Cisco Support Community
New Member

Access list issue in ISP environment

Presently I am working at an ISP, and eventually I felt that the access list is too heavy; our system engineer also suggested that I lighten the access list. In our access list, by default all users are allowed everything and a few ports are closed. What is another way to make the access list lighter? Please tell me what considerations should be kept in mind before I lighten the ACL. At an ISP, different users use different applications and thus they use almost all ports, so how should I implement the access list in this situation?

3 REPLIES
VIP Purple

Re: Access list issue in ISP environment

Hello,

Is it possible to post the access list? If that is a problem, you could blank out all IP addresses and confidential information...

Keep in mind the following rules and best practices when it comes to access lists:

- The access list is always checked top down; that is, when a match is found, no further checks are done. That means that you should put frequently used access list statements at the top of your access list.

- The shorter the access list, the better for performance and throughput. Try to summarize statements as much as possible.

As said before, it would be best if you could post the access list you need to modify.

Regards,

GP
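As an added illustration of GP's two rules (first match wins, so frequently hit entries belong near the top; a shorter list is cheaper), not code from this thread: a small Python model of IOS first-match evaluation that reports how many entries a packet walks through before it is decided, and flags entries that an earlier entry already covers and so can only add length. The ACL it runs over is a constructed sample modelled on the one posted later in the thread, with documentation addresses; the simplified ACE syntax it accepts (any / host / address-and-wildcard, optional eq port) is an assumption of the example.

```python
import ipaddress
# Constructed sample modelled on the ACL posted later in this thread (documentation addresses):
SAMPLE_ACL = [
    "deny tcp any 203.0.113.0 0.0.0.255 eq 445",
    "deny tcp any 203.0.113.0 0.0.0.255 eq 139",
    "deny udp any 203.0.113.0 0.0.0.255 eq 137",
    "deny tcp any 203.0.113.0 0.0.0.255 eq 445",  # exact repeat of entry 1
    "deny ip host 198.51.100.9 any",
    "deny tcp host 198.51.100.9 any eq 80",       # already covered by entry 5
    "permit ip any any",
]

def _network(tok, pos):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at tok[pos]; return (net, next pos)."""
    if tok[pos] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok[pos] == "host":
        return ipaddress.ip_network(tok[pos + 1] + "/32"), pos + 2
    # ipaddress accepts an IOS wildcard as a hostmask (contiguous wildcards only)
    return ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}"), pos + 2

def parse_ace(text):
    """Parse a simplified IOS extended ACE into (action, proto, src, dst, dport)."""
    tok = text.split()
    src, pos = _network(tok, 2)
    dst, pos = _network(tok, pos)
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return tok[0], tok[1], src, dst, dport

def matches(ace, pkt):
    _, proto, src, dst, dport = ace
    p_proto, p_src, p_dst, p_dport = pkt
    return (proto in ("ip", p_proto) and ipaddress.ip_address(p_src) in src
            and ipaddress.ip_address(p_dst) in dst and dport in (None, p_dport))

def evaluate(acl, pkt):
    """First match wins, as on IOS: returns (action, entries examined). Implicit deny at the end."""
    for n, ace in enumerate(acl, 1):
        if matches(ace, pkt):
            return ace[0], n
    return "deny", len(acl)

def shadowed(acl):
    """1-based positions of entries that can never match because an earlier entry covers them."""
    return [j + 1 for j, late in enumerate(acl)
            if any(early[1] in ("ip", late[1]) and late[2].subnet_of(early[2])
                   and late[3].subnet_of(early[3]) and early[4] in (None, late[4])
                   for early in acl[:j])]
ACL = [parse_ace(line) for line in SAMPLE_ACL]
```

A packet that only the final permit decides walks all seven entries, while an SMB packet is decided at entry 1; moving a hot entry up is only safe past entries it does not overlap with, otherwise the policy changes.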

New Member

Re: Access list issue in ISP environment

I'll post it in a few moments, thanks for the suggestion.

Thanks GP

New Member

Re: Access list issue in ISP environment

access-list 1 permit src_IP
access-list 2 permit src_IP
access-list 2 permit src_IP
access-list 3 permit any
access-list 101 permit ip host src_IP any
access-list 101 permit ip any host host_IP
access-list 101 deny icmp any any redirect
access-list 101 deny tcp host host_IP any eq 443
access-list 101 deny icmp host host_IP any
access-list 101 deny tcp any dst_IP eq finger
access-list 101 deny tcp any dst_IP eq nntp
access-list 101 deny tcp src_IP eq uucp
access-list 101 deny tcp src_IP login
access-list 101 deny tcp any dst_IP eq whois
access-list 101 deny tcp any dst_IP eq 42
access-list 101 deny tcp any dst_IP eq 445
access-list 101 deny tcp any dst_IP eq 135
access-list 101 deny tcp any dst_IP eq 137
access-list 101 deny tcp any dst_IP eq 138
access-list 101 deny tcp any dst_IP eq 139
access-list 101 deny tcp any dst_IP eq 1434
access-list 101 deny tcp src_IP any eq 445
access-list 101 deny tcp src_IP any eq 135
access-list 101 deny tcp src_IP any eq 137
access-list 101 deny tcp src_IP any eq 138
access-list 101 deny tcp src_IP any eq 139
access-list 101 deny tcp src_IP any eq 1434
access-list 101 deny udp any dst_IP eq 445
access-list 101 deny udp any dst_IP eq 135
access-list 101 deny udp any dst_IP eq netbios-ns
access-list 101 deny udp any dst_IP eq netbios-dgm
access-list 101 deny udp any dst_IP eq netbios-ss
access-list 101 deny udp any dst_IP eq 1434
access-list 101 deny udp src_IP any eq 445
access-list 101 deny udp src_IP any eq 135
access-list 101 deny udp src_IP any eq netbios-ns
access-list 101 deny udp src_IP any eq netbios-dgm
access-list 101 deny udp src_IP any eq netbios-ss
access-list 101 deny udp src_IP any eq 1434
access-list 101 deny tcp any dst_IP eq 4444
access-list 101 deny tcp any dst_IP eq finger
access-list 101 deny tcp any dst_IP eq nntp
access-list 101 deny tcp any dst_IP eq uucp
access-list 101 deny tcp any dst_IP eq login
access-list 101 deny tcp any dst_IP eq whois
access-list 101 deny tcp any dst_IP eq 42
access-list 101 deny tcp any dst_IP eq 445
access-list 101 deny tcp any dst_IP eq 135
access-list 101 deny tcp any dst_IP eq 137
access-list 101 deny tcp any dst_IP eq 138
access-list 101 deny tcp any dst_IP eq 139
access-list 101 deny tcp any dst_IP eq 1434
access-list 101 deny tcp src_IP any eq 445
access-list 101 deny tcp src_IP any eq 135
access-list 101 deny tcp src_IP any eq 137
access-list 101 deny tcp src_IP any eq 138
access-list 101 deny tcp src_IP any eq 139
access-list 101 deny tcp src_IP any eq 1434
access-list 101 deny udp any dst_IP eq 445
access-list 101 deny udp any dst_IP eq 135
access-list 101 deny udp any dst_IP eq netbios-ns
access-list 101 deny udp any dst_IP eq netbios-dgm
access-list 101 deny udp any dst_IP eq netbios-ss
access-list 101 deny udp any dst_IP eq 1434
access-list 101 deny udp src_IP any eq 445
access-list 101 deny udp src_IP any eq 135
access-list 101 deny udp src_IP any eq netbios-ns
access-list 101 deny udp src_IP any eq netbios-dgm
access-list 101 deny udp src_IP any eq netbios-ss
access-list 101 deny udp src_IP any eq 1434
access-list 101 deny tcp any dst_IP 0.0.255.255 eq 4444
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip src_IP any
access-list 101 deny ip src_IP any
access-list 101 deny ip src_IP any
access-list 101 deny ip src_IP any
access-list 101 permit ip any any
access-list 102 deny ip src_IP any
access-list 102 deny ip src_IP any
access-list 102 permit ip any any
access-list 103 deny icmp any host host_IP
access-list 103 deny ip any host host_IP
access-list 109 deny ip any host host_IP
priority-list 1 protocol ip high tcp 1720
priority-list 1 protocol ip high tcp 1503
priority-list 1 protocol ip normal udp domain
priority-list 1 protocol ip normal tcp www
