[nsp] Favorite access lists

Chris Whyte cwhyte@microsoft.com
Thu, 26 Sep 2002 13:48:59 -0700


Sean,

I think you make an excellent point. I'm not completely aware of the
extent to which ACL, prefix-list and filter-list (named and numbered)
conventions exist today within the ISP community. However, making sure
they do exist and are published appropriately would add tremendous value
to simplifying the operations of our collective infrastructures, imho.

Sounds like a good (informational) RFC to me...

Thanks,

Chris

> -----Original Message-----
> From: Sean Donelan [mailto:sean@donelan.com]
> Sent: Thursday, September 26, 2002 12:56 PM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] Favorite access lists
>
> I agree the number is technically meaningless, however the power of
> convention is strong. Following commonly used conventions speeds up
> training new engineers, and helps prevent "accidents" when dealing with
> vendor support if you follow commonly used conventions.  You can
> re-configure almost every convention, like re-mapping the keyboard or
> using a different indentation style, but it slows people down.
>
> Usually a provider will use the same access-list number across their
> entire network to control access to the vty's, or the same access list
> for DDOS tracking.  I was wondering, with the movement of network
> engineers from provider to provider, whether any of those conventions
> had become common across larger parts of the ISP industry.
>
> bgp filter 112
> deny any access list 199
> ddos tracking access list 169
> vty access list 1
> snmp RO access list 10
> snmp RW access list 11
>
> On Wed, 25 Sep 2002, Josh Duffek wrote:
> > unless you are running into some silly IOS bug there is absolutely no
> > correlation between the ACL number and the actual filters that it applies.
> >
> > it's probably people copying sample configs...my favorite is 150 though :)
> >
> > > Of course, an access-list is just an access-list.  But there seem
> > > to be some "well-known" access-list conventions among ISPs.  Say
> > > access-list 112, and folks know it's probably an inbound BGP route prefix
> > > filter.  Access-list 199 is probably a "deny any any".  Instead of
> > > re-inventing things, any suggestions for other well known conventions
> > > for access lists?
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
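The convention list in Sean's post (112 for the BGP filter, 199 for deny-any, 169 for DDoS tracking, 1 for vty, 10/11 for SNMP RO/RW) can be treated as a checkable policy rather than folklore. The Python script below is an added example, not code from the thread, from Cisco, or from any of the posters: it parses a constructed IOS-style config fragment and reports where the ACL numbers actually applied depart from the convention, which is the kind of "accident" the thread is worried about. The sample config, the role names and the function names are assumptions made for this example, and the parser only understands the handful of commands shown (access-list, snmp-server community, access-class under line vty, distribute-list under router bgp).

```python
import re

# Convention table as posted by Sean Donelan (role -> ACL number).
# ddos_tracking is kept for completeness but is not checked below: ACL 169 is
# applied to interfaces ad hoc while tracking an attack, so there is no
# permanent binding to look for in a saved config.
CONVENTION = {
    "bgp_filter": 112,
    "deny_any": 199,
    "ddos_tracking": 169,
    "vty": 1,
    "snmp_ro": 10,
    "snmp_rw": 11,
}

# Constructed IOS-style config fragment (not from any real router). It follows
# the convention everywhere except the SNMP RW community, which is bound to
# ACL 20 instead of 11.
SAMPLE_CONFIG = """\
access-list 1 permit 192.0.2.0 0.0.0.255
access-list 10 permit 192.0.2.10
access-list 11 permit 192.0.2.11
access-list 20 permit 192.0.2.12
access-list 112 permit 198.51.100.0 0.0.0.255
access-list 169 permit icmp any any
access-list 199 deny ip any any
snmp-server community public RO 10
snmp-server community secret RW 20
router bgp 64496
 neighbor 203.0.113.1 remote-as 64497
 neighbor 203.0.113.1 distribute-list 112 in
line vty 0 4
 access-class 1 in
"""


def parse_acl_bindings(config):
    """Return {role: acl_number} for every ACL the config actually applies."""
    bindings = {}
    section = ""  # most recent top-level command; gives indented lines their context
    for line in config.splitlines():
        if not line.startswith(" "):
            section = line.strip()
        text = line.strip()
        if section.startswith("line vty"):
            m = re.fullmatch(r"access-class (\d+) in", text)
            if m:
                bindings["vty"] = int(m.group(1))
        elif section.startswith("router bgp"):
            m = re.fullmatch(r"neighbor \S+ distribute-list (\d+) in", text)
            if m:
                bindings["bgp_filter"] = int(m.group(1))
        m = re.fullmatch(r"snmp-server community \S+ (RO|RW) (\d+)", text)
        if m:
            bindings["snmp_ro" if m.group(1) == "RO" else "snmp_rw"] = int(m.group(2))
    return bindings


def parse_acl_bodies(config):
    """Return {acl_number: [entry, ...]} for every numbered access-list line."""
    bodies = {}
    for line in config.splitlines():
        m = re.fullmatch(r"access-list (\d+) (.+)", line.strip())
        if m:
            bodies.setdefault(int(m.group(1)), []).append(m.group(2))
    return bodies


def audit(config, convention=CONVENTION):
    """List every way the config departs from the convention table."""
    findings = []
    bindings = parse_acl_bindings(config)
    bodies = parse_acl_bodies(config)
    for role in ("vty", "snmp_ro", "snmp_rw", "bgp_filter"):
        expected = convention[role]
        actual = bindings.get(role)
        if actual is None:
            findings.append(f"{role}: no ACL applied (convention is {expected})")
        elif actual != expected:
            findings.append(f"{role}: ACL {actual} applied, convention is {expected}")
        elif expected not in bodies:
            # A number that is referenced but never defined is its own accident.
            findings.append(f"{role}: ACL {expected} is applied but never defined")
    deny = convention["deny_any"]
    if bodies.get(deny) != ["deny ip any any"]:
        findings.append(
            f"ACL {deny} should contain only 'deny ip any any', got {bodies.get(deny)}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports only the SNMP RW mismatch; extending it to a real network means feeding it each router's saved config and diffing the findings over time, so a newly hired engineer who reuses a number from a previous employer gets caught before vendor support does.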