[c-nsp] Bulk applying filters to subinterfaces

CiscoNSP List cisconsp_list at hotmail.com
Thu Sep 18 22:49:53 EDT 2014


Can you use interface range on subints?

int range gigabitEthernet 0/0/0.2 - gigabitEthernet 0/0/0.50

Never tried it personally.


> From: spork at bway.net
> Date: Thu, 18 Sep 2014 21:56:01 -0400
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Bulk applying filters to subinterfaces
> 
> So we’re a bit odd in that our small cadre of DSL subs don’t use PPPoE or even DHCP (these are mainly business customers).  This is mostly just inertia - static setup works, we have a system for adding circuits that works, etc.
> 
> So we have a GigE interface, and each sub comes in on a VLAN.  Our CLEC deals with the ATM to ethernet conversion, so these really just look like a bunch of plain old ethernet VLANs.
> 
> Our problem is that our CLEC supplies the CPE.  A large number of them are broken in fun ways - for example, they run UPNP, a DNS recursor and an NTP server.  Guess what happens if you configure these services to only listen on the LAN?  Well, it still listens on the WAN side.  And UPNP is more fun, disabling the service does not disable it.
> 
> So we now have customers being used in DDoS attacks as amplifiers (UPNP is apparently the hot new thing).  I need to basically drop an access list on every sub.  If we were running PPPoE, this would be easy, just make it part of the cloned template.
> 
> Are there any cool tricks that cover plain old ethernet subinterfaces that would allow me to add an access-list to all of them in one fell swoop?
> 
> Thanks,
> 
> Charles
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
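
One way to do the bulk apply discussed in this thread without relying on interface range support, as an added example that is not part of the original messages: parse a saved running-config, find every subinterface under the GigE parent, and emit config lines only for those that do not already have the filter bound. The ACL name CPE-FILTER, the "out" direction (toward the customer CPE) and the sample config are assumptions constructed for illustration.

```python
import re
# Constructed running-config excerpt (not from the original thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/0.2
 encapsulation dot1Q 2
!
interface GigabitEthernet0/0/0.3
 encapsulation dot1Q 3
 ip access-group CPE-FILTER out
!
interface GigabitEthernet0/0/0.50
 encapsulation dot1Q 50
 ip access-group OLD-ACL out
!
interface GigabitEthernet0/0/1.7
 encapsulation dot1Q 7
!
"""

def subinterface_acls(config, parent, direction):
    """Map each subinterface of `parent` to the ACL bound in `direction` (or None)."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            # Only "<parent>.<n>" counts; the parent itself and other ports do not.
            current = m.group(1) if m.group(1).startswith(parent + ".") else None
            if current:
                found[current] = None
        elif current and not line.startswith(" "):
            current = None  # "!" or any other top-level line ends the stanza
        elif current:
            m = re.match(r" ip access-group (\S+) (in|out)$", line)
            if m and m.group(2) == direction:
                found[current] = m.group(1)
    return found

def build_patch(config, parent, acl, direction="out"):
    """Emit config lines only for subinterfaces that lack `acl` in `direction`."""
    lines = []
    for ifname, bound in subinterface_acls(config, parent, direction).items():
        if bound != acl:  # IOS holds one IP ACL per direction, so this replaces any other
            lines += [f"interface {ifname}", f" ip access-group {acl} {direction}"]
    return lines

if __name__ == "__main__":
    print("\n".join(build_patch(SAMPLE_CONFIG, "GigabitEthernet0/0/0", "CPE-FILTER")))
```

Running the same function against a fresh copy of the config after the change should return an empty list, which doubles as a check that no subinterface was missed.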
 		 	   		  

