[cisco-bba] isolate virtual access interfaces

Arie Vayner ariev at vayner.net
Thu Jul 6 17:34:55 EDT 2006


Option #2 would block the packets earlier in the process,
theoretically using fewer resources. On HW-based platforms I think it
would be the same.

Effectively, I do not think there is a big difference...

Arie

On 7/6/06, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
> Something else too...
> If the vtemplate gets its ips from 192.168.1.0/24, would there be any actual difference between the
> following two:
>
> 1)
> access-list 100 deny ip 192.168.1.0 0.0.0.255 any
> access-list 100 permit ip any any
>
> int virtual-template 100
>   ip access-group 100 out
>
> 2)
> access-list 100 deny ip any 192.168.1.0 0.0.0.255
> access-list 100 permit ip any any
>
> int virtual-template 100
>   ip access-group 100 in
>
>
> Tassos Chatzithomaoglou wrote on 6/7/2006 21:32:
> >
> >
> > Arie Vayner wrote on 6/7/2006 20:33:
> >> Tassos,
> >>
> >> A few ideas:
> >>
> >> 1. Configure an ACL in the vtemplate blocking all egress traffic with
> >> sources from the forbidden range.
> >>
> >
> > That seems an easy one.
> > I still wonder why I didn't think of this one before.
> >
> > Thanks Arie ;)
> >
> > --
> > Tassos
> >
> >> 2. Configure a route-map for all traffic received over the ppp
> >> sessions, pointing all the traffic to an upstream firewall (which is
> >> next-hop of the LNS), and apply a similar policy as (1).
> >>
> >> Arie
> >> CCIE#12198
> >>
> >> On 7/6/06, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
> >>> Is there an easy way of making all the vpdn sessions terminating
> >>> under a common vtemplate (through
> >>> l2tp) not to be able to see each other (but continue to have access
> >>> to everywhere else)?
> >>>
> >>> --
> >>> Tassos
> >>> _______________________________________________
> >>> cisco-bba mailing list
> >>> cisco-bba at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/cisco-bba
> >>>
> >>
> >
> >
>
> --
> ***************************************
>          Tassos Chatzithomaoglou
> Network Design & Development Department
>               FORTHnet S.A.
>           <achatz at forthnet.gr>
> ***************************************
>
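The two placements under discussion (source-based deny applied "out" on the virtual-template versus destination-based deny applied "in") can be checked against concrete flows. The following is an added example written for this page; it is not code from the thread or from Cisco. It models a single LNS with one "upstream" interface and a set of virtual-access interfaces cloned from the template, routes by destination only, and applies Cisco wildcard-mask semantics (a 1 bit in the mask means "don't care") plus the implicit deny at the end of every IOS ACL. The flows, the interface names and the 198.51.100.7 peer address are constructed for the illustration.

```python
"""Model where each ACL placement from the thread drops a packet on an LNS.

Option 1: access-list 100 deny ip 192.168.1.0 0.0.0.255 any   -> 'ip access-group 100 out'
Option 2: access-list 100 deny ip any 192.168.1.0 0.0.0.255   -> 'ip access-group 100 in'
Both are applied on the virtual-template, i.e. on every cloned virtual-access interface.
"""
import ipaddress
from dataclasses import dataclass

# Address pool handed out to the PPP/L2TP sessions (from the thread).
POOL = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Ace:
    """One access-control entry: 'permit'/'deny', source spec, destination spec."""
    action: str
    src: str   # "any" or "<base-address> <wildcard-mask>"
    dst: str


def _match(field: str, addr: str) -> bool:
    """Cisco wildcard-mask match: bits set in the wildcard are ignored."""
    if field == "any":
        return True
    base, wildcard = field.split()
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching ACE wins; an ACL with no match ends in the implicit deny."""
    for ace in acl:
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action
    return "deny"


ACL_OPTION1 = [Ace("deny", "192.168.1.0 0.0.0.255", "any"), Ace("permit", "any", "any")]  # applied 'out'
ACL_OPTION2 = [Ace("deny", "any", "192.168.1.0 0.0.0.255"), Ace("permit", "any", "any")]  # applied 'in'


def forward(ingress: str, src: str, dst: str, acl_in=None, acl_out=None):
    """Return (verdict, stage) for one packet through the modelled LNS.

    ingress is 'virtual-access' (a subscriber session) or 'upstream' (the core-facing
    interface, an assumption of this model). Input ACLs run before the routing
    lookup, output ACLs after it; only virtual-access interfaces carry the ACLs here.
    """
    if ingress == "virtual-access" and acl_in and evaluate(acl_in, src, dst) == "deny":
        return ("drop", "input ACL before routing")
    egress = "virtual-access" if ipaddress.ip_address(dst) in POOL else "upstream"
    if egress == "virtual-access" and acl_out and evaluate(acl_out, src, dst) == "deny":
        return ("drop", "output ACL after routing")
    return ("forward", egress)


def compare():
    """Run constructed sample flows through both placements -> {flow: (option1, option2)}."""
    flows = {
        "subscriber_to_subscriber": ("virtual-access", "192.168.1.10", "192.168.1.20"),
        "subscriber_to_internet": ("virtual-access", "192.168.1.10", "198.51.100.7"),
        "internet_to_subscriber": ("upstream", "198.51.100.7", "192.168.1.10"),
        # Constructed edge case: a packet from upstream carrying a pool address as source.
        "spoofed_pool_src_from_upstream": ("upstream", "192.168.1.99", "192.168.1.10"),
    }
    results = {}
    for name, (ingress, src, dst) in flows.items():
        opt1 = forward(ingress, src, dst, acl_out=ACL_OPTION1)
        opt2 = forward(ingress, src, dst, acl_in=ACL_OPTION2)
        results[name] = (opt1, opt2)
    return results


if __name__ == "__main__":
    for flow, (o1, o2) in compare().items():
        print(f"{flow:32s} option1={o1}  option2={o2}")
```

For the case the thread is about (one session talking to another) both placements drop the packet and the normal subscriber-to-internet and internet-to-subscriber flows pass, so the choice is about where the drop happens: option 2 decides at the input ACL before the routing lookup, option 1 only after the packet has been routed to the egress session. The model also shows the one coverage difference worth knowing: an input ACL on the sessions never sees packets arriving from upstream, whereas option 1 also discards an upstream packet that spoofs a pool source address.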

