[nsp] acl's/crypto-map/prefix-list improvements

From: kevin graham (kgraham@dotnetdotcom.org)
Date: Thu Oct 11 2001 - 12:27:43 EDT


Does anyone know if there's a feature roadmap for enhanced packet matching
logic? In prepping a fresh round of small routers to head to offices, I
was reminded of a few things:

  * Routing IPSec tunnels in IOS. Ugh. The GRE-over-IPSec solution is so
broken for getting route availability metrics for ipsec tunnels. It
occured to me though, that with a virtual-link, ospf could be shared
between to ESP endpoints. Given that, a 'crypto-map match route-map'
(along with an ACL to alway encrypt router-router traffic) could allow
dynamic routing into the ESP tunnel w/o the GRE kludge.

  * Inclusionary ('(config-ext-nacl)# permit access-list FOO') or
sequenced ACL's (ala route-map's -- (config)# ip access-list 10;
(config)# ip access-list 20). This is primarily motivated by Rob Thomas's
secure ios template.. As tempted as I am w/ every new config I put
together, I always dred having to filter out my site-specific stuff from
all the rest. Being able to group these independently and share generic
acl's (ie icmp type permit/deny's) would really clean up configs...
   -- even an 'ip access-list list-of-lists FOO' would cut it, if someone
was concerned about stupid customer tricks and infinite recursion.

 * Barring the previous item, being able to utilize an 'ip prefix-list' in
an ext acl would be great for things like Rob's bogon list (esp. if one
took the time to aggregate it). ...but I'm not sure if this holds to the
spirit and intent of prefix-lists.

 * further use of named access lists. The only two places I'm thinking of
is 'snmp-server community', 'snmp-server tftp-server-list', and
'tftp-server'. Not that its a big deal at all, but it always bothers me
having to use numbered acl's for those when the entire rest of a config is
using nice, well-named named acl's.

Blegh. I don't have anywhere near the installed base for csco to give an
inkling of concern about our feature requests, but I thought I'd air this
to see if anyone else shared these sentiments or knew any future plans (or
could point out how ignorant of an idea they were was so I could stop
caring)..

..kg..



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:19 EDT