Mailing List Archive

isolate virtual access interfaces
Is there an easy way of making all the vpdn sessions terminating under a common vtemplate (through
l2tp) not to be able to see each other (but continue to have access to everywhere else)?

--
Tassos
_______________________________________________
cisco-bba mailing list
cisco-bba@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-bba
Re: isolate virtual access interfaces
Tassos,

A few ideas:

1. Configure an ACL in the vtemplate blocking all egress traffic with
sources from the forbidden range.

2. Configure a route-map for all traffic received over the ppp
sessions, pointing all the traffic to an upstream firewall (which is
next-hop of the LNS), and apply a similar policy as (1).

Arie
CCIE#12198

On 7/6/06, Tassos Chatzithomaoglou <achatz@forthnet.gr> wrote:
> Is there an easy way of making all the vpdn sessions terminating under a common vtemplate (through
> l2tp) not to be able to see each other (but continue to have access to everywhere else)?
Re: isolate virtual access interfaces
Tassos Chatzithomaoglou <> wrote on Thursday, July 06, 2006 12:39 PM:

> Is there an easy way of making all the vpdn sessions terminating
> under a common vtemplate (through l2tp) not to be able to see each
> other (but continue to have access to everywhere else)?

If you can put the subscribers into a VRF (possibly using VRF-lite),
check out the Half-Duplex VRF feature which does exactly what you
require. Platform support for this is limited..

oli

Re: isolate virtual access interfaces
Arie Vayner wrote on 6/7/2006 20:33:
> Tassos,
>
> A few ideas:
>
> 1. Configure an ACL in the vtemplate blocking all egress traffic with
> sources from the forbidden range.
>

That seems an easy one.
I still wonder why I didn't think of this one before.

Thanks Arie ;)

--
Tassos

> 2. Configure a route-map for all traffic received over the ppp
> sessions, pointing all the traffic to an upstream firewall (which is
> next-hop of the LNS), and apply a similar policy as (1).
>
> Arie
> CCIE#12198
>
Re: isolate virtual access interfaces
That would be a very nice implementation (although trickier than simple acls), but according to CCO
it's supported only on 10k.

--
Tassos

Oliver Boehmer (oboehmer) wrote on 6/7/2006 20:54:
> If you can put the subscribers into a VRF (possibly using VRF-lite),
> check out the Half-Duplex VRF feature which does exactly what you
> require. Platform support for this is limited..
>
> oli
>
Re: isolate virtual access interfaces
Something else too...
If the vtemplate gets its IPs from 192.168.1.0/24, would there be any actual difference between the
following two:

1)
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any

int virtual-template 100
ip access-group 100 out

2)
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any

int virtual-template 100
ip access-group 100 in


--
***************************************
Tassos Chatzithomaoglou
Network Design & Development Department
FORTHnet S.A.
<achatz@forthnet.gr>
***************************************
Re: isolate virtual access interfaces
Option #2 would block the packets earlier in the process,
theoretically using less resources. On HW based platforms I think it
would be the same.

Effectively, I do not think there is a big difference...

Arie

On 7/6/06, Tassos Chatzithomaoglou <achatz@forthnet.gr> wrote:
> Something else too...
> If the vtemplate gets its ips from 192.168.1.0/24, would there be any actual difference between the
> following two:
>
> 1)
> access-list 100 deny ip 192.168.1.0 0.0.0.255 any
> access-list 100 permit ip any any
>
> int virtual-template 100
> ip access-group 100 out
>
> 2)
> access-list 100 deny ip any 192.168.1.0 0.0.0.255
> access-list 100 permit ip any any
>
> int virtual-template 100
> ip access-group 100 in
>
>
Re: isolate virtual access interfaces
side note: Option #2 would allow you to plug in an Infrastructure ACL,
i.e. protecting your core network infrastructure addresses..

oli

Arie Vayner <> wrote on Thursday, July 06, 2006 11:35 PM:

> Option #2 would block the packets earlier in the process,
> theoretically using less resources. On HW based platforms I think it
> would be the same.
>
> Effectively, I do not think there is a big difference...
>
> Arie
>
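
Editor's note: the following is an added worked example, not code from the thread or from Cisco. It parses the two numbered ACLs Tassos posted (deny-by-source applied "out" vs. deny-by-destination applied "in"), models where each list is hit on an LNS (the "in" list on the sender's Virtual-Access, the "out" list on the receiver's), and runs both over constructed packets, including a subscriber that forges its source address. It also adds the infrastructure-ACL line Oli's side note suggests. Assumptions not stated in the thread: 10.255.0.0/24 is the LNS loopback/core range, 203.0.113.0/24 stands in for "everywhere else", and no ACL sits on the uplink. The Python `ipaddress` module accepts an IOS wildcard as a hostmask, which is what makes the parser short.

```python
"""Added example (not from the thread or Cisco): evaluate the two IOS ACL
options discussed above against constructed traffic at the LNS.
Assumed: subscriber pool 192.168.1.0/24 (from the thread), LNS/core range
10.255.0.0/24 and outside prefix 203.0.113.0/24 (both assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Network = ipaddress.IPv4Network
POOL = Network("192.168.1.0/24")  # subscriber pool, as in the question


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Network
    dst: Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    from_subscriber: bool  # True: arrives on a Virtual-Access interface


def _target(tokens: List[str], i: int):
    """Consume 'any', 'host A' or 'A W' (IOS wildcard; ipaddress accepts a hostmask)."""
    if tokens[i] == "any":
        return Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Network(f"{tokens[i + 1]}/32"), i + 2
    return Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' lines (numbered extended ACL)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        if t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _target(t, 4)
        dst, _ = _target(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def forward(pkt: Packet, acl_in: Optional[List[Ace]], acl_out: Optional[List[Ace]]) -> str:
    """Model the LNS: 'in' is hit on the sender's Virtual-Access; 'out' only on a
    receiver's Virtual-Access, i.e. when the packet is routed back into the pool."""
    if pkt.from_subscriber and acl_in and evaluate(acl_in, pkt) == "deny":
        return "deny-in"
    if ipaddress.IPv4Address(pkt.dst) in POOL and acl_out and evaluate(acl_out, pkt) == "deny":
        return "deny-out"
    return "permit"


OPTION1_OUT = """
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any
"""
OPTION2_IN = """
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
"""
# Oli's side note: an infrastructure-ACL entry fits the ingress list (assumed
# range; a real iACL would first permit the services subscribers legitimately need).
OPTION2_IN_IACL = """
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 deny ip any 10.255.0.0 0.0.0.255
access-list 100 permit ip any any
"""

# Constructed traffic, including a subscriber that forges its source address.
SCENARIOS: Dict[str, Packet] = {
    "sub->sub": Packet("192.168.1.10", "192.168.1.20", True),
    "sub->outside": Packet("192.168.1.10", "203.0.113.5", True),
    "outside->sub": Packet("203.0.113.5", "192.168.1.10", False),
    "sub->lns": Packet("192.168.1.10", "10.255.0.1", True),
    "spoofed sub->sub": Packet("203.0.113.99", "192.168.1.20", True),
    "spoofed sub->outside": Packet("203.0.113.99", "203.0.113.5", True),
}


def run(option: str) -> Dict[str, str]:
    """Apply one of the thread's options ('1', '2' or '2+iacl') to every scenario."""
    acl = parse_acl({"1": OPTION1_OUT, "2": OPTION2_IN, "2+iacl": OPTION2_IN_IACL}[option])
    acl_in, acl_out = (None, acl) if option == "1" else (acl, None)
    return {name: forward(p, acl_in, acl_out) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for opt in ("1", "2", "2+iacl"):
        print(opt, run(opt))
```

What the run shows: both lists block subscriber-to-subscriber traffic and leave everything else alone, which is the answer to the question as asked. The difference appears with a forged source: option 1 matches on the source address at the receiver's egress, so a subscriber sending to a neighbour with a source outside the pool is forwarded; option 2 matches on the destination at the sender's ingress and drops it regardless of source. Neither list stops forged sources heading out to the Internet; that is a job for strict uRPF (`ip verify unicast source reachable-via rx`) on the template where the platform supports it, a general IOS control the thread does not discuss. Option 2's ingress position is also why an infrastructure-ACL entry slots into the same list, as shown by the "2+iacl" variant. The model ignores that an outbound ACL in IOS does not apply to traffic the router itself originates.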