Moving filters from edge to core
Hi all,

This might be quite a stupid question. But my management is looking at moving the filters from the edge to the core, so as to reduce administration of applying filters on all our edge routers, and minimizing the possibility of non-synchronized filters at the edge.

Does anyone have any advice on this? I believe there are many larger ISPs on this list that have a better way to manage your filters at the edge.

Would appreciate all inputs/comments.

Thanks.

Regards,
Cheeyong
I would tend to keep the filters on the edge, for obvious reasons. Your management would probably agree with this the first time you get attacked coming from each of your edge routers with nothing to protect it from happening.

You could always make a script (PERL) to go out and make the modifications to your edge routers for you.

My $.02,
Mike

On Mon, 28 Jul 2003, Tay Chee Yong wrote:

> Hi all,
>
> This might be quite a stupid question. But my management is looking at moving the filters from the edge to the core, so as to reduce administration of applying filters on all our edge routers, and minimizing the possibility of non-synchronized filters at the edge.
>
> Does anyone have any advice on this? I believe there are many larger ISPs on this list that have a better way to manage your filters at the edge.
>
> Would appreciate all inputs/comments.
>
> Thanks.
>
> Regards,
> Cheeyong

--
////////////////////////////////////////////////////
- Mike Lyon                                        -
- Network Admin/Engineer for hire:                 -
- www.mikelyon.net                                 -
- Cell: 408-621-4826                               -
////////////////////////////////////////////////////
--On Monday, July 28, 2003 12:16 AM -0700 Mike Lyon <mlyon@fitzharris.com> wrote:

> I would tend to keep the filters on the edge, for obvious reasons. Your management would probably agree with this the first time you get attacked coming from each of your edge routers with nothing to protect it from happening.
>
> You could always make a script (PERL) to go out and make the modifications to your edge routers for you.

Got to agree there, the core is not the place to have ACLs. You want the ACL as close to the host as possible, which pretty much means the edge router.

We have a great perl script that we use that uses expect to add and remove deny hosts from our Cisco routers. It uses a show route to find the interface where it needs to filter. If it is not directly connected, it fails and informs the script user. It properly removes the ACL statement from the interface, removes, modifies and re-adds the ACL and reapplies the ACL to the interface.

I did not write the script, so I won't share it here. If you get a chance to go to LISA this year, you can hear the author of the script talk about even cooler ways to kill a host's network connectivity.

Peter Hill
Network Engineer
Carnegie Mellon University

> On Mon, 28 Jul 2003, Tay Chee Yong wrote:
>> Hi all,
>>
>> This might be quite a stupid question. But my management is looking at moving the filters from the edge to the core, so as to reduce administration of applying filters on all our edge routers, and minimizing the possibility of non-synchronized filters at the edge.
>>
>> Does anyone have any advice on this? I believe there are many larger ISPs on this list that have a better way to manage your filters at the edge.
>>
>> Would appreciate all inputs/comments.
>>
>> Thanks.
>>
>> Regards,
>> Cheeyong
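The per-host blocking procedure Peter describes (look the host up in the routing table, refuse unless it is directly connected, unbind the ACL from that interface, rebuild the ACL with the change, bind it again) is easy to get wrong by hand, so here is an added Python example of that planning logic. It is not the CMU Perl/expect script from the thread and not anything Cisco ships; the `show ip route` output, the ACL number 101, the interface names and the documentation-range addresses are all constructed for the example, and it assumes a classic numbered IOS access-list already applied inbound on the interface.

```python
"""Plan an IOS change set that blocks (or unblocks) one host on the interface
where it is directly connected. Added example, not the script from the thread.
Assumptions: classic numbered IOS access-lists, an inbound ACL already bound to
the interface, and `show ip route <host>` output in the IOS format sampled below."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output of `show ip route 192.0.2.42` on the edge router.
# Addresses are from the documentation ranges; a real script would capture this
# over SSH (the thread's script used Perl + expect for that part).
SAMPLE_ROUTE_CONNECTED = """\
Routing entry for 192.0.2.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via GigabitEthernet0/1
      Route metric is 0, traffic share count is 1
"""

# Constructed sample for a host that is reachable only through another router.
SAMPLE_ROUTE_REMOTE = """\
Routing entry for 198.51.100.0/24
  Known via "ospf 1", distance 110, metric 20, type intra area
  Last update from 192.0.2.2 on GigabitEthernet0/0, 00:12:34 ago
  Routing Descriptor Blocks:
  * 192.0.2.2, from 192.0.2.2, 00:12:34 ago, via GigabitEthernet0/0
      Route metric is 20, traffic share count is 1
"""


@dataclass
class RouteLookup:
    prefix: str
    directly_connected: bool
    interface: Optional[str]


def parse_route(output: str) -> RouteLookup:
    """Pull the covering prefix and, if the route is connected, its interface."""
    entry = re.search(r"Routing entry for (\S+)", output)
    if not entry:
        raise ValueError("no routing entry found; host is not routed here")
    conn = re.search(r"directly connected, via (\S+)", output)
    if conn:
        return RouteLookup(entry.group(1), True, conn.group(1))
    return RouteLookup(entry.group(1), False, None)


def can_filter_here(route: RouteLookup) -> bool:
    """The thread's rule: only filter on the router where the host is attached."""
    return route.directly_connected and route.interface is not None


def update_entries(entries: List[str], host: str, action: str) -> List[str]:
    """Return the ACL body with the host's deny line added or removed.
    Entries are given without the 'access-list N' prefix, in IOS order."""
    deny = f"deny ip host {host} any"
    body = [e for e in entries if e != deny]  # removal is idempotent
    if action == "add":
        # A new deny must sit ahead of the first permit, or it never matches.
        first_permit = next((i for i, e in enumerate(body) if e.startswith("permit")), len(body))
        body.insert(first_permit, deny)
    elif action != "remove":
        raise ValueError(f"unknown action {action!r}")
    return body


def build_change(host: str, entries: List[str], acl: int, route: RouteLookup,
                 action: str = "add", direction: str = "in") -> List[str]:
    """Produce configuration lines in the order the thread's script applies them:
    unbind the ACL, delete it, re-create it with the change, bind it again.
    Refuses when the host is not directly connected to this router."""
    ipaddress.ip_address(host)  # rejects anything that is not a literal address
    if not can_filter_here(route):
        raise RuntimeError(f"{host} is not directly connected here (route {route.prefix}); "
                           "filter on the router that owns that subnet instead")
    body = update_entries(entries, host, action)
    cmds = [f"interface {route.interface}",
            f" no ip access-group {acl} {direction}",  # unbind so the rebuild is not live
            "exit",
            f"no access-list {acl}"]  # numbered ACLs cannot be edited in place
    cmds += [f"access-list {acl} {e}" for e in body]
    cmds += [f"interface {route.interface}",
             f" ip access-group {acl} {direction}",
             "exit"]
    return cmds


if __name__ == "__main__":
    route = parse_route(SAMPLE_ROUTE_CONNECTED)
    current = ["deny ip host 192.0.2.7 any", "permit ip any any"]
    for line in build_change("192.0.2.42", current, 101, route):
        print(line)
```

Unbinding before the rebuild matters: a numbered ACL is deleted and re-entered whole, and if it stays applied while half-built, traffic is judged against an incomplete list (possibly just the implicit deny). The cost is a short window with no filter on that interface at all; a named ACL with sequence numbers avoids the rebuild entirely, but the refuse-unless-directly-connected check is the part worth keeping whichever ACL style is in use.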
Hi all,

Apologise for the wrong word used. I was actually referring to border, instead of edge. It's more of the ACL on our border interfaces facing transit/peering providers.

Regards,
Cheeyong

On Mon, 28 Jul 2003, Peter John Hill wrote:

: --On Monday, July 28, 2003 12:16 AM -0700 Mike Lyon <mlyon@fitzharris.com> wrote:
:
: > I would tend to keep the filters on the edge, for obvious reasons. Your
: > management would probably agree with this the first time you get attacked
: > coming from each of your edge routers with nothing to protect it from
: > happening.
: >
: > You could always make a script (PERL) to go out and make the modifications
: > to your edge routers for you.
:
: Got to agree there, the core is not the place to have ACLs. You want the
: ACL as close to the host as possible, which pretty much means the edge
: router.
:
: We have a great perl script that we use that uses expect to add and remove
: deny hosts from our Cisco routers. It uses a show route to find the
: interface where it needs to filter. If it is not directly connected, it
: fails and informs the script user. It properly removes the ACL statement
: from the interface, removes, modifies and re-adds the ACL and reapplies the
: ACL to the interface.
:
: I did not write the script, so I won't share it here. If you get a chance
: to go to LISA this year, you can hear the author of the script talk about
: even cooler ways to kill a host's network connectivity.
:
: Peter Hill
: Network Engineer
: Carnegie Mellon University
:
: > On Mon, 28 Jul 2003, Tay Chee Yong wrote:
: >> Hi all,
: >>
: >> This might be quite a stupid question. But my management is looking at
: >> moving the filters from the edge to the core, so as to reduce administration
: >> of applying filters on all our edge routers, and minimizing the possibility of
: >> non-synchronized filters at the edge.
: >>
: >> Does anyone have any advice on this? I believe there are many larger
: >> ISPs on this list that have a better way to manage your filters at the edge.
: >>
: >> Would appreciate all inputs/comments.
: >>
: >> Thanks.
: >>
: >> Regards,
: >> Cheeyong
Hi Peter, Mike and all those who replied to me,

Thanks very much for all the replies, comments and feedback. Greatly appreciate it. Will look into it and advise my management.

Regards,
Cheeyong

On Mon, 28 Jul 2003, Peter John Hill wrote:

: --On Monday, July 28, 2003 12:16 AM -0700 Mike Lyon <mlyon@fitzharris.com> wrote:
:
: > I would tend to keep the filters on the edge, for obvious reasons. Your
: > management would probably agree with this the first time you get attacked
: > coming from each of your edge routers with nothing to protect it from
: > happening.
: >
: > You could always make a script (PERL) to go out and make the modifications
: > to your edge routers for you.
:
: Got to agree there, the core is not the place to have ACLs. You want the
: ACL as close to the host as possible, which pretty much means the edge
: router.
:
: We have a great perl script that we use that uses expect to add and remove
: deny hosts from our Cisco routers. It uses a show route to find the
: interface where it needs to filter. If it is not directly connected, it
: fails and informs the script user. It properly removes the ACL statement
: from the interface, removes, modifies and re-adds the ACL and reapplies the
: ACL to the interface.
:
: I did not write the script, so I won't share it here. If you get a chance
: to go to LISA this year, you can hear the author of the script talk about
: even cooler ways to kill a host's network connectivity.
:
: Peter Hill
: Network Engineer
: Carnegie Mellon University
:
: > On Mon, 28 Jul 2003, Tay Chee Yong wrote:
: >> Hi all,
: >>
: >> This might be quite a stupid question. But my management is looking at
: >> moving the filters from the edge to the core, so as to reduce administration
: >> of applying filters on all our edge routers, and minimizing the possibility of
: >> non-synchronized filters at the edge.
: >>
: >> Does anyone have any advice on this? I believe there are many larger
: >> ISPs on this list that have a better way to manage your filters at the edge.
: >>
: >> Would appreciate all inputs/comments.
: >>
: >> Thanks.
: >>
: >> Regards,
: >> Cheeyong
participants (3)
- Mike Lyon
- Peter John Hill
- Tay Chee Yong