Perhaps to combat this, unless I'm missing something, one could justifiably
deploy GRE filters with source & destination addresses of the exchange
subnets. Filtering GRE in general seems nothing more than foolish.
-danny
[snip]
(we certainly allow GRE packets and expect everyone else does, too)
Perhaps to combat this, unless I'm missing something, one could justifiably
deploy GRE filters with source & destination addresses of the exchange
subnets. Filtering GRE in general seems nothing more than foolish.
Or the tunnel termination addresses, which, while they might be tighter, would
probably make the ACLs longer or more complex.
What's the point of this? Wouldn't it make more sense to just run a
sniffer on the exchange fabric looking for such GRE tunnels and then
kick the offending parties out of the exchange? Seems to me this has
happened at least once at LINX.
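
An added example, not part of the thread: a minimal sketch of the check discussed above, flagging only GRE (IP protocol 47) frames whose source and destination both sit on the exchange subnet, as a filter or a sniffer on the fabric would. The prefix 192.0.2.0/24, the function names and the sample frames are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumption: the exchange peering LAN prefix (documentation range, constructed).
EXCHANGE_SUBNET = ipaddress.ip_network("192.0.2.0/24")
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def gre_between_members(frame, subnet=EXCHANGE_SUBNET):
    """Return (src, dst) if the frame is IPv4 GRE with both ends on the subnet."""
    if len(frame) < 14 + 20:  # too short for Ethernet + IPv4 headers
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:34]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_GRE:  # version, protocol field
        return None
    src = ipaddress.ip_address(ip[12:16])
    dst = ipaddress.ip_address(ip[16:20])
    if src in subnet and dst in subnet:
        return (str(src), str(dst))
    return None  # GRE that merely transits the exchange is left alone


def build_frame(src, dst, proto):
    """Construct a minimal Ethernet + IPv4 frame (sample data, checksum zero)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return eth + ip + b"\x00\x00\x08\x00"  # 4-byte payload (basic GRE header)


def scan(frames):
    """Return the member-to-member GRE flows seen in a list of raw frames."""
    return [hit for hit in map(gre_between_members, frames) if hit]


# Constructed sample capture: one member-to-member tunnel, one GRE flow with
# an off-exchange endpoint, and one ordinary TCP flow between members.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "192.0.2.20", IPPROTO_GRE),
    build_frame("192.0.2.10", "198.51.100.5", IPPROTO_GRE),
    build_frame("192.0.2.10", "192.0.2.20", 6),
]

if __name__ == "__main__":
    for src, dst in scan(SAMPLE_FRAMES):
        print(f"GRE between exchange members: {src} -> {dst}")
```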