[cisco-bba] isolate virtual access interfaces
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Fri Jul 7 01:07:27 EDT 2006
Side note: Option #2 would allow you to plug in an Infrastructure ACL,
i.e. protecting your core network infrastructure addresses.
oli
Arie Vayner <> wrote on Thursday, July 06, 2006 11:35 PM:
> Option #2 would block the packets earlier in the process,
> theoretically using less resources. On HW based platforms I think it
> would be the same.
>
> Effectively, I do not think there is a big difference...
>
> Arie
>
> On 7/6/06, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
>> Something else too...
>> If the vtemplate gets its ips from 192.168.1.0/24, would there be
>> any actual difference between the following two:
>>
>> 1)
>> access-list 100 deny ip 192.168.1.0 0.0.0.255 any
>> access-list 100 permit ip any any
>>
>> int virtual-template 100
>> ip access-group 100 out
>>
>> 2)
>> access-list 100 deny ip any 192.168.1.0 0.0.0.255
>> access-list 100 permit ip any any
>>
>> int virtual-template 100
>> ip access-group 100 in
>>
>>
>> Tassos Chatzithomaoglou wrote on 6/7/2006 21:32:
>>>
>>>
>>> Arie Vayner wrote on 6/7/2006 20:33:
>>>> Tassos,
>>>>
>>>> A few ideas:
>>>>
>>>> 1. Configure an ACL in the vtemplate blocking all egress traffic
>>>> with sources from the forbidden range.
>>>>
>>>
>>> That seems an easy one.
>>> I still wonder why I didn't think of this one before.
>>>
>>> Thanks Arie ;)
>>>
>>> --
>>> Tassos
>>>
>>>> 2. Configure a route-map for all traffic received over the ppp
>>>> sessions, pointing all the traffic to an upstream firewall (which
>>>> is next-hop of the LNS), and apply a similar policy as (1).
>>>>
>>>> Arie
>>>> CCIE#12198
>>>>
>>>> On 7/6/06, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
>>>>> Is there an easy way of making all the vpdn sessions terminating
>>>>> under a common vtemplate (through
>>>>> l2tp) not to be able to see each other (but continue to have
>>>>> access to everywhere else)?
>>>>>
>>>>> --
>>>>> Tassos
>>>>> _______________________________________________
>>>>> cisco-bba mailing list
>>>>> cisco-bba at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-bba
>>>>>
>>>>
>>>
>>>
>>
>> --
>> ***************************************
>> Tassos Chatzithomaoglou
>> Network Design & Development Department
>> FORTHnet S.A.
>> <achatz at forthnet.gr>
>> ***************************************
>>