OT: Using MQC nesting for access-control.... - Take 2

From: Con Spathas (con@spathas.net)
Date: Fri Jul 06 2007 - 11:12:15 ART


Hi Group,

I'm not sure if this post came through yesterday, so apologies if this is a
double-post!
 
I'd like your feedback on whether the following would be considered a valid
production solution or whether I'm missing something here. I have tested the
config below in a small lab and it "appears" to work, but I'm not sure if doing
this in production would be "safe" in terms of security and performance.
Perhaps I'm trying to over-engineer everything and there may be a simpler
way to achieve this (aside from having 2 separate ACLs). Why make it easy?
;)
 
As we know, to filter inbound traffic you'd define your ACL and apply it to
the interface using an access-group.
However, what I'd like to do is use a service-policy inbound instead, to
leverage MQC nesting capabilities and reduce the administrative overhead
of having multiple ACLs that contain the same information, save for a few
differences at the end.
 
This is the scenario: R1 has a p2p connection to ISP1 and ISP2. R1 must block
traffic common to both ISP1 and ISP2 (say RFC1918 and Bogons) but then allow
only traffic from subnets specifically routed by the ISP. No BGP is running,
just static routing. The goal is to have a single ACL matching unwanted
traffic, and then ACLs specific to traffic from each ISP.
 
Something along the lines of:
 
------

ip access-list extended COMMON_ACL
  permit ip <RFC1918/Bogon prefix> <wildcard> any <---- what I want dropped
  deny ip any any <---- policy-map lets through

ip access-list extended ISP1_ACL
  deny ip any <ISP1_Routed_Subnets> <wildcard> <---- ISP1 traffic I want let through
  permit ip any any <---- policy-map drops everything else

ip access-list extended ISP2_ACL
  deny ip any <ISP2_Routed_Subnets> <wildcard> <---- ISP2 traffic I want let through
  permit ip any any <---- policy-map drops everything else

class-map match-all COMMON_CLASS
 match access-group name COMMON_ACL

class-map match-all ISP1_CLASS
 match access-group name ISP1_ACL

class-map match-all ISP2_CLASS
 match access-group name ISP2_ACL

policy-map ISP1_POLICY
 class COMMON_CLASS
   drop
 class ISP1_CLASS
   drop

policy-map ISP2_POLICY
 class COMMON_CLASS
   drop
 class ISP2_CLASS
   drop

Interface to ISP1
 service-policy input ISP1_POLICY

Interface to ISP2
 service-policy input ISP2_POLICY

------

Please be gentle! Any feedback appreciated. ;)

Cheers,
Con...
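The policy in the post above, modelled as an added example (my code, not Con's config and not anything from Cisco) so the permit-means-drop inversion can be checked against sample flows offline before it goes anywhere near production. The RFC1918 prefixes are real; the ISP1 routed subnet 203.0.113.0/24 and the sample flows are constructed assumptions, and the last function shows the fail-open property of this design that a reviewer would want to check: an ACL that permits nothing never triggers its drop class.

```python
import ipaddress

# Constructed model of the post's permit-means-drop scheme; not IOS code.
# An ACL is an ordered list of (action, src_net, dst_net): the first matching
# entry decides, and an ACL with no match implicitly denies. A class-map
# 'match access-group' matches when the ACL PERMITS the packet, every class in
# the policy-map drops, and unmatched packets reach class-default, which
# forwards them.

ANY = "0.0.0.0/0"
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")   # real prefixes
ISP1_ROUTED = ("203.0.113.0/24",)   # assumed example prefix (RFC 5737 TEST-NET-3)

def acl(entries):
    """Compile ('permit'|'deny', src_cidr, dst_cidr) tuples into networks."""
    return [(a, ipaddress.ip_network(s), ipaddress.ip_network(d)) for a, s, d in entries]

# Mirrors the post: COMMON_ACL permits what must be dropped, then denies all;
# ISP1_ACL denies (lets through) the ISP1 prefixes, then permits (drops) all.
COMMON_ACL = acl([("permit", n, ANY) for n in RFC1918] + [("deny", ANY, ANY)])
ISP1_ACL = acl([("deny", ANY, n) for n in ISP1_ROUTED] + [("permit", ANY, ANY)])
ISP1_POLICY = [COMMON_ACL, ISP1_ACL]   # class COMMON_CLASS drop, class ISP1_CLASS drop

def acl_permits(entries, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False

def policy_forwards(policy, src, dst):
    """True if no drop class matched, i.e. the packet reached class-default."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(acl_permits(entries, src, dst) for entries in policy)

def failure_mode():
    """Caveat of the inverted logic: an ISP ACL that permits nothing (left
    empty or mistyped) never fires its drop class, so the policy fails open
    and forwards every flow COMMON_ACL did not catch."""
    broken_policy = [COMMON_ACL, acl([])]
    return policy_forwards(broken_policy, "198.51.100.7", "192.0.2.9")

if __name__ == "__main__":
    for src, dst in [("10.1.1.1", "203.0.113.5"),      # RFC1918 source: dropped
                     ("198.51.100.7", "203.0.113.5"),  # to ISP1 routed subnet: forwarded
                     ("198.51.100.7", "192.0.2.9")]:   # to anything else: dropped
        print(src, "->", dst, "forwarded" if policy_forwards(ISP1_POLICY, src, dst) else "dropped")
    print("empty ISP1_ACL fails open:", failure_mode())
```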



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART