Is there a way to globally protect all inbound interfaces on a router via ACL
(specifically hundreds of frame/sub-interfaces) without applying the same ACL
to each individual interface?
Is the "line vty" config only for telnet/ssh, etc. or is it the magic global
that I'm looking for?
I'd post this on inet-access but this is where the conversation is taking
place.
Thanks,
Rick
Is there a way to globally protect all inbound interfaces on a router via ACL
(specifically hundreds of frame/sub-interfaces) without applying the same ACL
to each individual interface?
I believe something like this will work:
no access-l 198
access-list 198 deny 53 any any log-input
access-list 198 deny 55 any any log-input
access-list 198 deny 77 any any log-input
!
access-list 198 permit pim host xx.xx.xx.xx 224.0.0.0 31.255.255.255
!
access-list 198 deny pim any any log-input
access-list 198 permit ip any any
!
!end
replace xx.xx.xx.xx with real ip address if you have PIM running, if you
don't, remove that line.
Is the "line vty" config only for telnet/ssh, etc. or is it the magic global
that I'm looking for?
No. I don't think so.
-Basil @ CIFNet
Depends on the platform; if it is a Cisco GSR or 7500 (w/ sufficiently current IOS), you can look into using a Receive ACL (rACL). The Cisco advisory being sent around in the discussion of the latest vulnerability has a link to more info for Cisco rACLs
- Wayne
Rick Ernst wrote:
Is this true:
http://www.eweek.com/article2/0,3959,1196496,00.asp
**there is a working exploit for this vulnerability but that it has not been
released yet.**