[c-nsp] Bulk applying filters to subinterfaces

Charles Sprickman spork at bway.net
Tue Sep 23 16:54:41 EDT 2014

On Sep 18, 2014, at 11:54 PM, Frank Bulk <frnkblk at iname.com> wrote:

> Apply ACL on your single uplink instead of on each downlink?

If possible I’d like to avoid that.  We have two transit connections
and at some point will be adding a few local peers.  The DSL segment
of our customer base is shrinking, and Im not sure how I feel about
blindly blocking ports on other business customers.  Unlike the
usual abuse issues we see this is strictly about blocking defective
CPE, not customer-managed devices.

At this point Id even settle for something like the interface range
command available in cisco switch gear…

I have been away from any in-depth IOS work that requires me to keep
up with new features, but the concept of a template for subinterface
config does not seem totally weird.  Is there such a thing?



> Frank
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Charles Sprickman
> Sent: Thursday, September 18, 2014 8:56 PM
> To: cisco-nsp at puck.nether.net NSP
> Subject: [c-nsp] Bulk applying filters to subinterfaces
> So we're a bit odd in that our small cadre of DSL subs don't use PPPoE or
> even DHCP (these are mainly business customers).  This is mostly just
> inertia - static setup works, we have a system for adding circuits that
> works, etc.
> So we have a GigE interface, and each sub comes in on a VLAN.  Our CLEC
> deals with the ATM to ethernet conversion, so these really just look like a
> bunch of plain old ethernet VLANs.
> Our problem is the our CLEC supplies the CPE.  A large number of them are
> broken in fun ways - for example, they run UPNP, a DNS recursor and an NTP
> server.  Guess what happens if you configure these services to only listen
> on the LAN?  Well, it still listens on the WAN side.  And UPNP is more fun,
> disabling the service does not disable it.
> So we now have customers being used in DDoS attacks as amplifiers (UPNP is
> apparently the hot new thing).  I need to basically drop an access list on
> every sub.  If we were running PPPoE, this would be easy, just make it part
> of the cloned template.
> Are there any cool tricks that cover plain old ethernet subinterfaces that
> would allow me to add an access-list to all of them in one fell swoop?
> Thanks,
> Charles
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list