https://a996c8ee.aww-3cz.pages.dev/tags/acl/ Recent content in Acl on Aaron's Worthless Words Hugo en Wed, 28 Apr 2010 00:00:00 +0000 https://a996c8ee.aww-3cz.pages.dev/posts/2010/04/stubby-post-time-based-acls-and-policy-maps/ Wed, 28 Apr 2010 00:00:00 +0000 https://a996c8ee.aww-3cz.pages.dev/posts/2010/04/stubby-post-time-based-acls-and-policy-maps/ <p>Certain divisions of the company tend to shoot themselves in the foot by kicking off large file transfers during business hours, so I had a thought that maybe we could use time-based ACLs to do some QoSing for those guys. I fired up GNS3 with a 3600 running 12.4(25b) with some virtual PCs on it&rsquo;s Ethernet interfaces.</p> <blockquote> <div class="highlight"><pre tabindex="0" class="chroma"><code data-lang="fallback"><span class="line"><span class="cl">time-range BUSINESSHOURS </span></span><span class="line"><span class="cl"> periodic daily 8:00 to 17:00 </span></span><span class="line"><span class="cl">! </span></span><span class="line"><span class="cl">ip access-list extended PINGS </span></span><span class="line"><span class="cl"> permit icmp any any time-range BUSINESSHOURS </span></span><span class="line"><span class="cl">! </span></span><span class="line"><span class="cl">class-map match-all PINGS </span></span><span class="line"><span class="cl"> match access-group name PINGS </span></span><span class="line"><span class="cl">! </span></span><span class="line"><span class="cl">policy-map PM-F0/0-OUT </span></span><span class="line"><span class="cl"> class PINGS</span></span></code></pre></div></blockquote> <p>First, I set the router&rsquo;s time to outside of the time range and sent some pings over.</p> https://a996c8ee.aww-3cz.pages.dev/posts/2010/04/a-quick-intro-to-googles-capirca/ Sun, 11 Apr 2010 00:00:00 +0000 https://a996c8ee.aww-3cz.pages.dev/posts/2010/04/a-quick-intro-to-googles-capirca/ <p>Yeled left a comment earlier this week asking if I&rsquo;d seen <a href="http://code.google.com/p/capirca/">Google&rsquo;s Capirca</a>.  I&rsquo;d heard of it and checked out some presentation slides on it, but I&rsquo;d never actually tried it out, so, in keeping with the script, I downloaded it to see what it could do.  Remember, now, that I&rsquo;ve been playing with it for about 2 hours now, so I&rsquo;m no expert on its use.</p> <p>Capirca is a Python-based solution that Google came up with to automate ACL creation on their many thousands of routers around the world.  You can&rsquo;t blame them for wanting to automate it, either.  How many times do you think they ran into problems with typos or keying errors from their network guys across those devices?</p> https://a996c8ee.aww-3cz.pages.dev/posts/2009/10/object-groups-in-the-asafwsmpix/ Thu, 01 Oct 2009 00:00:00 +0000 https://a996c8ee.aww-3cz.pages.dev/posts/2009/10/object-groups-in-the-asafwsmpix/ <p>I can&rsquo;t believe I haven&rsquo;t talked about <em>object-groups</em> yet.  I had a whole other blog entry written up, and, when I went to link things over, I realized I couldn&rsquo;t find an intro to it.  Here it goes.</p> <p>Welcome to the modern world.  A world of wonder.  A world of quickly-advancing technology.  A world where clusters of machines sit behind load balancers for scalability and availability.  A world where those clusters need access to other clusters.  A world where your firewall rulebase gets so big that it&rsquo;s unreadable without some help.</p> https://a996c8ee.aww-3cz.pages.dev/posts/2008/03/nat-on-a-pixasa/ Thu, 13 Mar 2008 00:00:00 +0000 https://a996c8ee.aww-3cz.pages.dev/posts/2008/03/nat-on-a-pixasa/ <p>NATting sucks and can be confusing. I&rsquo;m sure everyone agrees to that, but you have to use it at some times. In a PIX/ASA, it&rsquo;s easy to configure a simple setup, but can be super-complicated in larger networks. In a simple lab, we have set up an ASA with inside and outside interfaces, with the inside as your internal and outside as the Internet.</p> <p>The NAT setup here is easy.</p>