[c-nsp] Bulk applying filters to subinterfaces

Charles Sprickman spork at bway.net
Thu Sep 18 21:56:01 EDT 2014


So we’re a bit odd in that our small cadre of DSL subs don’t use PPPoE or even DHCP (these are mainly business customers).  This is mostly just inertia - static setup works, we have a system for adding circuits that works, etc.

So we have a GigE interface, and each sub comes in on a VLAN.  Our CLEC deals with the ATM to ethernet conversion, so these really just look like a bunch of plain old ethernet VLANs.

Our problem is that our CLEC supplies the CPE.  A large number of them are broken in fun ways - for example, they run UPNP, a DNS recursor and an NTP server.  Guess what happens if you configure these services to only listen on the LAN?  Well, it still listens on the WAN side.  And UPNP is more fun, disabling the service does not disable it.

So we now have customers being used in DDoS attacks as amplifiers (UPNP is apparently the hot new thing).  I need to basically drop an access list on every sub.  If we were running PPPoE, this would be easy, just make it part of the cloned template.

Are there any cool tricks that cover plain old ethernet subinterfaces that would allow me to add an access-list to all of them in one fell swoop?

Thanks,

Charles
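One scripted approach, added here as an example and not part of Charles's post: a Python script that reads a saved running-config, lists every subinterface under the aggregation port, and emits the IOS lines that define one extended ACL and apply it on each subinterface that does not already carry it. The ACL name, the outbound direction and the sample config are assumptions.

```python
import re
# Constructed excerpt of a saved "show running-config"; documentation addresses, not real subs.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
!
interface GigabitEthernet0/1.101
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1.102
 ip address 192.0.2.5 255.255.255.252
 ip access-group CPE-WAN-FILTER out
!
interface GigabitEthernet0/2.5
"""
SUBIF_RE = re.compile(r"^interface (\S+\.\d+)\s*$")
ACL_NAME = "CPE-WAN-FILTER"  # assumed name, not from the post

def acl_definition(acl_name=ACL_NAME):
    """Extended ACL dropping queries to the services the CPE wrongly exposes on its WAN side."""
    return [f"ip access-list extended {acl_name}",
            " deny udp any any eq 1900",  # SSDP, the UPnP discovery port
            " deny udp any any eq 53",    # DNS recursor
            " deny udp any any eq 123",   # NTP server
            " permit ip any any"]

def subinterfaces(config_text, parent):
    """Subinterface names under `parent` (e.g. GigabitEthernet0/1), in config order."""
    return [m.group(1) for line in config_text.splitlines()
            if (m := SUBIF_RE.match(line)) and m.group(1).startswith(parent + ".")]

def already_applied(config_text, acl_name, direction):
    """Subinterfaces that already carry the access-group line, so re-runs are idempotent."""
    applied, current = set(), None
    for line in config_text.splitlines():
        if m := SUBIF_RE.match(line):
            current = m.group(1)
        elif line.startswith("!"):
            current = None
        elif current and line.strip() == f"ip access-group {acl_name} {direction}":
            applied.add(current)
    return applied

def bulk_apply(config_text, parent, acl_name=ACL_NAME, direction="out"):
    """Paste-ready config: define the ACL, then apply it on every subinterface still lacking it."""
    lines = ["configure terminal"] + acl_definition(acl_name)
    done = already_applied(config_text, acl_name, direction)
    for name in subinterfaces(config_text, parent):
        if name not in done:
            lines += [f"interface {name}", f" ip access-group {acl_name} {direction}"]
    return lines + ["end"]
```

Applying it outbound drops the spoofed queries before they reach the CPE; matching on destination port 53 would also drop replies to any CPE that sources its own upstream DNS queries from port 53, so check that on one circuit before pasting the output for all of them.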


