
ACL best practices (one file with multiple entry or many files with single entry)

eyeV
New Contributor III
Hi everybody.
I want to add two access profiles to a VLAN. For example:

First
entry block-in-abonvlan {
    if match any {
        ethernet-type 0x8863;
        ethernet-type 0x8864;
    }
    then {
        permit;
    }
}

entry deny {
    if {
    }
    then {
        deny;
    }
}

Second
entry BCAST {
    if {
        ethernet-destination-address ff:ff:ff:ff:ff:ff;
    }
    then {
        count broadcast;
    }
}

entry ACTION {
    if {
        count broadcast > 10000;
        period 10;
    }
    then {
        syslog "It's probably a broadcast storm... Rule $ruleName $ruleValue exceeds limit $ruleThreshold" WARN 120;
    }
}

What is the best way to do this?
  • Two .pol files and two configure access-list commands.
  • Join these .pol files into one file.


eyeV
New Contributor III
Thank you!

Sumit_Tokle
Contributor
Create one single policy and add all three rules to it.

These matching conditions will be kept in different hardware slices whether you create a single policy file or multiple files.
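Merging the two .pol files into the single policy suggested above is easy to get wrong by hand: the first file in the question had a "(" where a "{" belongs, entry names must stay unique, and a catch-all entry like "deny" (empty if block) swallows every entry placed after it, assuming first-match evaluation in file order. The following script is an added example, not code from the thread or from Extreme; it splits policy text into entries, rejects those three mistakes and emits one merged file. The sample policies are constructed to mirror the ones in the question.

```python
import re

ENTRY_RE = re.compile(r"\bentry\s+([\w-]+)\s*([{(])")

def split_entries(text):
    """Return [(name, body)] in file order. Raises on '(' after an entry name or unbalanced braces."""
    entries, pos = [], 0
    while (m := ENTRY_RE.search(text, pos)):
        if m.group(2) != "{":
            raise ValueError(f"entry {m.group(1)}: expected '{{' after entry name")
        depth, i = 0, m.end() - 1          # i starts on the opening brace
        while i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            if depth == 0:                  # matching close brace found
                break
            i += 1
        if depth:
            raise ValueError(f"entry {m.group(1)}: unbalanced braces")
        entries.append((m.group(1), text[m.start():i + 1]))
        pos = i + 1
    return entries

def merge_policies(files):
    """Merge several (filename, text) .pol sources into one policy text.
    Entry names must be unique; entries keep the order given; a catch-all
    entry (empty if block) is only allowed in the last position."""
    merged, seen = [], set()
    for fname, text in files:
        for name, body in split_entries(text):
            if name in seen:
                raise ValueError(f"duplicate entry name {name!r} in {fname}")
            seen.add(name)
            merged.append((name, body))
    for name, body in merged[:-1]:
        if re.search(r"\bif\s*\{\s*\}", body):
            raise ValueError(f"catch-all entry {name!r} would shadow later entries")
    return "\n".join(body for _, body in merged) + "\n"

# Constructed samples modelled on the two policies in the question (not the poster's files).
PPPOE_POL = """entry block-in-abonvlan { if match any { ethernet-type 0x8863; ethernet-type 0x8864; } then { permit; } }
entry deny { if { } then { deny; } }"""
BCAST_POL = """entry BCAST { if { ethernet-destination-address ff:ff:ff:ff:ff:ff; } then { count broadcast; } }
entry ACTION { if { count broadcast > 10000; period 10; } then { syslog "storm" WARN 120; } }"""

if __name__ == "__main__":
    # Broadcast entries first so the catch-all deny stays last in the merged file.
    print(merge_policies([("bcast.pol", BCAST_POL), ("pppoe.pol", PPPOE_POL)]))
```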