On 12 Mar 2002, at 11:18, james wrote:

> I am seeking to use ACLs to block the outbound traffic on private
> addresses that many of our remote POPs are producing. Remote POPs
> consist of a Cisco router (2500/2600s) and various access servers.
> I understand it is better to filter this at the source of the
> problem and not the exterior gateways. At the remote POP, should I
> apply these ACLs (blocking 10.0.0.0, etc. private networks) to the
> Ethernet interface, incoming, or the serial interfaces, outgoing?
> Serial interfaces would be the T-1 connections to the outside
> network and the Ethernet interface is how the access servers are
> connected (via a switch) to the access servers.
>
> james
Since it is desirable to block packets SOURCED FROM private IPs (since responses won't be routable back to them...) as well as those directed TO them, use extended ACLs, which can filter on source as well as destination. This also means that you can place the ACLs as near the source of the blocked packets as possible, which I think you are saying is the Ethernet side.

Consider also that if you are going to block packets with ACLs, blocking them inbound means you don't spend a bunch of resources trying to route them and THEN deciding to block them.

Dave Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
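Added illustration of the advice in the reply above (this is not code from either poster; the ACL lines and the test packets are constructed for the example). It is a small Python evaluator that parses IOS-style numbered extended ACL entries, the kind you would apply with "ip access-group 101 in" on the Ethernet interface, and applies the same first-match semantics IOS uses, including the wildcard masks for the three RFC 1918 ranges and the implicit deny that ends every ACL. The function and variable names (parse_acl, evaluate, ACL_101) are my own, not IOS commands.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example ACL (not from the original post). Entries 1-3 drop packets
# SOURCED FROM private space, entries 4-6 drop packets directed TO it, entry 7
# permits everything else. Without entry 7 the implicit deny would drop all
# traffic. IOS wildcard masks: 1 bits mean "don't care", so 10/8 is
# 0.255.255.255, 172.16/12 is 0.15.255.255 and 192.168/16 is 0.0.255.255.
# Applied on the router as:
#   interface Ethernet0
#    ip access-group 101 in
ACL_101 = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
"""


@dataclass
class AddrSpec:
    addr: int       # 32-bit address from the ACL line
    wildcard: int   # IOS wildcard mask; 1 bits are ignored when matching

    def matches(self, ip: str) -> bool:
        # Setting every "don't care" bit on both sides leaves only the
        # significant bits to compare; this also handles non-contiguous masks.
        return (int(ipaddress.ip_address(ip)) | self.wildcard) == (self.addr | self.wildcard)


@dataclass
class Ace:
    action: str     # "permit" or "deny"
    proto: str      # "ip", "tcp", "udp", ...
    src: AddrSpec
    dst: AddrSpec


def parse_spec(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (AddrSpec, index of the next unparsed token)."""
    tok = tokens[i]
    if tok == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return AddrSpec(int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return AddrSpec(int(ipaddress.ip_address(tok)),
                    int(ipaddress.ip_address(tokens[i + 1]))), i + 2


def parse_acl(text: str, number: int):
    """Collect the entries of numbered ACL `number`, in the order they are listed."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], tokens[3]
        src, i = parse_spec(tokens, 4)
        dst, _ = parse_spec(tokens, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def evaluate(aces, proto: str, src_ip: str, dst_ip: str):
    """First-match evaluation as IOS does it. Returns (action, entry number);
    a packet that matches no entry hits the implicit deny and returns (deny, None)."""
    for n, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", proto):
            continue
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace.action, n
    return "deny", None


if __name__ == "__main__":
    aces = parse_acl(ACL_101, 101)
    # Constructed packets: a leaked private source, a private destination,
    # an ordinary public flow, and an address just outside 172.16/12.
    for proto, s, d in [("tcp", "10.1.2.3", "198.51.100.7"),
                        ("udp", "203.0.113.5", "192.168.1.1"),
                        ("tcp", "203.0.113.5", "198.51.100.7"),
                        ("tcp", "172.32.0.1", "198.51.100.7")]:
        print(proto, s, "->", d, evaluate(aces, proto, s, d))
```

The 172.32.0.1 case is the one to watch when typing the masks by hand: 172.16/12 ends at 172.31.255.255, so 0.15.255.255 is correct and 0.255.255.255 would silently drop the whole of 172/8. Dropping the final "permit ip any any" line shows the implicit deny taking over for every packet.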
