ghe2001 wrote: 
> Buster, Cisco IOS router, T1 connection. But it probably doesn't matter.

(an actual T1? really? Not even a PRI? Yes, this is irrelevant
to your question)

> I have a /31 transit net (n.n.n.40 to 43) to my ISP. I had everything to/from 
> that net allowed, but I was getting strange hits to odd ports. So, in the 
> border ACL, I allowed 41 and 42, then blocked the entire net to see what was 
> going on. Now I see no traffic on 41 or 42, but lots of activity on 40 and 43 
> (the edges, that my understanding says aren't used for anything on the 
> transit net).
Better show us the actual ACL you put in. 

What you describe is a /30, not a /31. 

I don't know why you think that the ISP won't send you traffic
for the 40 and 43 addresses. While it's technically the case
that the first address in a block is "for the router" and the
last is "for broadcast", people upstream don't know that and
are just spraying traffic at you, which your router is noting.

> Homework: I asked my ISP (last week and no reply yet). I've looked at the web 
> and at my books on IP networking. I couldn't find an answer.
> 
> Question 0: Why are IPs 41 and 42 not showing any activity? My current guess 
> is that traffic on those IPs hits the Internet interface and is sucked up 
> before the packets get to the ACL.

I don't quite know what you mean. Are you routing them somewhere
in particular?

> Question 1: Have I done something untoward and the ISP is trying to do 
> something with the edges (their alive probes use ICMP to an IP on my T1 net), 
> or are the edges being hit by script kiddies? Or something else that I don't 
> understand at all?

Random traffic is random traffic. IPv4 is only 4 billion
addresses; people scan the whole thing every day.

-dsr-

> Question 2: Since I see nothing happening on the important IPs, can I just 
> not say anything one way or the other about the transit net and let those 
> packets hit the end of the ACL and be denied?
You are always free to drop packets, especially if you don't
want them.

-dsr-
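As an added illustration of the /30-versus-/31 point above (example code written for this page, not from the thread or from Cisco): it classifies each address of a point-to-point block as network, broadcast or usable host, and tallies which role the denied destinations in a few constructed Cisco-style ACL log lines fall into. It assumes 203.0.113.40/30 (documentation space) in place of the poster's n.n.n.40 block.

```python
import ipaddress
import re
from collections import Counter

# Constructed Cisco-style ACL deny lines (documentation addresses). The
# 203.0.113.40/30 block stands in for the poster's n.n.n.40-43 transit net.
SAMPLE_LOGS = """\
%SEC-6-IPACCESSLOGP: list BORDER denied tcp 198.51.100.7(52113) -> 203.0.113.40(23), 3 packets
%SEC-6-IPACCESSLOGP: list BORDER denied udp 198.51.100.9(40001) -> 203.0.113.43(1900), 1 packet
%SEC-6-IPACCESSLOGDP: list BORDER denied icmp 198.51.100.9 -> 203.0.113.42 (8/0), 5 packets
"""

# Source and destination address, each with an optional "(port)" suffix.
LOG_RE = re.compile(r"denied \w+ (\S+?)(?:\(\d+\))? -> (\S+?)(?:\(\d+\))?[ ,]")


def address_role(addr, cidr):
    """Classify addr relative to the transit block cidr.

    /30: first address is the network, last is broadcast, middle two are hosts.
    /31 (RFC 3021): no network or broadcast address; both addresses are hosts.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside"
    if net.prefixlen >= 31:
        return "host"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def usable_hosts(cidr):
    """Addresses a device can actually be configured with on this block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(ip) for ip in net if address_role(str(ip), cidr) == "host"]


def summarize_denies(logs, cidr):
    """Count denied destinations by role: is the noise aimed at the edges?"""
    counts = Counter()
    for line in logs.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[address_role(m.group(2), cidr)] += 1
    return dict(counts)
```

Run `summarize_denies(SAMPLE_LOGS, "203.0.113.40/30")` against your own deny log to see how much of the traffic lands on the network and broadcast addresses rather than on the two router interfaces.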
