ACL best practices (one file with multiple entry or many files with single entry)

Question, updated 4 years ago (edited)
Hi everybody.
I want to add two access profiles to a VLAN. For example:

First
entry block-in-abonvlan {
    if match any {
        ethernet-type 0x8863;
        ethernet-type 0x8864;
    }
    then {
        permit;
    }
}

entry deny {
    if {
    }
    then {
        deny;
    }
}

Second
entry BCAST {
    if {
        ethernet-destination-address ff:ff:ff:ff:ff:ff;
    }
    then {
        count broadcast;
    }
}

entry ACTION {
    if {
        count broadcast > 10000;
        period 10;
    }
    then {
        syslog "It's probably a broadcast storm... Rule $ruleName $ruleValue exceeds limit $ruleThreshold" WARN 120;
    }
}

What is the best way to do this?
  • Two .pol files and two conf access-list commands.
  • Join these .pol files into one file.
eyeV
Posted 4 years ago
Sumit Tokle, Alum
Create one single policy and add all three rules in it.

These matching conditions will be kept in different hardware slices whether you create a single policy file or multiple files.
eyeV
Thank you!
Paul Russo, Alum
Hey eyeV, I agree with Sumit: having one policy is always best because the order of the entries will determine how they are executed. If you have two policies it gets tricky to determine which policy to run first.

Hope that helps.
P
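As an added illustration of the ordering point above (not code from the thread or from Extreme), here is a small Python check that parses entries in the .pol syntax shown in the question and flags every entry placed below a catch-all entry with an empty `if { }`. The merged policy string is constructed for the example; it puts the two files together in the naive order so the catch-all deny lands in the middle.

```python
import re

# Constructed sample (not from the thread): the two .pol files from the
# question merged in the naive order, file one then file two, so the
# catch-all "deny" entry from file one now sits above the BCAST counter.
MERGED_POLICY = """
entry block-in-abonvlan {
    if match any { ethernet-type 0x8863; ethernet-type 0x8864; }
    then { permit; }
}
entry deny {
    if { }
    then { deny; }
}
entry BCAST {
    if { ethernet-destination-address ff:ff:ff:ff:ff:ff; }
    then { count broadcast; }
}
"""

# One "entry NAME { if [match any|all] { ... } then { ... } }" block.
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if(?:\s+match\s+(?:any|all))?\s*\{"
    r"(?P<cond>.*?)\}\s*then\s*\{(?P<act>.*?)\}\s*\}", re.S)

def parse_policy(text):
    """Return [(name, [conditions], [actions])] in file order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        conds = [c.strip() for c in m.group("cond").split(";") if c.strip()]
        acts = [a.strip() for a in m.group("act").split(";") if a.strip()]
        entries.append((m.group("name"), conds, acts))
    return entries

def shadowed_entries(text):
    """Names of entries below a catch-all (empty 'if { }') entry: entries are
    evaluated top-down and the first match wins, so these are unreachable."""
    shadowed, seen_catch_all = [], False
    for name, conds, _ in parse_policy(text):
        if seen_catch_all:
            shadowed.append(name)
        elif not conds:
            seen_catch_all = True
    return shadowed

def suggested_order(text):
    """Entry names with every catch-all entry moved to the end of the policy."""
    entries = parse_policy(text)
    return [n for n, c, _ in entries if c] + [n for n, c, _ in entries if not c]
```

Running `shadowed_entries(MERGED_POLICY)` reports `BCAST` as unreachable, and `suggested_order` puts the deny entry last, which is the order to use when joining the two files.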
eyeV
"If you have two policies it gets tricky to determine which policy to run first."
By the way, how can I determine this order?
Sumit Tokle, Alum
Please read the section "ACL Evaluation Precedence" under the ACL chapter in the EXOS 15.4 Concepts Guide, page 701.
eyeV
Thanks.