From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Wed Jul 27 2005 - 13:06:22 GMT-3
I'm coming up blank on this so I'll post it to the collective:
I'm looking at our primary VPN router and the ACL for inbound traffic is
getting out of control plus it's not modular enough for when I have to make
additions. Im using the "ip access-list extended" syntax so I can go in and
modify to my heart's content but still, after many hundreds of entries it's
getting ugly. If I have to make an addition to the list, I like to keep all
the entries for the same vendor together but that requires getting creative
with the sequnce numbers at times, espcially if I have to add many entries
for the same vendor.
My question is this: is there any way to nest ACLs without using reflexive
ACLs? For example, on a PIX it's possible to create object groups so your
modifications are much more modular. If you need to modify the ACL for a
specific tunnel you could just modify the object group without worrying
about how it affects the entire ACL. If I could setup individual ACLs (or
objects) for each VPN peer then call those within another all-inclusive ACL
that gets applied to the interface, it would be much easier to manage. Any
ideas how to do this?
Thanks
Rik
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:31 GMT-3