On Wed, Dec 20, 2000 at 10:57:16PM -0000, Firewalls-Digest wrote:
> Date: Wed, 20 Dec 2000 12:30:19 -0800
> From: Buddy Venne <[EMAIL PROTECTED]>
> Subject: RE: Recommended blocking for Internet-router
>
> Matt, all -
> I have in my notes to block this also:
> deny ip 255.0.0.0 0.255.255.255 any log
>
> But you cover that with your Class E deny statement, so would it make sense
> to cover "D" and "E" in one statement?
>
> e.g. deny ip 224.0.0.0 31.255.255.255 any log ! to cover 224-255
>
> On a separate question:
> Any ideas why cisco would recommend "no ip route cache" on a perimeter
> router like this?
> Buddy,

Fast-switching [ip route-cache] caches route information in relation to outbound interfaces. In the past, Cisco had problems with this also in certain cases bypassing access-lists. Erg. Anyways, here's an old CERT advisory from 1992 regarding the problem. There may be newer issues -- I'm not sure. Use process switching (no ip route-cache) instead of fast-switching depending on your level of paranoia.

http://www.cert.org/advisories/CA-1992-20.html

-- 
Matt Hite
Evite.com
Senior Systems Administrator
E: [EMAIL PROTECTED]
P: 415.343.3681
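Buddy's question, whether the single entry `deny ip 224.0.0.0 31.255.255.255 any log` really covers both the class D and class E ranges (and therefore his separate `255.0.0.0 0.255.255.255` entry), can be checked mechanically rather than by eye. The script below is an added example for this thread, not code posted by either participant or shipped by Cisco. It implements Cisco wildcard-mask semantics (a 0 bit in the mask means "must equal the base address", a 1 bit means "don't care"), turns each ACE into the address range it matches, and confirms that the combined entry tiles classes D and E exactly, with no spill below 224.0.0.0. All function names are my own; the ACEs are the ones quoted above.

```python
"""Check what Cisco-style wildcard-mask access-list entries actually match.

Wildcard semantics (opposite of a subnet mask): mask bit 0 = must match the
base address, mask bit 1 = don't care.  So `224.0.0.0 31.255.255.255`
matches every address whose top three bits are 111, i.e. 224.0.0.0-255.255.255.255.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True if `addr` is matched by the ACE `base wildcard`."""
    a, b, w = _to_int(addr), _to_int(base), _to_int(wildcard)
    # Bits set in the wildcard are ignored; every other bit must equal the base.
    return (a & ~w) & MASK32 == (b & ~w) & MASK32


def wildcard_to_range(base: str, wildcard: str) -> tuple[str, str]:
    """Return (first, last) address covered by `base wildcard`.

    Only valid when the wildcard's set bits are contiguous at the low end
    (0...01...1).  A non-contiguous wildcard matches a scattered set of
    addresses, not a single range, so we refuse rather than guess.
    """
    b, w = _to_int(base), _to_int(wildcard)
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard}: not a single range")
    first = (b & ~w) & MASK32
    last = first | w
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def covers(outer: tuple[str, str], inner: tuple[str, str]) -> bool:
    """True if ACE `outer` (base, wildcard) matches everything ACE `inner` does."""
    of, ol = map(_to_int, wildcard_to_range(*outer))
    inf, inl = map(_to_int, wildcard_to_range(*inner))
    return of <= inf and inl <= ol


def union_equals(combined: tuple[str, str], parts: list[tuple[str, str]]) -> bool:
    """True if the ranges of `parts` tile `combined` exactly: same first and
    last address, and no gap between consecutive parts."""
    cf, cl = map(_to_int, wildcard_to_range(*combined))
    rngs = sorted(tuple(map(_to_int, wildcard_to_range(*p))) for p in parts)
    if rngs[0][0] != cf or rngs[-1][1] != cl:
        return False
    return all(prev_last + 1 == nxt_first
               for (_, prev_last), (nxt_first, _) in zip(rngs, rngs[1:]))


# The entries discussed in the thread (constructed from the quoted text).
COMBINED_D_E = ("224.0.0.0", "31.255.255.255")   # proposed single entry
CLASS_D = ("224.0.0.0", "15.255.255.255")        # 224-239
CLASS_E = ("240.0.0.0", "15.255.255.255")        # 240-255
NET_255 = ("255.0.0.0", "0.255.255.255")         # Buddy's separate entry


if __name__ == "__main__":
    print("combined entry covers:", wildcard_to_range(*COMBINED_D_E))
    print("tiles D+E exactly:", union_equals(COMBINED_D_E, [CLASS_D, CLASS_E]))
    print("class E alone already covers 255/8:", covers(CLASS_E, NET_255))
    # Boundary check: the last class C address must NOT be caught.
    print("223.255.255.255 matched:", matches("223.255.255.255", *COMBINED_D_E))
```

The contiguity test `(w + 1) & w` is the part worth keeping around: a typo such as `31.255.255.254` silently turns the entry into a scattered match set instead of a range, and a range-based review of the ACL would then be wrong.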
