04-14-2010 01:27 PM
We have a VPN mesh configured between sites where everything is routed through the main site.
Our ACLs are getting massive and I'm curious whether it would be possible to simplify them as follows:
Current ACL:
ip access-list extended ENCRYPT-ACL
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 10.255.255.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.7.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.110.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.110.0 0.0.0.255 192.168.30.0 0.0.0.255
Could I simplify this by adding an ACL such as this:
permit ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.30.0 0.0.0.255
Also, could the same principle apply in the NO-NAT? As you can imagine, the NO-NAT for this takes up a couple of pages printed out.
Thanks!
04-14-2010 01:29 PM
Hi,
To avoid any overlapping, it would be better to create an object-group with 192.168.3.0 and 192.168.30.0 and then reference the object-group in your ACL.
This will greatly reduce the ACL.
Federico.
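An added check for the summarization proposed in the question and the overlap the answer warns about (example code written for this page, not something either poster ran). It parses the ENCRYPT-ACL as posted and the two proposed summary lines, then reports which original entries the summary no longer covers and which extra (source, destination) subnet pairs it newly matches. It assumes Python 3.7 or later, which accepts an IOS wildcard as a hostmask in `ipaddress.ip_network`; the function names and the `/24`-granularity enumeration are choices made here, not anything from IOS.

```python
# Added check for the summarization discussed above: does the short ACL still
# cover every line of the long one, and what does it match in addition?
import ipaddress
from itertools import product

# The ENCRYPT-ACL as posted in the question.
ORIGINAL_ACL = """
ip access-list extended ENCRYPT-ACL
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 10.255.255.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.60.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.7.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.70.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.80.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.90.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.110.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.30.0 0.0.0.255
permit ip 192.168.110.0 0.0.0.255 192.168.30.0 0.0.0.255
"""

# The two-line replacement proposed in the question.
SUMMARY_ACL = """
permit ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.30.0 0.0.0.255
"""

def parse_ace(line):
    """'permit ip SRC WILD DST WILD' -> (src_net, dst_net). ipaddress accepts
    an IOS wildcard as a hostmask, so 192.168.0.0/0.0.255.255 becomes a /16."""
    parts = line.split()
    if parts[:2] != ["permit", "ip"] or len(parts) != 6:
        raise ValueError(f"unsupported ACE: {line!r}")
    return (ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False),
            ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False))

def parse_acl(text):
    """Parse the permit lines of an ACL, keeping their order."""
    return [parse_ace(l) for l in text.splitlines() if l.startswith("permit")]

def first_match(acl, src_ip, dst_ip):
    """Index of the first ACE matching a flow, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (sn, dn) in enumerate(acl):
        if s in sn and d in dn:
            return i
    return None

def uncovered(original, summary):
    """ACEs of `original` not wholly inside some single ACE of `summary`."""
    return [(s, d) for s, d in original
            if not any(s.subnet_of(S) and d.subnet_of(D) for S, D in summary)]

def extra_flows(original, summary):
    """(src, dst) subnet pairs that `summary` matches but no ACE of `original`
    does, enumerated at the longest prefix length used in either ACL."""
    plen = max(n.prefixlen for ace in original + summary for n in ace)
    seen, extras = set(), []
    for S, D in summary:
        for s, d in product(S.subnets(new_prefix=plen), D.subnets(new_prefix=plen)):
            if (s, d) in seen:
                continue
            seen.add((s, d))
            if not any(s.subnet_of(a) and d.subnet_of(b) for a, b in original):
                extras.append((s, d))
    return extras

if __name__ == "__main__":
    orig, summ = parse_acl(ORIGINAL_ACL), parse_acl(SUMMARY_ACL)
    for s, d in uncovered(orig, summ):
        print(f"dropped by the summary: {s} -> {d}")
    extra = extra_flows(orig, summ)
    print(f"{len(extra)} subnet pairs newly matched, e.g. {extra[0][0]} -> {extra[0][1]}")
```

Run against the posted ACL, the check finds two things a practitioner would want to know before pasting the short version into a crypto map. First, the `10.255.255.0/24 -> 192.168.3.0/24` entry is not inside `192.168.0.0/16` at all, so the summary silently stops encrypting that traffic. Second, the two summary lines match 480 (source /24, destination /24) pairs that the original never did, including flows sourced from `192.168.3.0/24` and `192.168.30.0/24` themselves, which is the overlap the reply cautions about. The same comparison works for an object-group version: expand the group into its equivalent ACEs and pass the result as `summary`.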