[nsp] Favorite access lists

Stephen Gill gillsr@yahoo.com
Thu, 26 Sep 2002 19:42:25 -0500


Hi Sean,
I agree that standardization is a good thing, but in all honesty, I'd
rather see ISP cooperation on:

- customer anti-spoofing
- bogon filters
- BGP peer filters
- etc...

I would think these numbering conventions also tend to break down when
working with other gear from other vendors.  A lot can be said for using
named ACLs which can provide a quick description of their purpose.  

-- steve

-----Original Message-----
From: cisco-nsp-admin@puck.nether.net
[mailto:cisco-nsp-admin@puck.nether.net] On Behalf Of Sean Donelan
Sent: Thursday, September 26, 2002 2:56 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [nsp] Favorite access lists


I agree the number is technically meaningless, however the power of
convention is strong. Following commonly used conventions speeds up
training new engineers, and helps prevent "accidents" when dealing with
vendor support if you follow commonly used conventions.  You can
re-configure almost every convention, like re-mapping the keyboard or
using a different indentation style, but it slows people down.

Usually a provider will use the same access-list number across their
entire network to control access to the vty's, or the same access list
for DDOS tracking.  I was wondering, with the movement of network
engineers from provider to provider, whether any of those conventions
had become common across larger parts of the ISP industry.

bgp filter 112
deny any access list 199
ddos tracking access list 169
vty access list 1
snmp RO access list 10
snmp RW access list 11


On Wed, 25 Sep 2002, Josh Duffek wrote:
> unless you are running into some silly IOS bug there is absolutely no
> correlation between the ACL number and the actual filters that it applies.
>
> it's probably people copying sample configs...my favorite is 150 though :)
>
> > Of course, an access-list is just an access-list.  But there seem
> > to be some "well-known" access-list conventions among ISPs.  Say
> > access-list 112, and folks know it's probably an inbound BGP route prefix
> > filter.  Access-list 199 is probably a "deny any any".  Instead of
> > re-inventing things, any suggestions for other well known conventions
> > for access lists?

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
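The conventions discussed in this thread (vty ACL, SNMP RO/RW ACLs, a "deny any" list, a DDoS tracking list, a BGP peer filter) and the filters Steve would rather see ISPs agree on (customer anti-spoofing, bogon filters) can be expressed with named ACLs whose names state their purpose, which is the point made at the top of the thread. The IOS configuration below is an added example, not posted by anyone in the thread. All ACL names, the customer prefix (198.51.100.0/24), the management hosts (192.0.2.x), the peer address, the ASNs (64496/64497, from the documentation range), and the interface names are illustrative assumptions; the bogon entries shown are only a few stable ones, not a complete list.

```cisco
! Added example (not from the thread). Named ACLs in place of the numbered
! conventions; every name says what the list is for. Addresses, names and
! ASNs are illustrative assumptions.
!
! ---- management plane: who may reach the vty / SNMP ----
ip access-list standard MGMT-VTY-IN
 remark hosts allowed to open a vty (ssh) session; replaces "access-list 1"
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
ip access-list standard SNMP-RO-HOSTS
 remark read-only pollers; replaces "access-list 10"
 permit 192.0.2.10
 deny   any log
!
ip access-list standard SNMP-RW-HOSTS
 remark read-write: configuration management host only; replaces "access-list 11"
 permit 192.0.2.11
 deny   any log
!
line vty 0 4
 access-class MGMT-VTY-IN in
 transport input ssh
!
snmp-server community RO-COMMUNITY-STRING RO SNMP-RO-HOSTS
snmp-server community RW-COMMUNITY-STRING RW SNMP-RW-HOSTS
!
! ---- the "deny any" list (convention: 199), named ----
ip access-list extended DENY-ALL
 remark applied wherever an interface must pass nothing
 deny   ip any any log
!
! ---- customer edge: anti-spoofing ----
! Only the customer's assigned prefix may source packets; anything else is
! spoofed (or a bogon) and is dropped and logged.
ip access-list extended CUST-ACME-ANTISPOOF-IN
 remark customer ACME is assigned 198.51.100.0/24 (assumed)
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial1/0
 description Customer ACME (assumed)
 ip access-group CUST-ACME-ANTISPOOF-IN in
!
! ---- transit/peer edge: bogon sources (partial, stable entries only) ----
ip access-list extended BOGON-SRC-IN
 remark sources that should never arrive from the outside
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! ---- DDoS tracking (convention: 169), named ----
! Permits everything; it exists only for its per-entry hit counters, read
! with "show access-list DDOS-TRACK" while an attack is in progress.
ip access-list extended DDOS-TRACK
 remark counters only, no filtering
 permit icmp any any
 permit udp  any any
 permit tcp  any any
 permit ip   any any
!
interface GigabitEthernet0/0
 description Uplink to peer AS64497 (assumed)
 ip access-group BOGON-SRC-IN in
!
! ---- BGP peer filter (convention: 112), as a named prefix-list ----
ip prefix-list PEER-ACME-IN seq 5   permit 198.51.100.0/24
ip prefix-list PEER-ACME-IN seq 100 deny 0.0.0.0/0 le 32
!
router bgp 64496
 neighbor 203.0.113.2 remote-as 64497
 neighbor 203.0.113.2 prefix-list PEER-ACME-IN in
```

Two points a practitioner should check before copying this: named ACLs on `snmp-server community` and `access-class` require an IOS release that accepts names there (older trains only took numbers, which is partly why the numbered conventions arose), and a bogon filter must be kept current from a maintained list rather than the handful of entries above. The `remark` lines are what make the named form self-describing when the configuration is read by an engineer from another provider, or by vendor support.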