ACL Time Range with No Extra

From: Jennifer Bellucci (jennifer_bellucci@hotmail.com)
Date: Sat Apr 12 2003 - 13:55:41 GMT-3


Hi People

I was doing some practice on ACLs when I came across a question about filters
using the "as few lines as possible" phrase. Having seen this in the list before,
it got me doing something I can't do too often...thinking.

Question is something like...Enable a filter that filters FTP + WEB traffic
from 08:00 to 11:59 weekdays and UDP on weekends from 01:00 to 13:00. Use as
few lines as possible when creating your filter. ( Denying the traffic
mentioned ) You should be able to add to the filter in the future without
having to remove it first.

Now say we have network :

R1------R2------R3

R1 is running OSPF and R3 is running EIGRP. R2 is performing redistribution for both and
the filter is to be applied on both protocol interfaces of R2. I know the
filter is 2 lines, I know that, but if I was to apply the filter it would
block the IP updates and such. With no "permit ip any any", I am pretty much
lost. So, if I add this, how can I add to the filter later on when everything
is permitted by the statement before? What about the routing updates? The same
ACL has to be activated on 2 interfaces and for 2 different protocols. I then
come to the conclusion that by adding to the filter a specific permit for OSPF
and EIGRP, everything is OK. Fine, four lines in the filter: 2 for the traffic,
2 for the protocols (still with me?). With no "permit ip any any", not all IP
traffic will pass, will it? What about peering for other protocols not
mentioned? (Say you assumed you had DLSw also running somewhere and it has to
use this link to peer.) I don't think so. So I guess you have to add the line.
If we made the IP line more specific, then we would have to add more than one
line, because we don't know what major networks are connected to the EIGRP or
OSPF networks.

After a few minutes, you're asked to test your filter, then add to the filter so that it
stops BGP TCP traffic. With a "permit ip any any" in the ACL, what do I do?
I can't remove it, so how do I structure it so that I can deny the BGP traffic, while
the ACL from the first part stays complete? Normally, if this was a normal lab
I could mix the lines and off I go. Then comes the thing that really gets to
me: use as few lines as possible. With the question specifying 2 confirmed
lines and a third in part 2 of the question, how many lines do I need
then? Will my filter allow normal required operation at the same time?

Maybe I am looking too deep into the question, or I created a question that is
simply not possible? I don't know.
This is where you come in...help me find a solution. Pretty please with a
cherry on top.

Thanks

Jennifer Bellucci

Jennifer_bellucci@hotmail.com
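As an added illustration (not from the post above, and not the only way to answer the lab question), here is one way the filter described in the post could be laid out on R2. It assumes an IOS release that supports named extended ACLs with sequence numbers; the time-range names, the ACL name LINK-FILTER, the interface numbers and the NTP server address are all made up for the example.

```cisco
! Time-based ACL entries are evaluated against the router clock, so the
! clock has to be correct before any of this means anything.
ntp server 192.0.2.10          ! placeholder NTP server address for the example
clock timezone EST -5
!
time-range WEEKDAY-AM
 periodic weekdays 8:00 to 11:59
!
time-range WEEKEND-UDP
 periodic weekend 1:00 to 13:00
!
ip access-list extended LINK-FILTER
 remark Part 1: the traffic the question asks to deny, tied to its time-range
 10 deny tcp any any eq ftp time-range WEEKDAY-AM
 20 deny tcp any any eq www time-range WEEKDAY-AM
 30 deny udp any any time-range WEEKEND-UDP
 remark Routing protocols must be permitted explicitly, or the implicit
 remark deny at the end drops the OSPF and EIGRP hellos on both links
 40 permit ospf any any
 50 permit eigrp any any
 remark Everything else (DLSw peering, ICMP, ...) passes
 100 permit ip any any
!
interface Serial0/0
 ip access-group LINK-FILTER in
!
interface Serial0/1
 ip access-group LINK-FILTER in
!
! Part 2, added later: the BGP deny is given a sequence number below 100,
! so it is evaluated ahead of "permit ip any any" without removing any
! existing entry. Both directions of the TCP session are covered.
ip access-list extended LINK-FILTER
 60 deny tcp any any eq bgp
 61 deny tcp any eq bgp any
```

Two checks are worth doing after applying this: `show time-range` and `show access-lists LINK-FILTER` report each time-based entry as (active) or (inactive) for the current clock, and the per-entry hit counters in `show ip access-lists` confirm that OSPF and EIGRP hellos are matching the permit entries rather than the implicit deny. The sequence numbers are what make part 2 possible: on an IOS without them, a new entry is always appended after `permit ip any any`, which is exactly the problem the post describes, and the only option is to rebuild the list.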



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:51 GMT-3