
New Member

Using name in Access list in Cisco "ROUTER"

I'd like to use the name in ACL instead of IP address in a Cisco Router! Is it possible? If so, how?

I've already configured the name server and am able to resolve the names in router.

 

Thanks,

Mehdi

6 REPLIES
Hall of Fame Super Gold

Not a good idea and it won't happen.  This is because if you use named hosts the router will have to take an EXTRA step to resolve the hostnames to IP addresses.  And an extra step means CPU costs.  And you don't want unnecessary extra costs to your CPU.

New Member

But technologically speaking, is it possible to have an ACL in a "router" using names instead of IP (or regexp)?

Hall of Fame Super Gold

But technologically speaking, is it possible to have an ACL in a "router" using names instead of IP

I am not a firewall guy but I've seen some good people drive firewalls like a dune buggy in a golf course.  

 

You can assign IP addresses an Alias in firewalls.  And you can, optionally, assign the alias into a container or group.  

 

But you still need to understand how a router and firewall treat IP addresses and aliases.  Firewalls, for instance, don't "understand" an alias.  What they do is if they see an alias, they look it up, like what you do when you try to bring up a person's name in your smartphone's contact app.  So when you look up the person's contact details, you spend an extra few seconds to:  

  1. Bring up the app;
  2. Look for the person; 
  3. Decide which contact details to contact; and 
  4. Initiate the call. 

 

Same with routers.  It is "possible" (I've never seen one) but it costs CPU overhead.  And no smart network admin wants to put additional burden on CPU. 

Super Bronze

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Don't recall where all it applies, but occasionally you can use DNS resolved names rather than IPs for some configuration statements.  However, when done, configuration does a one time look up and converts DNS name to IP.  Most likely reason this is done is for the reason Leo notes, you don't want to need to re-resolve a DNS name every time a particular ACE is executed.  I.e. it's technically possible, but could create a (really big time) performance issue.  Or, consider, normal hosts have a DNS cache, so what should a router's default be for ACLs?  What do you do with packets while you wait for (initial) DNS resolution (i.e. queue or drop)?  Should router also do background DNS refreshes before DNS cache totally times out?

I only mention the above, because such a simple logical request can have an interesting impact.
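The trade-off Joseph describes can be made concrete with a small model. The Python below is an added example written for this thread, not code from the thread, from Cisco, or from any router; it does not touch real DNS. It contrasts an ACE that resolved its hostname once at configuration time (a snapshot that silently goes stale when the DNS record moves) with an ACE that re-resolves on demand through a TTL cache, and it counts resolver calls (the CPU cost) and the packets dropped while a lookup is outstanding (one answer to the queue-or-drop question). The zone data, the hostname `app.example.test`, the 192.0.2.0/24 addresses (documentation space) and the packet timing are all constructed for the example.

```python
"""Model of two ways a packet filter could honour a hostname in an ACE.

Constructed example: the DNS data, packet stream and timings are made up;
192.0.2.0/24 is documentation address space, so nothing here refers to a
real host, and no real resolver is contacted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone data: the name points at .10, then is moved to .20 at t=300s.
ZONE_TIMELINE: Dict[str, List[Tuple[int, str]]] = {
    "app.example.test": [(0, "192.0.2.10"), (300, "192.0.2.20")],
}


def lookup(name: str, now: int) -> str:
    """Simulated resolver: the A record in force at time `now` (seconds)."""
    addr = ZONE_TIMELINE[name][0][1]
    for since, ip in ZONE_TIMELINE[name]:
        if now >= since:
            addr = ip
    return addr


@dataclass
class SnapshotAce:
    """ACE that resolved its hostname once, when the line was configured.
    This is the resolve-at-config-time behaviour the post describes: cheap,
    but the stored address is never checked against DNS again."""
    name: str
    ip: str
    lookups: int = 1          # the single config-time lookup
    dropped_pending: int = 0  # never waits on DNS, so never drops for it

    @classmethod
    def configure(cls, name: str, now: int) -> "SnapshotAce":
        return cls(name=name, ip=lookup(name, now))

    def permits(self, src_ip: str, now: int) -> bool:
        return src_ip == self.ip


@dataclass
class CachingAce:
    """ACE that re-resolves the name on demand with a TTL cache.
    While an answer is outstanding (resolver latency) packets are dropped;
    queueing them instead would be the other policy the post raises."""
    name: str
    ttl: int
    latency: int = 1
    ip: Optional[str] = None
    expires: int = -1
    pending_until: Optional[int] = None
    lookups: int = 0
    dropped_pending: int = 0

    def permits(self, src_ip: str, now: int) -> bool:
        if self.ip is None or now >= self.expires:
            if self.pending_until is None:      # cache miss: issue a query
                self.pending_until = now + self.latency
                self.lookups += 1
            if now < self.pending_until:        # answer not back yet: drop
                self.dropped_pending += 1
                return False
            self.ip = lookup(self.name, now)    # answer arrived: refresh cache
            self.expires = now + self.ttl
            self.pending_until = None
        return src_ip == self.ip


def simulate(ttl: int = 120, latency: int = 1) -> Dict[str, Dict[str, int]]:
    """Run a constructed packet stream (one packet a minute for ten minutes,
    always from the address the name *currently* points at) through both
    models and summarise permits, denies and resolver calls."""
    name = "app.example.test"
    snapshot = SnapshotAce.configure(name, now=0)
    caching = CachingAce(name=name, ttl=ttl, latency=latency)
    packets = [(t, lookup(name, t)) for t in range(0, 600, 60)]
    summary: Dict[str, Dict[str, int]] = {}
    for label, ace in (("snapshot", snapshot), ("caching", caching)):
        permitted = sum(1 for t, src in packets if ace.permits(src, t))
        summary[label] = {
            "permitted": permitted,
            "denied": len(packets) - permitted,
            "lookups": ace.lookups,
            "dropped_pending": ace.dropped_pending,
        }
    return summary


if __name__ == "__main__":
    for label, stats in simulate().items():
        print(label, stats)
```

With the defaults, the snapshot ACE does one lookup and then denies every packet after the record moves at t=300, while the caching ACE makes four lookups, drops four packets while waiting on the resolver, and still denies one packet inside a TTL window because its cached answer was stale. Raising `ttl` cuts the lookups but lengthens the stale window; either way the ACE is only as trustworthy as the DNS answer it last received, which is why an IP-based entry (or an object group you maintain yourself) keeps the policy decision inside the device.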

New Member

Thanks Leo and Joseph for your feedback.

I definitely understand your point and as a matter of fact I found a workaround to fix the issue that I had.

However, for my information, how do you configure a name in an ACL? I don't see any option for that! I can create and use object group, but that's not what I need!

Thanks,

Mehdi

Super Bronze


Posting

As noted, you can use host names in some places in a Cisco config, and they will resolve once when you place them in the config.  Don't recall what statements support that; very likely ACLs do not.
