
Thread: Access-list versus static routes
dagreer

2001-05-16, 9:25 am

Slightly off-topic, but I couldn't think of a better group of Cisco experts to ask.

We have a connection to a "sister" company over a frame-relay connection.

I static-route their whole address space over to them, but have a small five line access-list to allow only certain subnets back to our network.

My counterpart only static-routes the networks that we need over to us.

On a question of scalability, which is the better path? Currently we are both getting the job done. Note that both companies are $Billion dollar companies and we are using 7206's to terminate the frame at both ends.
dmaftei

2001-05-16, 6:24 pm

Not sure I understand your question. Static routes and access lists serve different purposes.

Cheers!
dagreer

2001-05-16, 9:43 pm

dmaftei,

Normally, you are of course correct. In this situation we are both limiting which subnets from the other network can gain access to our network.

I static route 172.16.0.0 out the T-1 to him, but with an access-list only allow certain subnets to come into my network.

He static routes only a handful of my 10.x.0.0 networks out the T-1 thus allowing only those subnets to access anything on his network. He doesn't use any access-list supposedly.

Both of us are under management direction to limit who has access to network resources. As you can tell it is a bit of a rocky relationship and the proverbial "shields" are up on both sides...
dougla2

2001-05-16, 10:02 pm

Which is a better method for securing your network resources, an ACL or simply static routes to the OK stuff? I would guess that since your networks apparently don't change much, static routing makes sense. But from a security standpoint, you should employ ACLs. I would guess that your NOS has shares/passwords guarding resources as well. I feel like routing and Access Lists are apples and oranges, but would like to hear from the voice of experience on this topic. Good question.
Terje

2001-05-18, 2:35 am

I think I would prefer access-lists. That way you can more easily migrate to dynamic routing later on if you need to. Access lists also give you more flexibility and granularity if you need it. If someone else has to maintain these routers later on, (s)he will understand that access lists are used for security but it may not be so obvious that (the lack of) static routes is used for that purpose. Documentation may help in this case.

The advantage of using routes rather than access lists is speed.

Terje
Yankee

2001-05-18, 5:55 am

If you are only using access lists how does their side know about your networks? There has to be more to this question....

Yankee
dagreer

2001-05-18, 6:42 am

Terje, Yankee,

Thank you for your consideration.

Yankee, I static route the whole 172.16.x.y address space over to them, and use an ACL to limit only certain of their sites into my network.

My counterpart uses only static routes to the networks on "my" network. This causes any packets from an "unwanted" network to simply time out after they hit his side of the T-1.

I like the ACL idea because if someone tries to do a traceroute from his network to mine from an "unwanted" network they will get (at least from routers) a deny on authority, and my router will log the attempt, so that a simple log view will show what needs to happen.
Yankee

2001-05-18, 2:10 pm

Oh....your partner is on the "other" network doing the configuring to point the traffic back to you. Me bad for misreading that the first time!

Your static route does not "go out to him" unless you guys are redistributing routes, and I doubt you are. You are telling your network that to get to the 172.16.0.0 network, go this way. Thus you are not limiting what traffic goes to him, but he limits what traffic gets returned by only supplying those specific routes back. This may mean that you are sending a lot of unnecessary traffic across the T1 that will not know how to get back and therefore is dropped.

I think I would opt for matching static routes on both sides given the choices, but if you were working as a team and both using EIGRP you could limit what routes are exchanged between you with the distribute-list command.

Just my 6 cents

Yankee
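As an added illustration (not configuration from anyone in this thread), the three approaches discussed above side by side in Cisco IOS syntax: dagreer's "route everything, filter inbound with a logged ACL", the counterpart's "only route back what is wanted", and Yankee's distribute-list under EIGRP. The interface names, the next-hop addresses, the 172.16.0.0/16 and 10.0.0.0/8 prefixes and the specific permitted subnets are assumptions chosen to match the thread, not values anyone posted.

```cisco
! ===== Router A (dagreer's side): route the whole partner space, filter inbound =====
! Assumed: frame-relay point-to-point subinterface, partner next hop 192.0.2.2
interface Serial1/0.1 point-to-point
 description Frame-relay PVC to sister company (assumed name)
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
!
! One static route covers the partner's entire address space (dagreer's method)
ip route 172.16.0.0 255.255.0.0 192.0.2.2
!
! Inbound ACL: only the agreed partner subnets may reach 10.0.0.0/8;
! everything else is denied and logged. The deny line is what produces
! the "deny on authority" (ICMP administratively prohibited) seen in a
! traceroute and the syslog entry dagreer refers to.
! (Subnets 172.16.10.0/24 and 172.16.20.0/24 are assumed examples.)
access-list 101 permit ip 172.16.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.16.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny   ip any any log
!
! ===== Router B (counterpart's side): no ACL, only routes for wanted subnets =====
! Traffic from any other 10.x subnet arriving over the PVC has no return
! route here, so replies are dropped silently and the sender times out
! (Yankee's point: the link still carries the unwanted request traffic).
interface Serial1/0.1 point-to-point
 ip address 192.0.2.2 255.255.255.252
!
ip route 10.1.0.0 255.255.0.0 192.0.2.1
ip route 10.2.0.0 255.255.0.0 192.0.2.1
!
! ===== Alternative Yankee mentions: EIGRP with a distribute-list =====
! If both sides ran EIGRP (AS number 100 assumed), each could advertise
! only the agreed prefixes instead of relying on hand-kept static routes.
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 10 permit 10.2.0.0 0.0.255.255
!
router eigrp 100
 network 10.0.0.0
 network 192.0.2.0 0.0.0.3
 distribute-list 10 out Serial1/0.1
 no auto-summary
```

The deny-with-log line is the operationally useful difference: with routes alone there is nothing to review, whereas the ACL produces %SEC-6-IPACCESSLOG* syslog messages that show which unwanted subnet tried to cross the link. Note that the distribute-list only controls what is advertised; it is a routing control, and Router A's inbound ACL would still be the piece that enforces and records the policy.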
Copyright 2003 - 2008 examnotes.net