[nsp] Favorite access lists

Sean Donelan sean@donelan.com
Thu, 26 Sep 2002 15:55:54 -0400 (EDT)


I agree the number is technically meaningless, however the power of
convention is strong. Following commonly used conventions speeds up
training new engineers, and helps prevent "accidents" when dealing with
vendor support if you follow commonly used conventions.  You can
re-configure almost every convention, like re-mapping the keyboard or
using a different indentation style, but it slows people down.

Usually a provider will use the same access-list number across their
entire network to control access to the vty's, or the same access list
for DDOS tracking.  I was wondering, with the movement of network
engineers from provider to provider, whether any of those conventions
had become common across larger parts of the ISP industry.

bgp filter 112
deny any access list 199
ddos tracking access list 169
vty access list 1
snmp RO access list 10
snmp RW access list 11


On Wed, 25 Sep 2002, Josh Duffek wrote:
> unless you are running into some silly IOS bug there is absolutely no
> correlation between the ACL number and the actual filters that it applies.
>
> its probably people copying sample configs...my favorite is 150 though :)
>
> > Of course, an access-list is just an access-list.  But there seem
> > to be some "well-known" access-list conventions among ISPs.  Say
> > access-list 112, and folks know its probably a inbound BGP route prefix
> > filter.  Access-list 199 is probably a "deny any any".  Instead of
> > re-inventing things, any suggestions for other well known conventions
> > for access lists?
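For readers unfamiliar with how these numbers end up attached to the things Sean lists, here is an IOS configuration fragment illustrating that convention. It is an added example, not part of Sean's message or anything else in the thread; the addresses (RFC 5737 documentation space), AS numbers (RFC 5398 range), community strings and interface name are placeholders, and the ACL bodies are deliberately minimal rather than a complete filter.

```cisco
! --- 1: vty access (standard ACL, applied with access-class) ---
access-list 1 remark management hosts allowed to the vty lines (placeholder range)
access-list 1 permit 192.0.2.0 0.0.0.255
access-list 1 deny   any log
line vty 0 4
 access-class 1 in

! --- 10 / 11: SNMP read-only and read-write sources ---
access-list 10 remark SNMP RO pollers (placeholder)
access-list 10 permit 192.0.2.10
access-list 11 remark SNMP RW managers (placeholder)
access-list 11 permit 192.0.2.11
snmp-server community EXAMPLE-RO RO 10
snmp-server community EXAMPLE-RW RW 11

! --- 112: inbound BGP prefix filter (extended ACL as distribute-list) ---
! For a distribute-list, the "source" field matches the prefix and the
! "destination" field matches the mask; "any" on the mask side means any length.
access-list 112 remark drop obvious junk from the neighbor, accept the rest
access-list 112 deny   ip host 0.0.0.0 any
access-list 112 deny   ip 10.0.0.0 0.255.255.255 any
access-list 112 deny   ip 127.0.0.0 0.255.255.255 any
access-list 112 permit ip any any
router bgp 64496
 neighbor 192.0.2.2 remote-as 64497
 neighbor 192.0.2.2 distribute-list 112 in

! --- 169: DDoS tracking ---
! Every entry permits; the point is the per-entry hit counters shown by
! "show access-list 169", and log-input records the ingress interface and
! source MAC so the flood can be traced one hop back.
access-list 169 permit icmp any any echo log-input
access-list 169 permit icmp any any echo-reply log-input
access-list 169 permit udp any any log-input
access-list 169 permit tcp any any established
access-list 169 permit tcp any any log-input
access-list 169 permit ip any any
interface Serial0/0
 description upstream (placeholder)
 ip access-group 169 in

! --- 199: "deny any any", kept around to slam a door quickly ---
access-list 199 deny ip any any log
```

Operationally the value of the fixed numbers is exactly what the thread is about: an engineer who lands on an unfamiliar box can run `show access-list 169` during an attack, or check that `line vty` carries `access-class 1 in`, without first reading the whole config to discover which list does what. The ACLs under 112 and 169 are illustrative skeletons, not a production bogon filter or a complete flood-characterization list.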