[128871] in North American Network Operators' Group
Re: (cisco, or any) acl *reducers* out there?
daemon@ATHENA.MIT.EDU (George Michaelson)
Wed Aug 18 23:43:41 2010
From: George Michaelson <ggm@apnic.net>
In-Reply-To: <m2pqxfe0gr.wl%randy@psg.com>
Date: Thu, 19 Aug 2010 13:43:32 +1000
To: NANOG <nanog@nanog.org>
On 19/08/2010, at 1:38 PM, Randy Bush wrote:
> one more comment. be careful aggregating filters. the peer may
> actually announce all those damned frags, especially in massively
> de-aggregated places such as india, indonesia, ...
>
> randy
I should have been clearer that I really only want to aggregate ACLs like a port-22 ssh filter which has an endless list of specific /32, or the 'we don't like inbound UDP', where it logically made sense. So if you happen to have an overarching UDP 'established' class rule, then its order compared to other rules might or might not make them useless.

Route filtering is best done by professionals. Always read the instructions on the packet.

(Your oven may be in centigrade, not Fahrenheit, and the cup size varies by economy.)

-George
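A small ACL reducer of the kind the thread asks about, as an added example (not code from the thread or from any of its authors): it collapses a list of /32 ssh-deny entries into the minimal CIDR set that matches exactly the same addresses, checks that nothing was widened, measures the overreach of a hand-rounded aggregate (the caveat Randy raises), and renders IOS extended ACL lines. Sample addresses are constructed from RFC 5737 documentation space, and the rendering assumes a simple deny-then-permit port-22 list.

```python
import ipaddress

# Constructed sample (RFC 5737 documentation space, not real hosts): the
# kind of ever-growing "block ssh from these /32s" list the post describes.
SAMPLE_DENY_HOSTS = [
    "198.51.100.0", "198.51.100.1", "198.51.100.2", "198.51.100.3",
    "198.51.100.4", "198.51.100.5", "198.51.100.6", "198.51.100.7",
    "203.0.113.9", "203.0.113.10", "203.0.113.11",
    "192.0.2.128/25", "192.0.2.0/25",
]

def parse(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def reduce_acl_entries(entries):
    """Collapse host/prefix strings into the minimal CIDR set covering
    exactly the same addresses. collapse_addresses() only merges two
    siblings into their parent when both are present, so the result never
    matches an address the original list did not."""
    return list(ipaddress.collapse_addresses(parse(entries)))

def address_set(nets):
    return {int(a) for n in nets for a in n}

def covers_same_addresses(entries, reduced):
    """Sanity check before installing the reduced list: same address set."""
    return address_set(parse(entries)) == address_set(reduced)

def overreach(entries, aggregate):
    """Addresses a hand-rounded aggregate would match that the original
    list does not. Non-empty means the 'reduced' filter changed policy,
    which is exactly the danger with aggregating route filters."""
    agg = ipaddress.ip_network(aggregate, strict=False)
    listed = address_set(parse(entries))
    return [str(a) for a in agg if int(a) not in listed]

def to_cisco_extended_acl(reduced, port=22):
    """Render as IOS extended ACL lines (wildcard mask = host mask)."""
    lines = []
    for n in reduced:
        src = (f"host {n.network_address}" if n.prefixlen == n.max_prefixlen
               else f"{n.network_address} {n.hostmask}")
        lines.append(f"deny tcp {src} any eq {port}")
    lines.append(f"permit tcp any any eq {port}")
    return lines

if __name__ == "__main__":
    reduced = reduce_acl_entries(SAMPLE_DENY_HOSTS)
    assert covers_same_addresses(SAMPLE_DENY_HOSTS, reduced)
    print("\n".join(to_cisco_extended_acl(reduced)))
```

The reducer never emits the rounded-up aggregate; overreach() exists so you can see how many addresses such a shortcut would silently add before you take it.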