Re: Not a good idea and it won't

Mehdi Talei · ‎08-01-2014

I'd like to use the name in ACL instead of IP address in a Cisco Router! Is it possible? If so, how?

I've already configured the name server and am able to resolve the names in router.

Thanks,

Mehdi

Leo Laohoo · ‎08-01-2014

Not a good idea and it won't happen. This is because if you use named hosts the router will have to take an EXTRA step to resolve the hostnames to IP addresses. And an extra step means CPU costs. And you don't want un-necessary extra costs to your CPU.

Mehdi Talei · ‎08-02-2014

But technologically speaking, is it possible to have an ACL in a "router" using names instead of IP (or regexp)?

Leo Laohoo · ‎08-03-2014

But technologically speaking, is it possible to have an ACL in a "router" using names instead of IP

I am not a firewall guy but I've seen some good people drive firewalls like a dune buggy in a golf course.

You can assign IP addresses an Alias in firewalls. And you can, optionally, assign the alias into a container or group.

But you still need to understand how a router and firewall treat IP addresses and alias. Firewalls, for instance, don't "understand" an alias. What they do is if they see an Alias, they look it up, like what you do when you try to bring up a person's name in your smartphone's contact app. So when you look up the person's contact details, you spend extra few seconds to:

Bring up the app;
Look for the person;
Decide which contact details to contact; and
Initiate the call.

Same with routers. It is "possible" (I've never seen one) but it costs CPU overhead. And no smart network admin wants to put additional burden on CPU.

gnijs · ‎07-29-2020

This is a really dumb reason. There are many other platforms that support this without consuming many CPUs.

It is actually rather easy to implement: once a day, you DNS resolve the name to IP and then you program the IP into the TCAM. If the IPs haven't changed, you don't need to reprogram anything.

And a simple DNS request per day, isn't going to skyrocket your CPU....

Even more advanced: every DNS record has a lifetime. You can let the router poll right after the lifetime has expired to automatically get changes. And for security, you put a maximum frequency on the number of refreshes and done...

Joseph W. Doherty · ‎08-04-2014

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Don't recall where all it applies, but occasionally you can use DNS resolved names rather than IPs for some configuration statements. However, when done, configuration does a one time look up and converts DNS name to IP. Most likely reason this is done is for the reason Leo notes, you don't want to need to re-resolve a DNS name every time a particular ACE is executed. I.e. it's technically possible, but could create a (really big time) performance issue. Or, consider, normal hosts have a DNS cache, so what should a router's default should be for ACLs? What do you do with packets while you wait for (initial) DNS resolution (i.e. queue or drop)? Should router also do background DNS refreshes before DNS cache totally times out?

I only mention the above, because such a simple logical request can have an interesting impact.

Mehdi Talei · ‎08-08-2014

Thanks Leo and Joseph for tour feedback.

I definitely understand your point and as a matter of fact I found a workaround to fix the issue that I had.

However, for my information, how do you configure a name in an ACL? I don't see any option for that! I can create and use object group, but that's not what I need!