Maybe start using object-groups? -Blake
On Tue, Dec 11, 2012 at 1:19 PM, Mike <mike-cisconspl...@tiedyenetworks.com> wrote:
> Hi,
>
> I tried asking this question another way and don't think I made it
> clear what or why it was needed.
>
> I am an ISP and I have been seeing a customer IP address being
> targeted for a DDoS which appears to be a DNS amplification attack. I
> checked the IPs of the servers sending packets and they all appear to be
> legitimate recursive resolvers that unfortunately don't limit queries to
> their own customer networks. On my side, I would like to impose a rule for
> this single customer that no DNS traffic - other than from my own resolvers
> - is forwarded between this customer and the network. The customer is
> terminated with PPPoE on a 7201 and they have a RADIUS profile entry that
> includes 'Filter-Id' which contains a basic home user filter to deny crap
> traffic such as RFC 1918 and such. I would like to be able to add an
> additional filter on top of this which includes deny all port 53 except
> to/from my servers. I don't want to cut/paste and create a new access list
> for this customer, I just want to be able to add some additional rules on
> top of the default filter set. Surely there has to be a way to do this?
>
> Mike-
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
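As an added illustration of Blake's suggestion (not configuration from either poster), this is what an object-group based version of the per-customer filter could look like in IOS: the resolver set and the DNS service are defined once and reused, so the DNS exception can be referenced from the default home-user ACL without copying it. It assumes a 12.4(20)T or later image with object-group ACL support, and the resolver addresses (192.0.2.53/54) and ACL name are placeholders.

```cisco
! Placeholder addresses for the ISP's own recursive resolvers (assumed, not from the post)
object-group network ISP-RESOLVERS
 host 192.0.2.53
 host 192.0.2.54
!
! DNS as a service object: queries (destination port 53) and responses (source port 53)
object-group service DNS-QUERY
 tcp-udp eq domain
object-group service DNS-RESPONSE
 tcp-udp source eq domain
!
! Private space the existing home-user filter already drops (RFC 1918)
object-group network RFC1918
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
!
! Applied in both directions via the RADIUS Filter-Id on the PPPoE virtual-access,
! so the rules are written symmetrically (customer <-> network).
ip access-list extended HOMEUSER-NODNS
 remark Allow DNS only to/from our own resolvers
 permit object-group DNS-QUERY any object-group ISP-RESOLVERS
 permit object-group DNS-RESPONSE object-group ISP-RESOLVERS any
 permit object-group DNS-QUERY object-group ISP-RESOLVERS any
 permit object-group DNS-RESPONSE any object-group ISP-RESOLVERS
 remark Drop all other DNS, including amplification responses from open resolvers
 deny   object-group DNS-QUERY any any
 deny   object-group DNS-RESPONSE any any
 remark Existing default filter rules follow
 deny   ip object-group RFC1918 any
 deny   ip any object-group RFC1918
 permit ip any any
```

Because the ACL matches on the group names, adding a resolver later means one line in ISP-RESOLVERS rather than an edit to every customer ACL that carries the exception.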