Hi all,

Apologies for the wrong word used. I was actually referring to border, instead of edge. It's more of the ACL on our border interfaces facing transit/peering providers.

regards,
Cheeyong

On Mon, 28 Jul 2003, Peter John Hill wrote:

: --On Monday, July 28, 2003 12:16 AM -0700 Mike Lyon <mlyon@fitzharris.com> wrote:
:
: >
: > I would tend to keep the filters on the edge, for obvious reasons. Your
: > management would probably agree with this the first time you get attacked
: > coming from each of your edge routers with nothing to protect it from
: > happening.
: >
: > You could always make a script (PERL) to go out and make the modifications
: > to your edge routers for you.
:
: Got to agree there, the core is not the place to have ACLs. You want the ACL
: as close to the host as possible, which pretty much means the edge router.
:
: We have a great perl script that we use that uses expect to add and remove
: deny hosts from our cisco routers. It uses a show route to find the interface
: where it needs to filter. If it is not directly connected, it fails and
: informs the script user. It properly removes the ACL statement from the
: interface, removes, modifies and re-adds the ACL and reapplies the ACL to the
: interface.
:
: I did not write the script, so I won't share it here. If you get a chance to
: go to LISA this year, you can hear the author of the script talk about even
: cooler ways to kill a host's network connectivity.
:
: Peter Hill
: Network Engineer
: Carnegie Mellon University
:
: > On Mon, 28 Jul 2003, Tay Chee Yong wrote:
: >> Hi all,
: >>
: >> This might be quite a stupid question. But my management is looking at
: >> moving the filters from the edge to the core, so as to reduce administration
: >> of applying filters on all our edge routers, and minimizing the possibility of
: >> non-synchronized filters at the edge.
: >>
: >> Does anyone have any advice on this? I believe there are many larger
: >> ISPs in this list that have a better way to manage your filters at the edge.
: >>
: >> Would appreciate all inputs/comments.
: >>
: >> Thanks.
: >>
: >> Regards,
: >> Cheeyong
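
The add/remove procedure described in Peter Hill's quoted reply, sketched as an added example; it is not the script he mentions (which was not shared) and not part of the original thread. The interface names, ACL numbers, addresses, the inbound direction and the function names are all constructed assumptions, and the output is a list of IOS configuration-mode commands rather than a live expect session.

```python
import ipaddress

# Constructed sample data: connected routes and the interface each one sits on.
CONNECTED = {
    "192.0.2.0/24": "FastEthernet0/0",
    "198.51.100.0/25": "FastEthernet0/1",
}
# Constructed sample data: numbered ACL applied inbound per interface, with its entries.
ACLS = {
    "FastEthernet0/0": (101, ["permit ip any any"]),
    "FastEthernet0/1": (102, ["deny ip host 198.51.100.7 any", "permit ip any any"]),
}

def find_interface(host, connected):
    """Longest-prefix match over connected routes; None if host is not directly connected."""
    addr = ipaddress.ip_address(host)
    hits = [(ipaddress.ip_network(p), iface) for p, iface in connected.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def plan_change(host, action, connected=CONNECTED, acls=ACLS):
    """Return the command sequence: detach ACL, delete it, re-add modified, reapply."""
    iface = find_interface(host, connected)
    if iface is None:
        # Same behaviour as described: fail and tell the operator instead of guessing.
        raise LookupError(f"{host} is not directly connected; refusing to filter")
    number, entries = acls[iface]
    deny = f"deny ip host {host} any"
    if action == "add":
        # Host denies go ahead of the existing entries; adding twice is a no-op.
        new = entries if deny in entries else [deny] + entries
    elif action == "remove":
        new = [e for e in entries if e != deny]
    else:
        raise ValueError("action must be 'add' or 'remove'")
    return ([f"interface {iface}", f" no ip access-group {number} in", "exit",
             f"no access-list {number}"]
            + [f"access-list {number} {e}" for e in new]
            + [f"interface {iface}", f" ip access-group {number} in", "exit"])

if __name__ == "__main__":
    print("\n".join(plan_change("192.0.2.55", "add")))
```

Between the detach and the reapply the interface carries no inbound filter, so the whole list should be pushed in one session.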