Unfortunately I'm not in the position to dictate which routers my residential subscribers use on their broadband connection, and the quantity of subs (over 1000) makes forcing them to remediate nigh impossible. In fact, there may not be vendor code to resolve it.
So while in general I agree with your position (which I've seen you argue before), in practice, in this case, it's not cost effective to implement it. For open NTP and SNMP we are contacting customers and having them resolve it. Almost 100% of the time that's a configuration issue, not a firmware issue.

Frank

-----Original Message-----
From: cisco-nsp [mailto:[email protected]] On Behalf Of Roland Dobbins
Sent: Monday, August 04, 2014 8:09 PM
To: [email protected]
Subject: Re: [c-nsp] Simple ACL not working 7600

On Aug 5, 2014, at 7:17 AM, Frank Bulk <[email protected]> wrote:

> I applied an ACL on our CMTS last week and that was very effective in resolving that gap

You do understand that this is going to randomly break stuff for your subscribers, yes?

The best way to resolve this issue is to remediate the abusable CPE and/or work with customers to get it remediated, if it isn't CPE you own/operate.

If you have to do this temporarily whilst remediation is taking place, herding the abusable CPE together in terms of CIDR blocks and then doing this only for the CIDR blocks in question will minimize the scope of any collateral issues.

But blocking high ports towards your subscribers as a permanent blanket policy causes problems and isn't the way to permanently resolve issues of this nature.

----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

Equo ne credite, Teucri.

-- Laocoön

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
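The "herd the abusable CPE into CIDR blocks and filter only those" approach Roland describes, worked as an added example (not code from either poster or from the list): given a list of CPE addresses flagged as answering NTP or SNMP from the outside, group them into blocks of a chosen prefix length inside the subscriber pool, count how many non-flagged addresses each block drags in as collateral, and emit an IOS-style extended ACL that covers only those blocks instead of the whole pool. The pool, the flagged addresses and the /28 grouping are constructed for illustration; the ACL assumes it is applied inbound toward the subscribers and filters on destination UDP ports 123 and 161 (the two services the thread mentions), which is an assumption about Frank's setup, not something the thread states.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data, not taken from the thread: a hypothetical
# subscriber pool and the CPE addresses flagged as open NTP/SNNP responders.
SUBSCRIBER_POOL = ipaddress.ip_network("192.0.2.0/24")
ABUSABLE_CPE = [ipaddress.ip_address(a) for a in (
    "192.0.2.17", "192.0.2.19", "192.0.2.21",   # three neighbours in one /28
    "192.0.2.140", "192.0.2.141",               # two more in another /28
)]

# Services named in the thread. Filtering on the destination port toward the
# subscriber side is an assumption about how the ACL is applied.
FILTERED_UDP_PORTS = (123, 161)   # NTP, SNMP


def herd_into_blocks(hosts, pool, prefixlen):
    """Group flagged hosts into /prefixlen blocks that lie inside `pool`.

    Returns {IPv4Network: [flagged hosts inside it]}. A host outside the pool
    is an error: it would mean the report and the pool do not line up.
    """
    if prefixlen < pool.prefixlen:
        raise ValueError("block prefix must be at least as long as the pool prefix")
    blocks = defaultdict(list)
    for host in hosts:
        if host not in pool:
            raise ValueError(f"{host} is not inside the subscriber pool {pool}")
        block = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
        blocks[block].append(host)
    return dict(blocks)


def collateral(blocks):
    """Addresses inside the filtered blocks that were NOT flagged.

    This is the number Roland is talking about when he says scoping the ACL
    to the blocks in question minimises collateral damage.
    """
    return sum(net.num_addresses - len(hosts) for net, hosts in blocks.items())


def blanket_collateral(hosts, pool):
    """Collateral if the same filter were applied to the whole pool instead."""
    return pool.num_addresses - len(set(hosts))


def build_acl(blocks, number=100, ports=FILTERED_UDP_PORTS):
    """Emit numbered extended ACL lines covering only the herded blocks.

    IOS wildcard masks are the inverse of the netmask, which ipaddress
    exposes as `hostmask`. The trailing permit keeps everything else flowing.
    """
    lines = []
    for net in sorted(blocks):
        for port in ports:
            lines.append(
                f"access-list {number} deny udp any "
                f"{net.network_address} {net.hostmask} eq {port}"
            )
    lines.append(f"access-list {number} permit ip any any")
    return lines


def scoped_filter(hosts=ABUSABLE_CPE, pool=SUBSCRIBER_POOL, prefixlen=28):
    """Run the whole procedure and return (blocks, collateral, acl_lines)."""
    blocks = herd_into_blocks(hosts, pool, prefixlen)
    return blocks, collateral(blocks), build_acl(blocks)


if __name__ == "__main__":
    blocks, hit, acl = scoped_filter()
    print(f"{len(ABUSABLE_CPE)} flagged CPE herded into {len(blocks)} block(s):")
    for net, hosts in sorted(blocks.items()):
        print(f"  {net}: {len(hosts)} flagged, {net.num_addresses - len(hosts)} collateral")
    print(f"scoped collateral: {hit} addresses; blanket policy would touch "
          f"{blanket_collateral(ABUSABLE_CPE, SUBSCRIBER_POOL)}")
    print("\n".join(acl))
```

Shortening the prefix (for example /26 instead of /28) needs fewer ACL entries but pulls in more untouched subscribers; the `collateral()` number is what to watch while choosing, and the blanket figure shows what the permanent pool-wide policy Roland warns against would cost.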
