Sean Donelan wrote:
It gets even worse. Cisco has hard-coded the list of Bogons into some of its latest low-end IOS versions as part of its "auto-secure" feature. Yes, Cisco includes warnings in the manual that the user should check the official list at IANA; but I also know the power of defaults. People upgrade their IOS versions even less often than they update their Windows boxes. So we're going to see chunks of the net blocked depending on the release date of versions of IOS.
Adam Debus wrote:
Do you have a reference page as to what platforms/releases/release trains that is being applied to?
Seems like it might be a handy list to have bookmarked. :)
Per http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html, it was introduced in 12.3 mainline. It's anyone's guess where it will end up from there, but note that it's already in a service provider train (12.2(18)S). So we may (or probably will?) end up with ISPs using the bogon-list feature as well.

If one upgrades from version A of Autosecure-enabled IOS to version B of Autosecure-enabled IOS, will the bogon-list ACLs in the device's configuration be automatically updated? Or will the user have to disable and then re-enable Autosecure?

Is this progress? Or is this something that "seemed like a good idea at the time"?

-Terry
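As an added example (not from anyone in this thread), here is the kind of audit an operator could run against a device's running configuration: it parses the bogon deny entries out of an IOS-style ACL and compares them with a current bogon list, reporting denies that have gone stale (space that is now allocated but the device would still block) and bogons the ACL does not cover. The ACL text, the ACL number and the "current" bogon list are constructed sample data standing in for a real `show running-config` and the IANA data one would fetch at check time.

```python
import ipaddress
import re

# Constructed sample ACL in the address/wildcard form IOS uses. Not taken
# from any real IOS release; the ACL number 100 is an assumption.
SAMPLE_ACL = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 69.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
"""

# Constructed "current" bogon list; a real check would load the IANA or
# Team Cymru data fetched at audit time instead of this literal.
CURRENT_BOGONS = ["10.0.0.0/8", "192.0.2.0/24", "240.0.0.0/4"]

DENY_RE = re.compile(r"deny\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+any")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.

    The wildcard is inverted explicitly: ipaddress would read an all-zero
    mask string as a /0 netmask, whereas IOS means a single host by it.
    """
    netmask = ipaddress.IPv4Address(
        int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_deny_prefixes(acl_text):
    """Extract every 'deny ip <net> <wildcard> any' entry as a network."""
    return [wildcard_to_network(a, w) for a, w in DENY_RE.findall(acl_text)]


def audit_bogon_acl(acl_text, current_bogons):
    """Return (stale, missing) prefix lists as strings.

    stale   : configured denies not inside any current bogon (would block
              legitimately allocated space)
    missing : current bogons not inside any configured deny
    """
    configured = parse_deny_prefixes(acl_text)
    current = [ipaddress.IPv4Network(p) for p in current_bogons]
    stale = [n for n in configured if not any(n.subnet_of(c) for c in current)]
    missing = [c for c in current if not any(c.subnet_of(n) for n in configured)]
    return [str(n) for n in stale], [str(c) for c in missing]


if __name__ == "__main__":
    stale, missing = audit_bogon_acl(SAMPLE_ACL, CURRENT_BOGONS)
    print("stale denies (now allocated, still blocked):", stale)
    print("bogons missing from ACL:", missing)
```

Run periodically against a fresh bogon list, the "stale" output is exactly the blocked-chunks-of-the-net problem the thread worries about, surfaced before customers report it.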