I'm sorry - but the Right Thing (tm) to do is to ingress filter, as I have already evangelized. Like it or not.

- paul

At 08:13 PM 11/22/97 +0000, Alex Bligh wrote:
Um, if your concentrator router has one interface per L/L customer (or one subinterface per customer), you *do* need to add another line to the extended ACL for each new subinterface added, which looks like
access-list 164 deny ip n.n.n.n 0.0.0.0 n.n.n.n 0.0.0.0
where n.n.n.n is the ip address of the new subinterface on the concentrator router, because the ACL has one line per (sub)interface on the router.
However, many of us (I think) don't run with a new subinterface for each new customer, and a still easier fix is to upgrade to one of the non-vulnerable IOS versions (there being at least one for each of 10.3, 11.0, 11.1 & 11.2).
--
Alex Bligh
GX Networks (formerly Xara Networks)