[131893] in North American Network Operators' Group
Re: BGP support on ASA5585-X
daemon@ATHENA.MIT.EDU (Pete Lumbis)
Sun Nov 7 00:54:14 2010
In-Reply-To: <C80B195C2194453EA495AC15BAC41B37@flamdt01>
Date: Sun, 7 Nov 2010 00:54:04 -0400
From: Pete Lumbis <alumbis@gmail.com>
To: Tony Varriale <tvarriale@comcast.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I won't speak to the wrong solution for the wrong market but as far as
large ACLs, I would agree with Tony.
I've seen hundreds of different ASA configurations for a variety of
customers in a variety of markets and generally once you start
reaching the limits of the box you start losing sight of what your
original security policies are.
In almost every (not all) case that I've seen resource exhaustion due
to ACLs, it's almost always gone hand in hand with security policies
that aren't followed well or clear cut (i.e., overlapping security
rules, lack of rule aggregation, not sure why rule X is in there,
things of this nature).
-Pete
On Sat, Nov 6, 2010 at 9:54 AM, Tony Varriale <tvarriale@comcast.net> wrote:
>
> ----- Original Message ----- From: "gordon b slater" <gordslater@ieee.org>
> To: "Tony Varriale" <tvarriale@comcast.net>
> Cc: <nanog@nanog.org>
> Sent: Saturday, November 06, 2010 4:38 AM
> Subject: Re: BGP support on ASA5585-X
>
>
>> On Fri, 2010-11-05 at 21:50 -0500, Tony Varriale wrote:
>>
>>> <somebody> said:
>>> >They could make it out of the box but this is why Dylan made his
>>> >statement.
>>>
>>> His statement is far fetched at best. Unless of course he's speaking of
>>> 100 million line ACLs.
>>
>> Can I just ask out of technical curiosity:
>>
>
> Well, let me preface this thread with: the previous poster was/is from a
> hosting company. ASAs aren't ISP/Hosting level boxes. They are SMB to
> enterprise boxes.
>
> It's like saying yeah that 2501 doesn't meet our customer agg requirements
> at our ISP. Of course it doesn't. Wrong product wrong solution.
>
> With that said, from what I see in the field 10s of thousands. I've seen as
> high as 80k.
>
> But, once you get into that many ACLs, IMO there's either an ACL or
> security/network design problem.
>
> tv
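Pete's point that ACL resource exhaustion usually travels with overlapping rules and missing aggregation can be checked mechanically before a box hits its limits. The following is an added example, not code from the thread or from Cisco: it parses a constructed ASA-style extended ACL with Python's ipaddress module and reports entries that an earlier, broader entry already covers (dead rules that never fire) plus same-policy pairs whose source networks could collapse into one supernet. The ACL name, addresses and rule set are made up for the demonstration.

```python
import ipaddress
import re

# Constructed sample (not from the thread); entries 3, 4 and 6 are deliberately redundant.
SAMPLE_ACL = """
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.20 eq 22
access-list OUTSIDE extended permit tcp 198.51.100.128 255.255.255.128 host 203.0.113.10 eq 443
access-list OUTSIDE extended permit tcp 198.51.100.0 255.255.255.128 host 203.0.113.20 eq 22
access-list OUTSIDE extended permit tcp 192.0.2.0 255.255.255.128 host 203.0.113.30 eq 25
access-list OUTSIDE extended permit tcp 192.0.2.128 255.255.255.128 host 203.0.113.30 eq 25
access-list OUTSIDE extended deny ip any any
"""

RULE_RE = re.compile(r"access-list \S+ extended (permit|deny) (\S+) "
                     r"(any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\S+))?$")

def to_net(token):
    """Map an ASA address token ('any', 'host A', 'A MASK') to an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    return ipaddress.ip_network(token.replace(" ", "/"))

def parse_acl(text):
    """Return (action, proto, src_net, dst_net, port) tuples in ACL order; unparsed lines are skipped."""
    matches = (RULE_RE.match(line.strip()) for line in text.strip().splitlines())
    return [(m[1], m[2], to_net(m[3]), to_net(m[4]), m[5]) for m in matches if m]

def covers(a, b):
    """True if rule a matches every packet rule b would match. The action is ignored on
    purpose: a later rule sitting under a broader earlier one never fires either way."""
    return (a[1] in ("ip", b[1]) and b[2].subnet_of(a[2]) and b[3].subnet_of(a[3])
            and (a[4] is None or a[4] == b[4]))

def shadowed(rules):
    """1-based positions of rules that can never match because an earlier rule covers them."""
    return [j + 1 for j in range(len(rules)) if any(covers(rules[i], rules[j]) for i in range(j))]

def aggregation_candidates(rules):
    """1-based pairs identical except for source nets that would merge into one supernet."""
    pairs = []
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            a, b = rules[i], rules[j]
            if ((a[0], a[1], a[3], a[4]) == (b[0], b[1], b[3], b[4]) and a[2] != b[2]
                    and 0 < a[2].prefixlen == b[2].prefixlen and a[2].supernet() == b[2].supernet()):
                pairs.append((i + 1, j + 1))
    return pairs
```

Run `shadowed(parse_acl(SAMPLE_ACL))` and `aggregation_candidates(...)` on a `show running-config access-list` dump to get the positions to review; the shadow check is first-match semantics, so an entry reported as shadowed is pure table weight.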