Stubby Post - Time-based ACLs and Policy-maps

Certain divisions of the company tend to shoot themselves in the foot by kicking off large file transfers during business hours, so I had a thought that maybe we could use time-based ACLs to do some QoSing for those guys. I fired up GNS3 with a 3600 running 12.4(25b) with some virtual PCs on its Ethernet interfaces.

time-range BUSINESSHOURS
 periodic daily 8:00 to 17:00
!
ip access-list extended PINGS
 permit icmp any any time-range BUSINESSHOURS
!
class-map match-all PINGS
 match access-group name PINGS
!
policy-map PM-F0/0-OUT
 class PINGS

First, I set the router’s time to outside of the time range and sent some pings over.

A Quick Intro to Google’s Capirca

Yeled left a comment earlier this week asking if I’d seen Google’s Capirca. I’d heard of it and checked out some presentation slides on it, but I’d never actually tried it out, so, in keeping with the script, I downloaded it to see what it could do. Remember that I’ve been playing with it for only about 2 hours, so I’m no expert on its use.

Capirca is a Python-based solution that Google came up with to automate ACL creation on their many thousands of routers around the world.  You can’t blame them for wanting to automate it, either.  How many times do you think they ran into problems with typos or keying errors from their network guys across those devices?

Object Groups in the ASA/FWSM/PIX

I can’t believe I haven’t talked about object-groups yet.  I had a whole other blog entry written up, and, when I went to link things over, I realized I couldn’t find an intro to it.  Here it goes.

Welcome to the modern world.  A world of wonder.  A world of quickly-advancing technology.  A world where clusters of machines sit behind load balancers for scalability and availability.  A world where those clusters need access to other clusters.  A world where your firewall rulebase gets so big that it’s unreadable without some help.

NAT on a PIX/ASA

NATting sucks and can be confusing. I’m sure everyone agrees with that, but sometimes you have to use it. In a PIX/ASA, it’s easy to configure a simple setup, but it can be super-complicated in larger networks. In a simple lab, we have set up an ASA with inside and outside interfaces, with the inside as your internal network and the outside as the Internet.

The NAT setup here is easy.