[c-nsp] access-list calling another access-list
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Wed Mar 7 03:08:41 EST 2012
>
> I am trying to devise some ACLs and am coming from a Linux FW
> background, which allowed me to split my ACLs into separate tables and
> effectively call one from the other. [...]
>
> I realise there's got to be a cisco way of doing this, and I'd
> appreciate any pointers anyone cares to share.
ACLs are used for a variety of things, so there is a "it depends"
answer: you can achieve the splitting (via route-maps and policies) when
you deal with ACLs for routing, however interface/traffic ACLs can't be
split this way, you can only apply a single ACL as an input/output ACL
to an interface. When it comes to firewall filtering, PIX/ASAs support
object groups which you can use to compile your ACLs, and one could also
argue that the Zone-based IOS FW's class-maps for traffic classification
also allow a more modular approach.
hope this helps..
oli
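The object-group approach Oli mentions for PIX/ASA, shown as an added configuration example (this is not from the original thread). Host addresses, interface and object-group names are made up for illustration; the point is that the groups are the reusable "tables", and the single ACL bound to the interface references them, including one group nested in another via group-object:

```cisco
! Reusable building blocks (the ASA equivalent of the separate tables)
object-group network MGMT-JUMPHOSTS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network NOC-NETWORK
 network-object 198.51.100.0 255.255.255.0
! Nested group: one group referenced from another
object-group network MGMT-SOURCES
 group-object MGMT-JUMPHOSTS
 group-object NOC-NETWORK
object-group service MGMT-SERVICES tcp
 port-object eq ssh
 port-object eq https
! One ACL per interface direction, composed from the groups above
access-list OUTSIDE-IN extended permit tcp object-group MGMT-SOURCES any object-group MGMT-SERVICES
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

Adding a new jump host then means editing MGMT-JUMPHOSTS rather than touching the interface ACL, and the explicit logged deny at the end makes rejected management attempts visible in syslog.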