11-07-2005 12:07 AM - edited 03-03-2019 10:54 AM
Presently I am working at an ISP, and eventually I felt that the access list is too heavy; also our system engineer gave me the suggestion to lighten the access list. In our access list, by default all users are allowed everything and a few ports are closed. What is the other way that can lighten the access list? Please tell me your suggestions: what considerations should be kept in mind before I lighten the ACL? In an ISP, different users use different applications and thus they use almost all ports, so how should I implement the access list in this situation?
11-07-2005 12:33 AM
Hello,
Is it possible to post the access list? If that is a problem, you could blank out all IP addresses and confidential information...
Keep in mind the following rules and best practices when it comes to access lists:
- the access list is always checked top down, that is, when a match is found, no further checks are done. That means that you should put frequently used access list statements at the top of your access list
- the shorter the access list, the better for the performance and throughput. Try to summarize statements as much as possible
As said before, it would be best if you could post the access list you need to modify.
Regards,
GP
11-07-2005 01:16 AM
I'll post it after a few moments, thanks for the suggestion.
Thanks GP
11-07-2005 09:55 PM
access-list 1 permit src_IP
access-list 2 permit src_IP
access-list 2 permit src_IP
access-list 3 permit any
access-list 101 permit ip host src_IP any
access-list 101 permit ip any host host_IP
access-list 101 deny icmp any any redirect
access-list 101 deny tcp host host_IP any eq 443
access-list 101 deny icmp host host_IP any
access-list 101 deny tcp any dst_IP eq finger
access-list 101 deny tcp any dst_IP eq nntp
access-list 101 deny tcp src_IP eq uucp
access-list 101 deny tcp src_IP login
access-list 101 deny tcp any dst_IP eq whois
access-list 101 deny tcp any dst_IP eq 42
access-list 101 deny tcp any dst_IP eq 445
access-list 101 deny tcp any dst_IP eq 135
access-list 101 deny tcp any dst_IP eq 137
access-list 101 deny tcp any dst_IP eq 138
access-list 101 deny tcp any dst_IP eq 139
access-list 101 deny tcp any dst_IP eq 1434
access-list 101 deny tcp src_IP any eq 445
access-list 101 deny tcp src_IP any eq 135
access-list 101 deny tcp src_IP any eq 137
access-list 101 deny tcp src_IP any eq 138
access-list 101 deny tcp src_IP any eq 139
access-list 101 deny tcp src_IP any eq 1434
access-list 101 deny udp any dst_IP eq 445
access-list 101 deny udp any dst_IP eq 135
access-list 101 deny udp any dst_IP eq netbios-ns
access-list 101 deny udp any dst_IP eq netbios-dgm
access-list 101 deny udp any dst_IP eq netbios-ss
access-list 101 deny udp any dst_IP eq 1434
access-list 101 deny udp src_IP any eq 445
access-list 101 deny udp src_IP any eq 135
access-list 101 deny udp src_IP any eq netbios-ns
access-list 101 deny udp src_IP any eq netbios-dgm
access-list 101 deny udp src_IP any eq netbios-ss
access-list 101 deny udp src_IP any eq 1434
access-list 101 deny tcp any dst_IP eq 4444
access-list 101 deny tcp any dst_IP eq finger
access-list 101 deny tcp any dst_IP eq nntp
access-list 101 deny tcp any dst_IP eq uucp
access-list 101 deny tcp any dst_IP eq login
access-list 101 deny tcp any dst_IP eq whois
access-list 101 deny tcp any dst_IP eq 42
access-list 101 deny tcp any dst_IP eq 445
access-list 101 deny tcp any dst_IP eq 135
access-list 101 deny tcp any dst_IP eq 137
access-list 101 deny tcp any dst_IP eq 138
access-list 101 deny tcp any dst_IP eq 139
access-list 101 deny tcp any dst_IP eq 1434
access-list 101 deny tcp src_IP any eq 445
access-list 101 deny tcp src_IP any eq 135
access-list 101 deny tcp src_IP any eq 137
access-list 101 deny tcp src_IP any eq 138
access-list 101 deny tcp src_IP any eq 139
access-list 101 deny tcp src_IP any eq 1434
access-list 101 deny udp any dst_IP eq 445
access-list 101 deny udp any dst_IP eq 135
access-list 101 deny udp any dst_IP eq netbios-ns
access-list 101 deny udp any dst_IP eq netbios-dgm
access-list 101 deny udp any dst_IP eq netbios-ss
access-list 101 deny udp any dst_IP eq 1434
access-list 101 deny udp src_IP any eq 445
access-list 101 deny udp src_IP any eq 135
access-list 101 deny udp src_IP any eq netbios-ns
access-list 101 deny udp src_IP any eq netbios-dgm
access-list 101 deny udp src_IP any eq netbios-ss
access-list 101 deny udp src_IP any eq 1434
access-list 101 deny tcp any dst_IP 0.0.255.255 eq 4444
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip src_IP any
access-list 101 deny ip src_IP any
access-list 101 deny ip src_IP any
access-list 101 deny ip src_IP any
access-list 101 permit ip any any
access-list 102 deny ip src_IP any
access-list 102 deny ip src_IP any
access-list 102 permit ip any any
access-list 103 deny icmp any host host_IP
access-list 103 deny ip any host host_IP
access-list 109 deny ip any host host_IP
priority-list 1 protocol ip high tcp 1720
priority-list 1 protocol ip high tcp 1503
priority-list 1 protocol ip normal udp domain
priority-list 1 protocol ip normal tcp www
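GP's two points (the first matching line wins, and a shorter list costs less per packet on a router that walks the ACL in software) and the repetition in the list above (the 445/135/NetBIOS/1434 block appears twice for both TCP and UDP) can both be checked mechanically before anything is cut. The Python below is an added example, not code from this thread or from Cisco. It parses a small constructed extended ACL written in the same syntax as the posted one (the src_IP/dst_IP placeholders replaced with RFC 5737 documentation addresses, and the hit counts invented), evaluates packets top-down the way IOS does including the implicit deny at the end, reports entries that no packet can ever reach because an earlier line already covers them, and re-sorts entries by hit count without ever moving one past an overlapping entry of the opposite action, which is the safety check behind the advice to put frequently used statements at the top. ICMP type keywords, port ranges, source ports and `established` are not modelled.

```python
"""Toy first-match evaluator for Cisco IOS numbered extended ACLs.

Added example for this thread, not code from the original post or from Cisco. It
models what GP's advice relies on: top-down first-match evaluation, the implicit
deny at the end, and which entries can be dropped or reordered. ICMP type keywords,
port ranges and 'established' are not modelled. SAMPLE_ACL and HITS are constructed
(RFC 5737 documentation addresses), not the poster's data.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"finger": 79, "whois": 43, "nntp": 119, "login": 513, "uucp": 540, "www": 80,
              "domain": 53, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
# proto "ip" matches every protocol; dport None means any destination port
Entry = namedtuple("Entry", "action proto src dst dport text")

def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))  # IOS wildcard = inverted netmask
    bits = wild.bit_length()
    if wild != (1 << bits) - 1:
        raise ValueError("non-contiguous wildcard " + tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{32 - bits}", strict=False), i + 2

def parse(line):
    """Return an Entry for an extended (100-199) access-list line, else None."""
    tok = line.split()
    if tok[:1] != ["access-list"] or not 100 <= int(tok[1]) <= 199:
        return None
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, i = _addr(rest, 0)
    dst, i = _addr(rest, i)
    dport = None
    if i < len(rest) and rest[i] == "eq":
        dport = PORT_NAMES.get(rest[i + 1]) or int(rest[i + 1])
    return Entry(action, proto, src, dst, dport, line)

def evaluate(entries, proto, src, dst, dport=None):
    """First match wins: returns (verdict, entries examined); no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, e in enumerate(entries, 1):
        if e.proto in ("ip", proto) and s in e.src and d in e.dst and e.dport in (None, dport):
            return e.action, n
    return "deny", len(entries)

def covers(a, b):
    """True if every packet matching b also matches a, so b is dead when a precedes it."""
    return (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst) and a.dport in (None, b.dport))

def dead_entries(entries):
    """1-based positions no packet can reach: exact duplicates and shadowed lines."""
    return [j + 1 for j, b in enumerate(entries) if any(covers(a, b) for a in entries[:j])]

def overlaps(a, b):
    """True if some packet could match both, so swapping them might change a verdict."""
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto) and a.src.overlaps(b.src)
            and b.dst.overlaps(a.dst) and (None in (a.dport, b.dport) or a.dport == b.dport))

def hoist_by_hits(entries, hits):
    """Bubble frequently hit entries upward, never past an overlapping entry of the other
    action, so every packet keeps the verdict it had before (only the lookup gets shorter)."""
    order = list(range(len(entries)))
    swapped = True
    while swapped:
        swapped = False
        for k in range(len(order) - 1):
            x, y = entries[order[k]], entries[order[k + 1]]
            if hits[order[k + 1]] > hits[order[k]] and (x.action == y.action or not overlaps(x, y)):
                order[k], order[k + 1] = order[k + 1], order[k]
                swapped = True
    return [entries[i] for i in order]

SAMPLE_ACL = """
access-list 101 permit ip host 203.0.113.10 any
access-list 101 deny tcp any host 192.0.2.5 eq 445
access-list 101 deny tcp any host 192.0.2.5 eq 135
access-list 101 deny tcp any 192.0.2.0 0.0.0.255 eq 445
access-list 101 deny udp any host 192.0.2.5 eq netbios-ns
access-list 101 deny tcp any host 192.0.2.5 eq 445
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
""".splitlines()
ENTRIES = [e for e in map(parse, SAMPLE_ACL) if e]
HITS = [5, 1, 1, 1, 40, 0, 2, 30]  # constructed 'show access-lists' match counts per entry

if __name__ == "__main__":
    print(evaluate(ENTRIES, "udp", "198.51.100.7", "192.0.2.5", 137), dead_entries(ENTRIES))
    for e in hoist_by_hits(ENTRIES, HITS):
        print(e.text)
```

Real hit counts come from `show access-lists` on the router; feed them in as HITS and compare the verdicts of the reordered list against the original for a sample of real flows before applying it. Two things the script makes visible that are easy to miss by eye: the sixth sample line is unreachable because line two already covers it (the same situation as the repeated port blocks in the posted list), and the busy NetBIOS entry can only rise to second place because the permit on line one overlaps it with the opposite action. Note also that this ordering advice applies to routers that evaluate ACLs in software; platforms that compile ACLs into TCAM look up all entries in parallel, so there the order only decides which entry matches, not how long the lookup takes.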