yahoo.com
Tue Jun 26 21:31:10 EDT 2012


--- On Tue, 6/26/12, Mike <mike-cisconsplist at tiedyenetworks.com> wrote:

> From: Mike <mike-cisconsplist at tiedyenetworks.com>
> Subject: Re: [c-nsp] ip access list rfc1918 help please
> To: 
> Cc: "'Cisco-nsp'" <cisco-nsp at puck.nether.net>
> Date: Tuesday, June 26, 2012, 5:17 PM
> On 06/24/2012 12:02 PM, Gert Doering wrote:
> > Hi,
> > 
> > On Sat, Jun 23, 2012 at 02:42:04PM -0700, Mike wrote:
> >    
> >> I am trying to filter out rfc1918 addresses as either source or
> >> destination addresses for my pppoe connected subscribers. Each
> >>      
> > Why not
> > 
> >    a) turn on uRPF filtering on the virtual-template
> >       ("ip verify unicast reverse")
> >       ->  this takes care of *any* garbage source address the customer
> >       might send you, not just RFC1918 space  (see also BCP38).
> > 
> >    b) null-route the RFC1918 space
> >       ->  this takes care of the destination addresses
> > 
> > that way you can get much more benefits with less effort.
> > 
> > gert
> >    
> 
> Actually I do have urpf for exactly the reason you stated, but thanks. I had
> the filter turned around backwards so it was not being very effective. I added
> 
> radius-server attribute 11 default direction in
> 
> and suddenly the filter started to work as I thought it should, namely, stop
> packets from customers to rfc1918 space. Based on your and other inputs
> however, I'm beginning to rethink my strategy. I want to be able to bypass
> filtering in some cases, and I'd also like to have filtering based on a dynamic
> set... it's possible to null route bad destinations, but can a routing table be
> used to say 'drop all packets from these prefixes'?
> 
> Thanks.
> Mike-


Yes - 

"ip policy route-map foo"

route-map foo permit 10 will match an extended acl for desired source & dest prefixes,
and set next-hop to 192.0.2.1 (e.g.)

and a static route:

ip route 192.0.2.1 255.255.255.255 Null0

will do the trick.
./Randy
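Written out as an added example (not Randy's or Mike's own configuration), this is the PBR-to-Null0 arrangement the reply describes, in IOS syntax. The ACL and route-map names, the Virtual-Template1 interface name and the exempted subscriber address 198.51.100.7 (from the TEST-NET-2 documentation range) are placeholders I have assumed; 192.0.2.1 is the discard next-hop from the post.

```cisco
! Added example, not Randy's or Mike's own config: the PBR-to-Null0
! arrangement described in the reply, written out in IOS syntax.
! ACL and route-map names are placeholders; 198.51.100.7 is a
! constructed subscriber address from the TEST-NET-2 documentation range.
!
! 1. Select what to discard: anything with an RFC1918 source OR destination.
!    In a PBR ACL, "permit" means "hand this packet to the route-map", not
!    "forward it"; non-matching traffic hits the implicit deny and is
!    routed normally.
ip access-list extended RFC1918-PBR
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
!
! 2. Optional bypass (Mike asked for one): packets matched by this ACL
!    hit a deny sequence evaluated before the blackhole, so they are not
!    policy routed and follow the normal routing table instead.
ip access-list extended PBR-EXEMPT
 permit ip host 198.51.100.7 any
!
route-map PBR-BLACKHOLE deny 5
 match ip address PBR-EXEMPT
!
! 3. Everything else matching the RFC1918 ACL is steered at a next-hop
!    that exists only as a discard route (192.0.2.1, as in the reply).
route-map PBR-BLACKHOLE permit 10
 match ip address RFC1918-PBR
 set ip next-hop 192.0.2.1
!
! 4. The /32 to Null0 is what actually drops the packet.
ip route 192.0.2.1 255.255.255.255 Null0
!
! 5. Apply inbound on the subscriber-facing template so the policy is
!    evaluated on traffic arriving from the PPPoE sessions.
interface Virtual-Template1
 ip policy route-map PBR-BLACKHOLE
```

`show route-map PBR-BLACKHOLE` reports per-sequence match counts, which is the quickest way to confirm the policy is actually seeing subscriber traffic rather than being skipped the way Mike's backwards filter was.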


