[c-nsp] Simple ACL not working 7600

Frank Bulk frnkblk at iname.com
Mon Aug 4 22:01:40 EDT 2014


Unfortunately I'm not in the position to dictate which routers my
residential subscribers use on their broadband connection, and the quantity
of subs (over 1000) makes forcing them to remediate nigh impossible.  In
fact, there may not be vendor code to resolve it.

So while in general I agree with your position (which I've seen you argue
before), in practice, in this case, it's not cost effective to implement it.
For open NTP and SNMP we are contacting customers and having them resolve
it.  Almost 100% of the time that's a configuration issue, not a firmware
issue.

Frank

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
Roland Dobbins
Sent: Monday, August 04, 2014 8:09 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Simple ACL not working 7600


On Aug 5, 2014, at 7:17 AM, Frank Bulk <frnkblk at iname.com> wrote:

> I applied an ACL on our CMTS last week and that was very effective in
> resolving that gap

You do understand that this is going to randomly break stuff for your
subscribers, yes?

The best way to resolve this issue is to remediate the abusable CPE and/or
work with customers to get it remediated, if it isn't CPE you own/operate.

If you have to do this temporarily whilst remediation is taking place,
herding the abusable CPE together in terms of CIDR blocks and then doing
this only for the CIDR blocks in question will minimize the scope of any
collateral issues.

But blocking high ports towards your subscribers as a permanent blanket
policy causes problems and isn't the way to permanently resolve issues of
this nature.

----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

                   Equo ne credite, Teucri.

                          -- Laocoön
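Roland's suggestion of scoping the filter to the CIDR blocks that hold the abusable CPE, rather than a blanket high-port block, as an added example (not code from the thread or from either poster): a Python helper that collapses a constructed list of subscriber CPE addresses into covering blocks and renders an IOS-style extended ACL that denies the abusable UDP services only toward those blocks. The address list, ACL name, /28 aggregation size and service list are assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample: subscriber CPE addresses found answering on abusable
# UDP services (hypothetical data, not taken from the thread).
ABUSABLE_CPE = [
    "198.51.100.5", "198.51.100.9", "198.51.100.14", "198.51.100.22",
    "203.0.113.130", "203.0.113.131", "203.0.113.140",
]

# The thread names open NTP and SNMP; the port mapping is standard.
ABUSABLE_UDP_PORTS: Dict[str, int] = {"ntp": 123, "snmp": 161}


def summarize_cpe(addrs: Iterable[str], max_prefixlen: int = 28) -> List[ipaddress.IPv4Network]:
    """Collapse individual CPE addresses into the covering CIDR blocks.

    Each host is widened to a /max_prefixlen block so that neighbouring
    subscribers share one entry, then adjacent blocks are merged. Anything
    outside these blocks stays unfiltered, which is the point of scoping.
    """
    nets = (ipaddress.ip_network(f"{a}/{max_prefixlen}", strict=False) for a in addrs)
    return list(ipaddress.collapse_addresses(nets))


def scoped_acl(name: str, blocks: Iterable[ipaddress.IPv4Network],
               ports: Dict[str, int]) -> List[str]:
    """Render an IOS-style named extended ACL: deny the listed UDP services
    toward each block, permit everything else (no 'any any' deny)."""
    lines = [f"ip access-list extended {name}"]
    for net in blocks:
        lines.append(f" remark abusable CPE block {net}")
        for svc, port in sorted(ports.items()):
            # IOS wildcard masks are the inverse of the netmask (hostmask).
            lines.append(f" deny udp any {net.network_address} {net.hostmask} eq {port}")
    lines.append(" permit ip any any")
    return lines


def in_scope(blocks: Iterable[ipaddress.IPv4Network], addr: str) -> bool:
    """True if a subscriber address would be affected by the scoped ACL."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocks)


if __name__ == "__main__":
    blocks = summarize_cpe(ABUSABLE_CPE)
    print("\n".join(scoped_acl("CPE-UDP-SCOPED", blocks, ABUSABLE_UDP_PORTS)))
```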

