On 06/24/2012 12:02 PM, Gert Doering wrote:
> Hi,
>
> On Sat, Jun 23, 2012 at 02:42:04PM -0700, Mike wrote:
>> I am trying to filter out rfc1918 addresses as either source or
>> destination addresses for my pppoe connected subscribers. Each
>
> Why not
>
> a) turn on uRPF filtering on the virtual-template
>    ("ip verify unicast reverse")
>    -> this takes care of *any* garbage source address the customer
>       might send you, not just RFC1918 space (see also BCP38).
>
> b) null-route the RFC1918 space
>    -> this takes care of the destination addresses
>
> that way you can get much more benefits with less effort.
>
> gert
Actually I do have urpf for exactly the reason you stated, but thanks. I
had the filter turned around backwards so it was not being very
effective. I added
radius-server attribute 11 default direction in
and suddenly the filter started to work as I thought it should, namely,
stop packets from customers to rfc1918 space. Based on your and other
inputs however, I'm beginning to rethink my strategy. I want to be able
to bypass filtering in some cases, and I'd also like to have filtering
based on a dynamic set... it's possible to null route bad destinations,
but can a routing table be used to say 'drop all packets from these
prefixes'?
Thanks.
Mike-
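Editor's note: Gert's two steps and Mike's closing question ("can a routing table be used to say 'drop all packets from these prefixes'?") map onto one standard IOS pattern, shown below as an added example that is not from either poster. Strict uRPF on the virtual-template handles spoofed subscriber sources, Null0 routes handle RFC 1918 destinations, and loose-mode uRPF on the upstream interface turns those same Null0 routes into a source-based drop list (a source whose best route points to Null0 fails the check); a BGP-triggered Null0 next hop makes that list dynamic (RFC 5635 source-based RTBH). Interface names, the exempted customer prefix, the ACL number, the AS number, the community value and the trigger address are all assumptions.

```cisco
! Added example (editor's, not from the thread). Interface names, ACL 150,
! the exempted prefix, AS 65000, community 65000:666 and 192.0.2.1 are assumed.
!
! (a) Strict uRPF on the subscriber template. Each PPPoE session installs a
!     host route to its Virtual-Access interface, so a packet whose source
!     does not match that route is dropped. The optional ACL gives the
!     bypass Mike asked for: a packet that FAILS uRPF is then checked
!     against ACL 150, and is forwarded if the ACL permits it.
access-list 150 remark sources allowed to bypass uRPF (assumed customer)
access-list 150 permit ip 198.51.100.0 0.0.0.255 any log
access-list 150 deny   ip any any log
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip verify unicast source reachable-via rx 150
!
! (b) Null-route RFC 1918 as a destination. Longest match still wins, so
!     any more specific RFC 1918 prefix routed internally is unaffected.
ip route 10.0.0.0     255.0.0.0     Null0
ip route 172.16.0.0   255.240.0.0   Null0
ip route 192.168.0.0  255.255.0.0   Null0
!
! (c) "Drop all packets FROM these prefixes" using the routing table.
!     Loose-mode uRPF treats a source whose best route points to Null0 as
!     failing the check, so the Null0 routes above also drop packets
!     sourced from RFC 1918 space arriving from upstream, and any further
!     "ip route ... Null0" added later joins the drop set immediately.
interface GigabitEthernet0/1
 description upstream
 ip verify unicast source reachable-via any
!
! (d) Dynamic set: source-based remote-triggered blackhole. A route carrying
!     the trigger community has its next hop rewritten to an address that
!     is itself routed to Null0. Combined with (c), traffic sourced from
!     that prefix is dropped; withdrawing the BGP route lifts the drop.
ip bgp-community new-format
ip community-list standard RTBH permit 65000:666
!
ip route 192.0.2.1 255.255.255.255 Null0
!
route-map RTBH-IN permit 10
 match community RTBH
 set ip next-hop 192.0.2.1
route-map RTBH-IN permit 20
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 65000
 neighbor 203.0.113.2 route-map RTBH-IN in
```

Two checks before relying on this: `show ip interface Virtual-Access<n>` should report the verification mode and the uRPF drop counter climbing when a subscriber spoofs, and `show ip route 192.0.2.1` must resolve to Null0 on every router running loose-mode uRPF, otherwise the triggered prefixes are forwarded rather than dropped. Strict mode on the subscriber side is safe only because each session's route is a single host route; on multihomed or asymmetric links use loose mode instead.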
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/