Land and Cisco question

> So it is either create an
> extended access list with all 100 individual interface addresses blocked

you still do not get it. NO PER-CUSTOMER CHANGE!

for each interface on a router
  block tcp which is both to and from that interface

Um, if your concentrator router has one interface per L/L customer (or
one subinterface per customer), you *do* need to add another line to
the extended ACL for each new subinterface added, which looks like

access-list 164 deny ip n.n.n.n n.n.n.n

where n.n.n.n is the ip address of the new subinterface on the
concentrator router, because the ACL has one line per (sub)interface
on the router.

However many of us (I think) don't run with a new subinterface for
each new customer, and a still easier fix is to upgrade to one of
the non-vulnerable IOS versions (there being at least one for
each of 10.3, 11.0, 11.1 & 11.2).

I'm sorry - but the Right Thing (tm) to do is to
ingress filter, as I have already evangelized.

Like it or not.

- paul