[nsp] Favorite access lists

Scott Weeks surfer@mauigateway.com
Fri, 27 Sep 2002 11:49:52 HST


> bgp filter 112
> deny any access list 199
> ddos tracking access list 169
> vty access list 1
> snmp RO access list 10
> snmp RW access list 11
I gotta admit, you hit several of what we used at Digital Island.  Convention is indeed strong...

scott
> > -----Original Message-----
> > From: Sean Donelan [mailto:sean@donelan.com]
> > Sent: Thursday, September 26, 2002 12:56 PM
> > To: cisco-nsp@puck.nether.net
> > Subject: Re: [nsp] Favorite access lists
> > 
> > 
> > 
> > I agree the number is technically meaningless, however the power of
> > convention is strong. Following commonly used conventions speeds up
> > training new engineers, and helps prevent "accidents" when dealing with
> > vendor support if you follow commonly used conventions.  You can
> > re-configure almost every convention, like re-mapping the keyboard or
> > using a different indentation style, but it slows people down.
> > 
> > Usually a provider will use the same access-list number across their
> > entire network to control access to the vty's, or the same access list
> > for DDOS tracking.  I was wondering, with the movement of network
> > engineers from provider to provider, whether any of those conventions
> > had become common across larger parts of the ISP industry.
> > 
> > bgp filter 112
> > deny any access list 199
> > ddos tracking access list 169
> > vty access list 1
> > snmp RO access list 10
> > snmp RW access list 11
> > 
> > 
> > On Wed, 25 Sep 2002, Josh Duffek wrote:
> > > unless you are running into some silly IOS bug there is absolutely no
> > > correlation between the ACL number and the actual filters that it applies.
> > >
> > > it's probably people copying sample configs...my favorite is 150 though :)
> > >
> > > > Of course, an access-list is just an access-list.  But there seem
> > > > to be some "well-known" access-list conventions among ISPs.  Say
> > > > access-list 112, and folks know it's probably an inbound BGP route prefix
> > > > filter.  Access-list 199 is probably a "deny any any".  Instead of
> > > > re-inventing things, any suggestions for other well known conventions
> > > > for access lists?
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp@puck.nether.net
> > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
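The numbered-ACL conventions listed in the thread (vty 1, SNMP RO 10 / RW 11, DDoS tracking 169, deny-any 199) wired to the IOS features they are conventionally used for, as an added illustration that is not from any of the posters. The 192.0.2.x addresses, interface name and community strings are placeholders; ACL 112 is left out because the thread does not give its contents.

```cisco
! Added illustration (not from the thread): the numbered-ACL conventions
! discussed above, attached to the features they conventionally serve.
! 192.0.2.0/24, GigabitEthernet0/0 and the community strings are placeholders.
!
! vty access list 1: which stations may open a management session
access-list 1 remark management stations allowed to the vty lines
access-list 1 permit 192.0.2.0 0.0.0.255
access-list 1 deny any log
!
! snmp RO access list 10 / snmp RW access list 11
access-list 10 remark SNMP read-only pollers
access-list 10 permit host 192.0.2.10
access-list 11 remark SNMP read-write managers (keep this list short)
access-list 11 permit host 192.0.2.11
!
! ddos tracking access list 169: permits everything, so it never drops
! traffic; the per-line hit counters (show access-list 169) reveal which
! protocol a flood is made of
access-list 169 permit icmp any any echo
access-list 169 permit icmp any any echo-reply
access-list 169 permit udp any any eq 53
access-list 169 permit udp any any
access-list 169 permit tcp any any established
access-list 169 permit tcp any any
access-list 169 permit ip any any
!
! deny any access list 199: a deny-everything list, logged so that whatever
! is pointed at it shows up in the log
access-list 199 deny ip any any log
!
snmp-server community PLACEHOLDER-RO RO 10
snmp-server community PLACEHOLDER-RW RW 11
!
interface GigabitEthernet0/0
 description upstream; apply ACL 169 inbound only while characterising a flood
 ip access-group 169 in
!
line vty 0 4
 access-class 1 in
```

Because ACL 169 ends in permit ip any any it changes nothing about forwarding; it only gives counters, which is why it can be applied and removed during an incident without a filtering side effect.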