I was *extremely* unclear in what I sent since I was running out the door. Most cisco routers run by ISPs (here on NANOG) have at least 50 interfaces (subinterfaces) and usually average 100. Each and every interface/subinterface has to be blocked. So it is either create an extended access list with all 100 individual interface addresses blocked (and update it as new customers get connected) or block by subnet, i.e. if all interfaces come from a 255.255.255.252 (/30) subnetted block, then block the whole /24. But then the problem I discussed below creeps up. Any recommendations on how to block this by subnet (assuming the router side always has the same bit position in the subnet)?
You still do not get it. NO PER-CUSTOMER CHANGE! For each interface on a router, block tcp which is both to and from that interface. The problem, of course, is the performance hit for packet filters on OC3s etc.

randy
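The three options discussed in the two messages above (an explicit per-address extended ACL, a block-by-subnet line that keys on the router's bit position inside each /30, and Randy's per-interface filter that names only its own interface) as an added example, not code from either poster. It emits Cisco-style numbered ACL lines and evaluates them with IOS wildcard-mask semantics, where a 1 bit in the wildcard is a don't-care bit, so a single non-contiguous wildcard such as 0.0.0.252 matches the first host of every /30 in an aggregate. The ACL number 101, the 10.0.0.0/24 aggregate, the customer links and the assumption that the router always takes the low host address of each /30 are constructed for the example.

```python
# Added example (not from the NANOG thread): generating and checking ACL lines
# that block TCP to the router side of every customer /30.
import ipaddress

ACL_NO = 101  # assumed ACL number, not from the thread


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the mask is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF & ~int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def router_side(link, offset=1):
    """Router-side address of a customer /30 (assumption: always host `offset`)."""
    return str(ipaddress.IPv4Network(link).network_address + offset)


def explicit_acl(links, acl_no=ACL_NO):
    """First option in the thread: one deny per interface address; must be
    edited every time a customer is connected."""
    lines = [f"access-list {acl_no} deny tcp any host {router_side(l)}" for l in links]
    return lines + [f"access-list {acl_no} permit ip any any"]


def bit_position_acl(aggregate, link_prefixlen=30, offset=1, acl_no=ACL_NO):
    """Block-by-subnet option: one line for the whole aggregate that matches only
    the addresses whose low (32 - link_prefixlen) bits equal `offset`.  The
    wildcard marks 'which /30' as don't-care and 'position inside the /30' as care."""
    agg = ipaddress.IPv4Network(aggregate)
    link_hostbits = (1 << (32 - link_prefixlen)) - 1
    wildcard = ipaddress.IPv4Address(int(agg.hostmask) & ~link_hostbits)
    base = agg.network_address + offset
    return [f"access-list {acl_no} deny tcp any {base} {wildcard}",
            f"access-list {acl_no} permit ip any any"]


def per_interface_acl(link, acl_no=ACL_NO):
    """Randy's variant: the filter applied on each interface names only that
    interface's own address, so it is written once with the interface."""
    me = router_side(link)
    return [f"access-list {acl_no} deny tcp any host {me}",
            f"access-list {acl_no} deny tcp host {me} any",
            f"access-list {acl_no} permit ip any any"]


def links_fit(links, aggregate, link_prefixlen=30):
    """Precondition for bit_position_acl: every link is a /30 inside the aggregate."""
    agg = ipaddress.IPv4Network(aggregate)
    return all(ipaddress.IPv4Network(l).prefixlen == link_prefixlen
               and ipaddress.IPv4Network(l).subnet_of(agg) for l in links)


def _addr_spec(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; returns (base, wildcard, next)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def lookup(src, dst, acl_lines):
    """First-match evaluation of a TCP packet src->dst against numbered-ACL lines.
    The protocol field is not checked (every line here is tcp or ip); IOS ends
    every ACL with an implicit deny, reported here as 'implicit-deny'."""
    for line in acl_lines:
        t = line.split()
        sb, sw, i = _addr_spec(t, 4)
        db, dw, _ = _addr_spec(t, i)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return t[2]
    return "implicit-deny"


if __name__ == "__main__":
    links = ["10.0.0.0/30", "10.0.0.4/30", "10.0.0.8/30"]  # constructed customer links
    print("\n".join(explicit_acl(links)))
    print("\n".join(bit_position_acl("10.0.0.0/24")))
    # A customer connected later (10.0.0.252/30, router 10.0.0.253) is covered by
    # the wildcard line without any change, but not by the explicit list.
    print(lookup("192.0.2.9", "10.0.0.253", bit_position_acl("10.0.0.0/24")))
    print(lookup("192.0.2.9", "10.0.0.253", explicit_acl(links)))
```

The wildcard line answers the "same bit position" question: `deny tcp any 10.0.0.1 0.0.0.252` hits .1, .5, .9 and so on through .253 while leaving the customer side (.2, .6, ...) and each /30's network and broadcast addresses alone. It also covers /30s that have not been assigned yet, and it silently misfires if any link in the aggregate is not a /30 with the router at the same offset, which is what `links_fit` checks before the line is installed. None of this changes the per-packet cost Randy raises; the script only shows that the match itself can be expressed without per-customer edits.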