[cisco-bba] isolate virtual access interfaces

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Fri Jul 7 01:07:27 EDT 2006


side note: Option #2 would allow you to plug in an Infrastructure ACL,
i.e. protecting your core network infrastructure addresses.

	oli

Arie Vayner <> wrote on Thursday, July 06, 2006 11:35 PM:

> Option #2 would block the packets earlier in the process,
> theoretically using less resources. On HW based platforms I think it
> would be the same.
> 
> Effectively, I do not think there is a big difference...
> 
> Arie
> 
> On 7/6/06, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
>> Something else too...
>> If the vtemplate gets its ips from 192.168.1.0/24, would there be
>> any actual difference between the following two:
>> 
>> 1)
>> access-list 100 deny ip 192.168.1.0 0.0.0.255 any
>> access-list 100 permit ip any any
>> 
>> int virtual-template 100
>>   ip access-group 100 out
>> 
>> 2)
>> access-list 100 deny ip any 192.168.1.0 0.0.0.255
>> access-list 100 permit ip any any
>> 
>> int virtual-template 100
>>   ip access-group 100 in
>> 
>> 
>> Tassos Chatzithomaoglou wrote on 6/7/2006 21:32:
>>> 
>>> 
>>> Arie Vayner wrote on 6/7/2006 20:33:
>>>> Tassos,
>>>> 
>>>> A few ideas:
>>>> 
>>>> 1. Configure an ACL in the vtemplate blocking all egress traffic
>>>> with sources from the forbidden range.
>>>> 
>>> 
>>> That seems an easy one.
>>> I still wonder why I didn't think of this one before.
>>> 
>>> Thanks Arie ;)
>>> 
>>> --
>>> Tassos
>>> 
>>>> 2. Configure a route-map for all traffic received over the ppp
>>>> sessions, pointing all the traffic to an upstream firewall (which
>>>> is next-hop of the LNS), and apply a similar policy as (1).
>>>> 
>>>> Arie
>>>> CCIE#12198
>>>> 
>>>> On 7/6/06, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
>>>>> Is there an easy way of making all the vpdn sessions terminating
>>>>> under a common vtemplate (through
>>>>> l2tp) unable to see each other (but continue to have
>>>>> access to everywhere else)?
>>>>> 
>>>>> --
>>>>> Tassos
>>>>> _______________________________________________
>>>>> cisco-bba mailing list
>>>>> cisco-bba at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-bba
>>>>> 
>>>> 
>>> 
>>> 
>> 
>> --
>> ***************************************
>>          Tassos Chatzithomaoglou
>> Network Design & Development Department
>>               FORTHnet S.A.
>>           <achatz at forthnet.gr>
>> ***************************************
>> 
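The thread compares two ways of keeping L2TP subscribers on one virtual-template from reaching each other (an outbound ACL denying pool sources versus an inbound ACL denying pool destinations) and notes that the inbound variant can also carry infrastructure-ACL entries. The script below is an added example, not code or configuration from the thread or from Cisco: it models IOS wildcard-mask matching and first-match ACL evaluation in Python and runs both options over a few constructed flows. The subscriber pool 192.168.1.0/24 is the one from the thread; 198.51.100.0/24 standing in for "the Internet" and 10.255.0.0/24 as a core loopback range to protect are assumptions made for the example.

```python
"""
Added example (not from the thread): simulate the two ACL options discussed
above on an LNS whose L2TP sessions terminate on Virtual-Access interfaces
cloned from Virtual-Template 100, and show why only the inbound variant can
also enforce an infrastructure ACL.

Assumptions: subscriber pool 192.168.1.0/24 (from the thread); 198.51.100.0/24
plays "the Internet"; 10.255.0.0/24 is a hypothetical core loopback range.
"""
import ipaddress
from dataclasses import dataclass

SUBSCRIBER_POOL = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Ace:
    """One access-list entry: 'permit' or 'deny', then IOS-style source and
    destination specs ('any' or 'address wildcard-mask')."""
    action: str
    src: str
    dst: str


def _matches(spec: str, addr: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return "deny"


# Option 1 from the thread: filter on the way OUT toward a subscriber.
OPTION1_OUT = (Ace("deny", "192.168.1.0 0.0.0.255", "any"),
               Ace("permit", "any", "any"))

# Option 2 from the thread: filter on the way IN from a subscriber.
OPTION2_IN = (Ace("deny", "any", "192.168.1.0 0.0.0.255"),
              Ace("permit", "any", "any"))

# Option 2 extended with the infrastructure-ACL idea from the side note:
# subscribers may not reach the (assumed) core loopback range at all.
OPTION2_IN_WITH_IACL = (Ace("deny", "any", "192.168.1.0 0.0.0.255"),
                        Ace("deny", "any", "10.255.0.0 0.0.0.255"),  # assumed core range
                        Ace("permit", "any", "any"))


def forwarded(src: str, dst: str, in_acl=(), out_acl=()) -> bool:
    """Model the LNS forwarding path. A packet from a pool address enters on a
    Virtual-Access interface (in_acl applies); a packet to a pool address leaves
    on a Virtual-Access interface (out_acl applies). Traffic bound for the core
    never exits through a Virtual-Access interface, so an 'out' ACL cannot see it."""
    if in_acl and ipaddress.ip_address(src) in SUBSCRIBER_POOL:
        if evaluate(in_acl, src, dst) == "deny":
            return False
    if out_acl and ipaddress.ip_address(dst) in SUBSCRIBER_POOL:
        if evaluate(out_acl, src, dst) == "deny":
            return False
    return True


# Constructed flows: (source, destination, description)
FLOWS = (
    ("192.168.1.10", "192.168.1.20", "subscriber -> subscriber"),
    ("192.168.1.10", "198.51.100.5", "subscriber -> Internet"),
    ("198.51.100.5", "192.168.1.10", "Internet -> subscriber"),
    ("192.168.1.10", "10.255.0.1", "subscriber -> core loopback (assumed)"),
)


def compare() -> dict:
    """Return {description: (option1, option2, option2+iACL)} per flow,
    where True means the packet is forwarded."""
    return {
        desc: (forwarded(s, d, out_acl=OPTION1_OUT),
               forwarded(s, d, in_acl=OPTION2_IN),
               forwarded(s, d, in_acl=OPTION2_IN_WITH_IACL))
        for s, d, desc in FLOWS
    }


if __name__ == "__main__":
    for desc, (o1, o2, o2i) in compare().items():
        print(f"{desc:40s} opt1={o1!s:5} opt2={o2!s:5} opt2+iACL={o2i!s:5}")
```

Both options stop subscriber-to-subscriber traffic and leave Internet traffic in either direction alone, which matches the thread's conclusion that there is no practical difference for isolation. The last flow shows the side note's point: a subscriber packet addressed to a core loopback leaves through an uplink, not a Virtual-Access interface, so only the inbound ACL of option 2 is in a position to drop it.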


