08-01-2014 09:58 AM - edited 03-03-2019 07:33 AM
I'd like to use the name in ACL instead of IP address in a Cisco Router! Is it possible? If so, how?
I've already configured the name server and am able to resolve the names in router.
Thanks,
Mehdi
08-01-2014 05:45 PM
Not a good idea and it won't happen. This is because if you use named hosts the router will have to take an EXTRA step to resolve the hostnames to IP addresses. And an extra step means CPU costs. And you don't want unnecessary extra costs to your CPU.
08-02-2014 11:48 AM
But technologically speaking, is it possible to have an ACL in a "router" using names instead of IP (or regexp)?
08-03-2014 03:51 PM
But technologically speaking, is it possible to have an ACL in a "router" using names instead of IP
I am not a firewall guy but I've seen some good people drive firewalls like a dune buggy in a golf course.
You can assign IP addresses an Alias in firewalls. And you can, optionally, assign the alias into a container or group.
But you still need to understand how a router and firewall treat IP addresses and aliases. Firewalls, for instance, don't "understand" an alias. What they do is if they see an alias, they look it up, like what you do when you try to bring up a person's name in your smartphone's contact app. So when you look up the person's contact details, you spend an extra few seconds to:
Same with routers. It is "possible" (I've never seen one) but it costs CPU overhead. And no smart network admin wants to put additional burden on CPU.
07-29-2020 07:50 AM - edited 07-29-2020 07:51 AM
This is a really dumb reason. There are many other platforms that support this without consuming many CPUs.
It is actually rather easy to implement: once a day, you DNS resolve the name to IP and then you program the IP into the TCAM. If the IPs haven't changed, you don't need to reprogram anything.
And a simple DNS request per day, isn't going to skyrocket your CPU....
Even more advanced: every DNS record has a lifetime. You can let the router poll right after the lifetime has expired to automatically get changes. And for security, you put a maximum frequency on the number of refreshes and done...
08-04-2014 09:53 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Don't recall where all it applies, but occasionally you can use DNS-resolved names rather than IPs for some configuration statements. However, when done, configuration does a one-time lookup and converts the DNS name to an IP. Most likely the reason this is done is for the reason Leo notes: you don't want to need to re-resolve a DNS name every time a particular ACE is executed. I.e. it's technically possible, but could create a (really big time) performance issue. Or, consider, normal hosts have a DNS cache, so what should a router's default be for ACLs? What do you do with packets while you wait for (initial) DNS resolution (i.e. queue or drop)? Should the router also do background DNS refreshes before the DNS cache totally times out?
I only mention the above, because such a simple logical request can have an interesting impact.
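The two design sketches above (the 2020 reply's "resolve once, cache, re-resolve when the TTL expires, cap the refresh rate" and Joseph's questions about what a router should do with packets before the first resolution succeeds) can be shown together in a small simulation. This is an added example written for this thread; it is not Cisco code and not anything posted by the participants. The hostname and addresses are constructed (documentation ranges), and the resolver is an injected stand-in so the code runs offline. It chooses "drop" (the entry matches nothing until it has resolved, so the ACL's default deny applies), keeps the last good address set when a refresh fails so a DNS outage never widens the rule, and never re-queries more often than a configured minimum interval, which is the "maximum frequency" the 2020 reply asks for.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A resolver takes a DNS name and returns (addresses, ttl_seconds),
# or raises LookupError on failure. Injected so the example runs offline.
Resolver = Callable[[str], Tuple[List[str], int]]


class FakeDns:
    """Constructed stand-in for a DNS server: name -> (addresses, TTL seconds)."""

    def __init__(self, records: Dict[str, Tuple[List[str], int]]):
        self.records = dict(records)
        self.failing = False  # flip to simulate an unreachable resolver

    def resolve(self, name: str) -> Tuple[List[str], int]:
        if self.failing or name not in self.records:
            raise LookupError(f"cannot resolve {name}")
        addrs, ttl = self.records[name]
        return list(addrs), ttl


@dataclass
class DnsAclEntry:
    """One ACE keyed by a DNS name; the resolved IP set is what packets are matched on."""

    name: str
    action: str                     # "permit" or "deny"
    resolver: Resolver
    min_refresh_interval: int = 60  # cap on re-resolution frequency, in seconds
    ips: frozenset = field(default_factory=frozenset)
    expires_at: Optional[float] = None  # None means never successfully resolved
    last_attempt: Optional[float] = None
    refresh_count: int = 0          # how many DNS queries this entry has issued

    def refresh_if_due(self, now: float) -> bool:
        """Re-resolve once the cached TTL has expired; returns True if the IP set changed."""
        if self.expires_at is not None and now < self.expires_at:
            return False  # cache still valid: no control-plane work on this packet
        if self.last_attempt is not None and now - self.last_attempt < self.min_refresh_interval:
            return False  # rate-limited: keep the stale set rather than hammer DNS
        self.last_attempt = now
        self.refresh_count += 1
        try:
            addrs, ttl = self.resolver(self.name)
        except LookupError:
            return False  # keep the previous set; a failed lookup never widens or clears it
        new_ips = frozenset(ipaddress.ip_address(a) for a in addrs)
        changed = new_ips != self.ips
        self.ips = new_ips
        self.expires_at = now + max(ttl, self.min_refresh_interval)
        return changed

    def matches(self, ip: str, now: float) -> bool:
        self.refresh_if_due(now)
        if self.expires_at is None:
            return False  # never resolved: matches nothing, packet falls to the ACL default
        return ipaddress.ip_address(ip) in self.ips


class DnsAcl:
    """Ordered ACEs with an implicit default action; first match wins."""

    def __init__(self, entries: List[DnsAclEntry], default: str = "deny"):
        self.entries = list(entries)
        self.default = default

    def evaluate(self, src_ip: str, now: float) -> str:
        for entry in self.entries:
            if entry.matches(src_ip, now):
                return entry.action
        return self.default


if __name__ == "__main__":
    dns = FakeDns({"app.example.test": (["192.0.2.10"], 300)})
    acl = DnsAcl([DnsAclEntry("app.example.test", "permit", dns.resolve)])
    print(acl.evaluate("192.0.2.10", now=0))    # permit: first packet triggers the lookup
    dns.records["app.example.test"] = (["192.0.2.11"], 300)
    print(acl.evaluate("192.0.2.11", now=100))  # deny: old set cached until the TTL expires
    print(acl.evaluate("192.0.2.11", now=301))  # permit: re-resolved after the TTL
```

Only the first packet after a TTL expiry costs a DNS query; every other packet is a set lookup, which is the point the 2020 reply makes about CPU cost. The trade-off Joseph raises is visible in the fail-closed choice: a name that never resolves silently blocks traffic, so a real implementation would need to log that state.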
08-08-2014 09:24 AM
Thanks Leo and Joseph for your feedback.
I definitely understand your point and as a matter of fact I found a workaround to fix the issue that I had.
However, for my information, how do you configure a name in an ACL? I don't see any option for that! I can create and use object group, but that's not what I need!
Thanks,
Mehdi
08-09-2014 03:30 AM
As noted, you can use host names in some places in a Cisco config, and they will resolve once when you place in config. Don't recall what statements support that; very likely ACLs do not.