Moving filters from edge to core

Tay Chee Yong tcy at pacific.net.sg
Mon Jul 28 16:24:51 UTC 2003


Hi all,

Apologise for the wrong word used. I was actually referring to border,
instead of edge. It's more of the ACL on our border interfaces facing
transit/peering providers.

regards,
Cheeyong

On Mon, 28 Jul 2003, Peter John Hill wrote:

: --On Monday, July 28, 2003 12:16 AM -0700 Mike Lyon <mlyon at fitzharris.com> wrote:
:
: >
: > I would tend to keep the filters on the edge, for obvious reasons. Your
: > management would probably agree with this the first time you get attacked
: > coming from each of your edge routers with nothing to protect it from
: > happening.
: >
: > You could always make a script (PERL) to go out and make the modifications
: > to your edge routers for you.
:
: Got to agree there, the core is not the place to have ACLs. You want the ACL as close to the host as possible, which pretty much means the edge
: router.
:
: We have a great perl script that we use that uses expect to add and remove deny hosts from our Cisco routers. It uses a show route to find the
: interface where it needs to filter. If it is not directly connected, it fails and informs the script user. It properly removes the ACL statement from
: the interface, removes, modifies and re-adds the ACL and reapplies the ACL to the interface.
:
: I did not write the script, so I won't share it here. If you get a chance to go to LISA this year, you can hear the author of the script talk about
: even cooler ways to kill a host's network connectivity.
:
: Peter Hill
: Network Engineer
: Carnegie Mellon University
:
:
:
:
: > On Mon, 28 Jul 2003, Tay Chee Yong wrote:
: >> Hi all,
: >>
: >> This might be quite a stupid question. But my management is looking at
: >> moving the filters from the edge to the core, so as to reduce administration
: >> of applying filters on all our edge routers, and minimizing the possibility of
: >> non-synchronized filters at the edge.
: >>
: >> Does anyone have any advice on this? I believe there are many larger
: >> ISPs on this list that have a better way to manage your filters at the edge.
: >>
: >> Would appreciate all inputs/comments.
: >>
: >> Thanks.
: >>
: >> Regards,
: >> Cheeyong
:
:
:
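As an added illustration, not Peter's script (which he says he did not write and will not share), here is a Python sketch of the workflow he describes: parse `show ip route` output for the host, refuse unless the route is directly connected, then generate the IOS commands that detach the ACL from that interface, rebuild it with the new deny, and reattach it. The sample route output, the ACL number 110 and the existing rule list are constructed; the code only produces commands and does not log in to a router.

```python
import re

# Constructed sample of `show ip route 192.0.2.77` output (connected case).
SAMPLE_CONNECTED = """\
Routing entry for 192.0.2.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via FastEthernet0/1
      Route metric is 0, traffic share count is 1
"""

# Constructed sample for a host learned via BGP, i.e. not local to this router.
SAMPLE_REMOTE = """\
Routing entry for 198.51.100.0/24
  Known via "bgp 64496", distance 20, metric 0
  Routing Descriptor Blocks:
  * 203.0.113.1, from 203.0.113.1, 00:12:03 ago
      Route metric is 0, traffic share count is 1
"""

def connected_interface(show_route_output):
    """Interface name when the route is directly connected, else None."""
    m = re.search(r"directly connected, via (\S+)", show_route_output)
    return m.group(1) if m else None

def deny_host_commands(host, acl_number, existing_rules, iface, direction="in"):
    """IOS commands: detach the ACL, rebuild it with the deny first, reattach it.

    existing_rules are the current lines without the 'access-list N ' prefix,
    e.g. ["permit ip any any"]; the deny goes ahead of them and is not duplicated.
    """
    deny = f"deny ip host {host} any"
    rules = [deny] + [r for r in existing_rules if r != deny]
    cmds = ["configure terminal", f"interface {iface}",
            f"no ip access-group {acl_number} {direction}", "exit",
            f"no access-list {acl_number}"]
    cmds += [f"access-list {acl_number} {r}" for r in rules]
    cmds += [f"interface {iface}", f"ip access-group {acl_number} {direction}", "end"]
    return cmds

def block_host(host, show_route_output, acl_number, existing_rules):
    """Whole flow; refuses when the host is not directly connected, as the script does."""
    iface = connected_interface(show_route_output)
    if iface is None:
        raise ValueError(f"{host} not directly connected; filter it on its own edge router")
    return deny_host_commands(host, acl_number, existing_rules, iface)
```

Detaching the ACL before rebuilding it matters because `no access-list N` empties the whole list, and an empty list bound to an interface would briefly behave differently from the intended filter.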