I used the ones Cisco outlined in their document IOS Essentials every ISP
Should Know. Here is a copy of the list I use for our clients:

deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip xxx.xxx.xxx.0 0.0.0.255 any log
deny ip 224.0.0.0 31.255.255.255 any log

We are denying anyone who claims that their IP address is 0.0.0.0,
loopback addresses, all of the RFC 1918 addresses, addresses coming into us
claiming they belong to our subnet, and multicast addresses. It seems to
work for us. I also turn off ip directed broadcasts to minimize smurf/DoS
attacks. If you would like a copy of the document I used, let me know and
I'll e-mail a copy to you.
It's also useful to block
192.0.2.0/24 - the test network, designated for documentation use
169.254.0.0/16 - the link-local network.
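The ACL from the first post, with the two networks added in the reply above, as an added worked example (this is not code from either poster, nor from the Cisco document): a small Python evaluator that parses Cisco "address wildcard" syntax, refuses non-contiguous wildcards, and runs constructed sample source addresses through the list first-match, the way IOS does. The poster's own subnet was written as xxx.xxx.xxx.0; the example assumes the RFC 5737 documentation prefix 203.0.113.0/24 in its place, and the sample packets are constructed for the demonstration.

```python
"""Evaluate an ingress anti-spoofing ACL (Cisco wildcard syntax) offline.

Added example. ACL entries are transcribed from the thread; the poster's
own subnet (xxx.xxx.xxx.0) is ASSUMED to be 203.0.113.0/24 for illustration.
"""
import ipaddress

# Transcribed ACL plus the two networks from the reply. IOS evaluates an ACL
# top-down, first match wins, and an implicit "deny ip any any" ends it; the
# explicit "permit ip any any" is here so the non-bogon traffic is visible.
ACL_TEXT = """
deny ip host 0.0.0.0 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 203.0.113.0 0.0.0.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
permit ip any any
"""

# Constructed sample source addresses seen on the upstream interface.
SAMPLE_PACKETS = [
    "0.0.0.0", "127.0.0.1", "10.1.2.3", "172.31.255.255", "172.32.0.1",
    "192.168.5.6", "203.0.113.7", "239.255.255.250", "192.0.2.1",
    "169.254.1.1", "198.51.100.9",
]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair into an IPv4Network.

    A wildcard mask is an inverted netmask: 0 bits must match, 1 bits are
    don't-care. Only contiguous wildcards (zeros then ones) map to a CIDR
    prefix; anything else is rejected rather than silently mis-widened.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = (~wc) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_acl(text: str):
    """Parse 'action ip <src> <dst> [log]' lines into (action, src_net, log)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        action = parts[0]
        i = 2  # skip action and the 'ip' protocol keyword
        if parts[i] == "host":
            net = ipaddress.IPv4Network(parts[i + 1] + "/32")
        elif parts[i] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            net = wildcard_to_network(parts[i], parts[i + 1])
        # Destination is 'any' for every entry in this list, so it is ignored.
        entries.append((action, net, parts[-1] == "log"))
    return entries


def evaluate(acl, src: str):
    """Return (action, entry_index, logged) for a packet with source src.

    First match wins; falling off the end is the implicit deny, which IOS
    does not log.
    """
    ip = ipaddress.IPv4Address(src)
    for idx, (action, net, log) in enumerate(acl):
        if ip in net:
            return action, idx, log
    return "deny", None, False


def audit(acl, packets):
    """Map each sample source address to its ACL verdict."""
    return {src: evaluate(acl, src) for src in packets}


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for src, (action, idx, log) in audit(acl, SAMPLE_PACKETS).items():
        where = f"entry {idx}" if idx is not None else "implicit deny"
        print(f"{src:>16}  {action:<6} ({where}{', logged' if log else ''})")
```

Note that an address inside the assumed "own subnet" 203.0.113.0/24 is denied on the upstream interface exactly as the post describes: a packet arriving from the Internet that claims to come from inside should never be accepted. Swap that prefix for the real one before reusing the list.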
I'm not convinced that blocking native multicast is a good idea.
--bill