[c-nsp] access lists for cpe protection

Keegan Holley no.spam at comcast.net
Sun Mar 2 14:16:07 EST 2014


Can you move the ACL to a beefier device and/or closer to the source?  The 7200 (non-VXR) isn't exactly bleeding edge.

On Mar 2, 2014, at 2:05 PM, Mike <mike-cisconsplist at tiedyenetworks.com> wrote:

> On 03/02/2014 09:33 AM, Nick Hilliard wrote:
>> On 28/02/2014 18:35, Mike wrote:
>>>     So my question is, can I optimize this to reduce router load? Oh, I
>>> have this on 7201.
>> It may help if you enable "access-list compiled" in global config mode -
>> google for "Turbo ACLs" for information on how this works.  If this doesn't
>> help, then you're gonna need a bigger boat.
>> 
>> That's one seriously aggressive ACL you have.  I'm glad I'm not at the
>> receiving end of it.
>> 
> 
> I should have said I do have access-list compiled already, I was just wondering if there was something else like ordering of the rules or expressions that might improve it a bit.
> 
> As far as the aggressiveness of the ACL, yep you are right, but keep in mind this is only blocking inbound requests made TO customer CPE, such as DNS queries, SNMP, web management interface, and so forth. On the plus side, any customer can request an opt-out and I'll happily remove it for them (it's just a RADIUS group they are a member of). The necessity of having to do this in the first place is that customer CPE are under attack and have been hijacked en masse, resulting in massive support calls from folks who are just as ignorant as their equipment manufacturer and who are dissatisfied with having to bring the device to us so it can be reset, reprogrammed, and secured (update fw or alternate fw like dd-wrt or such).
> 
> Thanks.
> 
> Mike-
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
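For readers following the thread, here is an added IOS configuration sketch (not from any poster in the thread) of the kind of CPE-protection ACL under discussion: one deny entry per abused service toward the customer pool, ordered so the entries that match most traffic come first, with "access-list compiled" (Turbo ACL) enabled. The prefix 192.0.2.0/24, the ACL name, and the interface are constructed placeholders.

```cisco
! Added example, not the thread's own config.
! 192.0.2.0/24 stands in for the customer CPE pool (placeholder).
ip access-list extended CPE-PROTECT
 remark Most frequently matched denies first: one per service exposed on CPE
 deny   udp any 192.0.2.0 0.0.0.255 eq domain
 deny   udp any 192.0.2.0 0.0.0.255 eq snmp
 deny   tcp any 192.0.2.0 0.0.0.255 eq www
 deny   tcp any 192.0.2.0 0.0.0.255 eq 443
 deny   tcp any 192.0.2.0 0.0.0.255 eq telnet
 remark All other traffic toward customers is unaffected
 permit ip any any
!
! Turbo ACL: lookup cost no longer grows with the number of entries
access-list compiled
!
interface GigabitEthernet0/1
 description Upstream-facing link, filtering traffic destined to customers
 ip access-group CPE-PROTECT in
```

Two checks worth making on the box: "show ip access-lists CPE-PROTECT" gives per-entry match counters, which is the data you want before reordering entries by hit rate; and "show access-list compiled" confirms the ACL actually compiled rather than falling back to a sequential walk. Once an ACL is compiled, lookup time is roughly constant regardless of where an entry sits, so entry ordering buys little there; ordering matters mainly where the compiled form is not in effect, and the bigger win is the point Keegan raises, filtering on a stronger device nearer the source.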