Great Circle Associates Firewalls
(July 1995)
 


Subject: Re: Changing a firewall setup. (fwd)
From: Nicolas Williams <nmw @ tremere . ios . com>
Date: Fri, 14 Jul 1995 03:12:43 -0400 (EDT)
To: firewalls @ greatcircle . com

Darren Reed previously wrote:

>In some mail from Tony Li, sie said:
 
>> Then yes, there is a small window during the parsing of the access
>> list during which you're exposed.
 
>> A better technique is to change the access group on the interface.

>I assume what you mean is you upload 102, set the interface to use 102,
>then upload the new 101, set it back to that and delete 102 ? (And do
>the same for each interface).  Or even use the access group numbers
>in a revision number style ?

I like setting up my Cisco access-lists like this (firewall lists for a 2514):

110 is output filter for Ether0
111 is output filter for Ether0
112 is input filter for Ether0
113 is input filter for Ether0
120 is output filter for Ether1
121 is output filter for Ether1
122 is input filter for Ether1
123 is input filter for Ether1
130 is output filter for Serial0
131 is output filter for Serial0
132 is input filter for Serial0
133 is input filter for Serial0

and so on. There are two reserved for each interface/filtering-type so I
can easily update the lists, config term or config net (gotta be careful
with config net: don't forget the 'no <command>' stuff, or else use
config over followed by a reload, or use the newer config file management
commands instead of 'config net' and 'config over').

I use access-lists in the 70-89 and 170-189 ranges for IGP route
filtering internally (and for use in route-maps), with the 90-99 and
190-199 ranges for BGP route filtering. 195 is usually for filtering BGP
updates from in-to-out, with 196 being the same but suppressing holes in
aggregates.

If you're dealing with Cisco-like filter naming madness, I recommend you
come up with a system and stick by it. It'll save you often.

>darren
>
>[P.S. A few people expressed concerns about this with IP filter which
> led me to implementing it looking after two sets of rules: active
> and inactive.  Idea here is load a new set and switch and yes,
> is part of the current version, 2.7.1.]

Cisco? Are you reading this? Please make our lives easier, :)

Nick
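The stage-and-swap procedure discussed in the thread, as an added example rather than anything Nick or Darren posted: a small Python helper that follows the numbering scheme above (base number per interface, +0/+1 for the output pair, +2/+3 for the input pair), works out which list of a pair is idle, and emits the IOS lines that rebuild the idle list and then re-point the interface at it with a single `ip access-group` command. The interface names, base numbers and ACL entries are constructed for illustration; the `no access-list` on the idle list is there because `config net` merges rather than replaces, exactly the pitfall the message warns about, and the helper refuses to ever emit `no access-list` for the list currently bound to the interface.

```python
"""Stage-and-swap helper for numbered Cisco IOS access lists.

Added example, not code from the mailing-list post. The interface/base
table and the sample ACL entries are constructed assumptions.
"""

# Hypothetical numbering scheme, mirroring the one described in the post:
# base per interface, +0/+1 = output filter pair, +2/+3 = input filter pair.
INTERFACE_BASE = {"Ethernet0": 110, "Ethernet1": 120, "Serial0": 130}
DIRECTION_OFFSET = {"out": 0, "in": 2}


def list_pair(interface, direction):
    """Return the (even, odd) pair of list numbers reserved for this
    interface and direction."""
    base = INTERFACE_BASE[interface] + DIRECTION_OFFSET[direction]
    return (base, base + 1)


def inactive_list(interface, direction, active):
    """Given the list number currently bound to the interface, return the
    idle partner that can be safely rebuilt."""
    even, odd = list_pair(interface, direction)
    if active not in (even, odd):
        raise ValueError(
            f"list {active} is not one of the pair reserved for "
            f"{interface} {direction}: {even}/{odd}"
        )
    return odd if active == even else even


def swap_commands(interface, direction, active, new_entries):
    """Build IOS config lines that (1) clear the idle list so a merged
    'config net' does not leave stale entries, (2) populate it with the
    new entries in order, and (3) flip the interface to it in one command.

    The active list is never cleared here: the interface stays bound to a
    fully populated list at every point, so there is no window with an
    empty or half-parsed list. The old list becomes next round's idle slot.

    Returns (lines, new_active_number).
    """
    target = inactive_list(interface, direction, active)
    lines = [f"no access-list {target}"]
    lines += [f"access-list {target} {entry}" for entry in new_entries]
    lines += [f"interface {interface}", f" ip access-group {target} {direction}"]
    return lines, target


if __name__ == "__main__":
    # Constructed example: Ethernet0 currently filters inbound with 112;
    # stage the replacement into 113 and switch over.
    entries = [
        "deny ip 10.0.0.0 0.255.255.255 any log",
        "permit tcp any host 192.0.2.10 eq 25",
        "deny ip any any log",
    ]
    cmds, now_active = swap_commands("Ethernet0", "in", 112, entries)
    print("\n".join(cmds))
    print(f"! Ethernet0 in is now list {now_active}; 112 is idle for next time")
```

The output is what you would paste into `config term` (or feed via `config net`); the sequence is safe to apply as-is because the only `no` line touches a list that nothing references. Keep a note of which number is live per interface/direction, since `inactive_list` depends on it.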
