[164225] in North American Network Operators' Group
Re: Egress filters dropping traffic
daemon@ATHENA.MIT.EDU (Saku Ytti)
Mon Jul 1 03:25:12 2013
Date: Mon, 1 Jul 2013 10:24:40 +0300
From: Saku Ytti <saku@ytti.fi>
To: nanog@nanog.org
In-Reply-To: <CAPLq3UNbRFBj=ay5KUbUoFQgk7LJU=-oEq7+woiw-rH-XiVu+g@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On (2013-06-30 22:04 +0530), Glen Kent wrote:
> Under what scenarios do providers install egress ACLs which could say, for
> e.g.:
>
> 1. Allow all IP traffic out on an interface foo if it's coming from source
> IP x.x.x.x/y
> 2. Drop all other IP traffic out on this interface.
Question seems to be 'when do you need to drop packets'; I'm sure 10
different people would give 10 different use-cases.

One use-case for this particular ACL is that the interface is used for MGMT
only, so you allow NMS network and drop everything else.
--
++ytti