Mailing List Archive

cisco ACL filter outbound only
Hello,


    I have some gear that needs a public ip, but does not have the best
security profile, and I want to put up an ACL that only permits this
gear to make outbound connections while dropping all inbound. My router
is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
copy/paste acl for this type of job?


Thank you.


_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: cisco ACL filter outbound only [ In reply to ]
Mike wrote on 15/09/2020 02:17:
>     I have some gear that needs a public ip, but does not have the best
> security profile, and I want to put up an ACL that only permits this
> gear to make outbound connections while dropping all inbound. My router
> is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
> copy/paste acl for this type of job?

you're mixing up a packet filtering ACL with a firewall ACL.

A packet filter with this sort of ACL will block all inbound traffic,
i.e. the performance will be terrific but everything will break because
return traffic will be blocked (e.g. tcp syns/acks, etc).

A firewall rule will enable dynamic outbound state management, which
seems to be what you want, but the ASR920 doesn't support it.

You need a firewall for this, not a router.

Nick
Re: cisco ACL filter outbound only [ In reply to ]
On 9/15/20 3:12 AM, Nick Hilliard wrote:
> Mike wrote on 15/09/2020 02:17:
>>      I have some gear that needs a public ip, but does not have the best
>> security profile, and I want to put up an ACL that only permits this
>> gear to make outbound connections while dropping all inbound. My router
>> is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
>> copy/paste acl for this type of job?
>
> you're mixing up a packet filtering ACL with a firewall ACL.
>
> A packet filter with this sort of ACL will block all inbound traffic,
> i.e. the performance will be terrific but everything will break
> because return traffic will be blocked (e.g. tcp syns/acks, etc).
>
> A firewall rule will enable dynamic outbound state management, which
> seems to be what you want, but the ASR920 doesn't support it.
>
> You need a firewall for this, not a router.
>
> Nick


I ask because online cisco docs as well as the command line indicate
support for matching 'established' connections, as well as combinations
of flags:

rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  ttl          Match packets with given TTL value
  urg          Match on the URG bit
  <cr>


It just seems to me that it is indeed possible using the above to put it
together. Is this all just non-working on this platform?


Mike-

Re: cisco ACL filter outbound only [ In reply to ]
It would probably help if you elaborated on what type of connections will be established through/from the device in question.

Sent from my iPhone

> On Sep 15, 2020, at 9:45 AM, Mike <mike+lists@yourtownonline.com> wrote:
>
> On 9/15/20 3:12 AM, Nick Hilliard wrote:
>> Mike wrote on 15/09/2020 02:17:
>>> I have some gear that needs a public ip, but does not have the best
>>> security profile, and I want to put up an ACL that only permits this
>>> gear to make outbound connections while dropping all inbound. My router
>>> is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
>>> copy/paste acl for this type of job?
>>
>> you're mixing up a packet filtering ACL with a firewall ACL.
>>
>> A packet filter with this sort of ACL will block all inbound traffic,
>> i.e. the performance will be terrific but everything will break
>> because return traffic will be blocked (e.g. tcp syns/acks, etc).
>>
>> A firewall rule will enable dynamic outbound state management, which
>> seems to be what you want, but the ASR920 doesn't support it.
>>
>> You need a firewall for this, not a router.
>>
>> Nick
>
>
> I ask because online cisco docs as well as the command line indicate
> support for matching 'established' connections, as well as combinations
> of flags:
>
> rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
> ack Match on the ACK bit
> dscp Match packets with given dscp value
> eq Match only packets on a given port number
> established Match established connections
> fin Match on the FIN bit
> fragments Check non-initial fragments
> gt Match only packets with a greater port number
> log Log matches against this entry
> log-input Log matches against this entry, including input interface
> lt Match only packets with a lower port number
> match-all Match if all specified flags are present
> match-any Match if any specified flag is present
> neq Match only packets not on a given port number
> option Match packets with given IP Options value
> precedence Match packets with given precedence value
> psh Match on the PSH bit
> range Match only packets in the range of port numbers
> rst Match on the RST bit
> syn Match on the SYN bit
> time-range Specify a time-range
> tos Match packets with given TOS value
> ttl Match packets with given TTL value
> urg Match on the URG bit
> <cr>
>
>
> It just seems to me that it is indeed possible using the above to put it
> together. Is this all just non-working on this platform?
>
>
> Mike-
>
Re: cisco ACL filter outbound only [ In reply to ]
On 9/15/20 8:08 AM, Brian Turnbow wrote:
>> It just seems to me that it is indeed possible using the above to put it
>> together. Is this all just non-working on this platform?
>>
> The difference is in connection state.
> An ACL does not track it so you can do
> Permit tcp any any established
> Inbound or outbound on a port , but that will only check that the ip packet has ack or rst set for the tcp session .
> I can still send you an inbound tcp packet with ack or rst set even if it did not originate from "inside" and pass your filter.
> It will also not help in any way for udp etc
> The ACL does not know that a first packet was sent out so it should await a response
> This is why you need a firewall be it on the router or external.
>
Hi,

    Again, the cli seems to indicate support for all the things
necessary, which includes the idea of 'established', which is why I ask
if THIS platform does in fact do what the cli suggests:

rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  ttl          Match packets with given TTL value
  urg          Match on the URG bit
  <cr>

Re: cisco ACL filter outbound only [ In reply to ]
As with all things... Try it and find out
gns3.com
or
https://developer.cisco.com/modeling-labs/
or
Production

-GarrettSkj

On Tue, Sep 15, 2020 at 9:11 AM Brian Turnbow via cisco-nsp <
cisco-nsp@puck.nether.net> wrote:

>
>
>
> ---------- Forwarded message ----------
> From: Brian Turnbow <b.turnbow@twt.it>
> To: Mike <mike+lists@yourtownonline.com>, "cisco-nsp@puck.nether.net" <
> cisco-nsp@puck.nether.net>
> Cc:
> Bcc:
> Date: Tue, 15 Sep 2020 16:10:01 +0000
> Subject: RE: [c-nsp] cisco ACL filter outbound only
> >
> > Again, the cli seems to indicate support for all the things necessary, which
> > includes the idea of 'established', which is why I ask if THIS platform does in
> > fact do what the cli suggests:
> >
>
> No it doesn't
> You need to understand what established does.
> It matches TCP datagrams with ACK or RST set . That is it.
> Here is a manual regarding setting up acls that may help you
>
> https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-create-ip-apply.html
>
> Brian
>
>
>
> ---------- Forwarded message ----------
> From: Brian Turnbow via cisco-nsp <cisco-nsp@puck.nether.net>
> To: Mike <mike+lists@yourtownonline.com>, "cisco-nsp@puck.nether.net" <
> cisco-nsp@puck.nether.net>
> Cc:
> Bcc:
> Date: Tue, 15 Sep 2020 16:10:01 +0000
> Subject: Re: [c-nsp] cisco ACL filter outbound only
Re: cisco ACL filter outbound only [ In reply to ]
> Again, the cli seems to indicate support for all the things
> necessary, which includes the idea of 'established', which is why I ask
> if THIS platform does in fact do what the cli suggests:

No, the ASR920 (Unless it's hiding in a recent IOS release), does not do any kind of state tracking. You'll be better served looking at the ISR or Firewall families for that.

What you're seeing in the CLI is pretty commonplace these days - to be fair, not just with Cisco - where an un-supported feature is 'left in' the command line.

If in doubt, try it. Worst case it won't work, and then you can bounce the config off TAC to get one of their "unsupported configuration" canned responses. :]
________________________________________
From: cisco-nsp <cisco-nsp-bounces@puck.nether.net> on behalf of Mike <mike+lists@yourtownonline.com>
Sent: Tuesday, September 15, 2020 8:52 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] cisco ACL filter outbound only

On 9/15/20 8:08 AM, Brian Turnbow wrote:
>> It just seems to me that it is indeed possible using the above to put it
>> together. Is this all just non-working on this platform?
>>
> The difference is in connection state.
> An ACL does not track it so you can do
> Permit tcp any any established
> Inbound or outbound on a port , but that will only check that the ip packet has ack or rst set for the tcp session .
> I can still send you an inbound tcp packet with ack or rst set even if it did not originate from "inside" and pass your filter.
> It will also not help in any way for udp etc
> The ACL does not know that a first packet was sent out so it should await a response
> This is why you need a firewall be it on the router or external.
>
Hi,

Again, the cli seems to indicate support for all the things
necessary, which includes the idea of 'established', which is why I ask
if THIS platform does in fact do what the cli suggests:

rvhs-asr920(config-ext-nacl)#permit tcp 0.0.0.0 0.0.0.0 any ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
match-all Match if all specified flags are present
match-any Match if any specified flag is present
neq Match only packets not on a given port number
option Match packets with given IP Options value
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
ttl Match packets with given TTL value
urg Match on the URG bit
<cr>

Re: cisco ACL filter outbound only [ In reply to ]
Hi Mike,

Not a Cisco solution, but you might look into a
pfsense/opnsense/ipfire/whatever appliance - either physical or
virtual.  Even a UBNT edgerouter can do basic stateful stuff if you have
one lying around.
All of these are inexpensive and (probably?) do what you need done. The
first few you can install into a VM to play with by downloading an ISO. 
The edgerouter you'd have to fake with vyos/vyatta.

Tim

On 9/14/20 7:17 PM, Mike wrote:
> Hello,
>
>
>     I have some gear that needs a public ip, but does not have the best
> security profile, and I want to put up an ACL that only permits this
> gear to make outbound connections while dropping all inbound. My router
> is an ASR920 running IOS-XE 03.17.03.S. Does anyone have a simple
> copy/paste acl for this type of job?
>
>
> Thank you.
>
>
Re: cisco ACL filter outbound only [ In reply to ]
Actually standard packet filtering is supported by all Cisco products,
and most others as well. Packet filters do not do state tracking. The
packet filters you want will only work for TCP. You need to block
everything else.

outbound on the interface to "the rest of the universe":
permit tcp <source> any
deny ip <source> any
... whatever other shit you want to permit to go out ...

inbound on the interface from "the rest of the universe":
permit tcp any <source> extablished
deny ip any <source>
... whatever other shit you want to permit to go in ...

Cisco (and others) have worked this way for about 40 years.

--
Be decisive. Make a decision, right or wrong. The road of life is
paved with flat squirrels who could not make a decision.

>-----Original Message-----
>From: cisco-nsp <cisco-nsp-bounces@puck.nether.net> On Behalf Of Emille
>Blanc
>Sent: Tuesday, 15 September, 2020 10:20
>To: Mike <mike+lists@yourtownonline.com>; cisco-nsp@puck.nether.net
>Subject: Re: [c-nsp] cisco ACL filter outbound only
>
>> Again, the cli seems to indicate support for all the things
>> necessary, which includes the idea of 'established', which is why I ask
>> if THIS platform does in fact do what the cli suggests:
>
>No, the ASR920 (Unless it's hiding in a recent IOS release), does not do
>any kind of state tracking. You'll be better served looking at the ISR
>or Firewall families for that.
>
>What you're seeing in the CLI is pretty commonplace these days - to be
>fair, not just with Cisco - where an un-supported feature is 'left in'
>the command line.
>
>If in doubt, try it. Worst case it won't work, and then you can bounce
>the config off TAC to get one of their "unsupported configuration" canned
>responses. :]
Re: cisco ACL filter outbound only [ In reply to ]
ooops. extablished is of course a typo and should be established.
Basically that means the ACK bit is set.


--
Be decisive. Make a decision, right or wrong. The road of life is
paved with flat squirrels who could not make a decision.

>-----Original Message-----
>From: Keith Medcalf <kmedcalf@dessus.com>
>Sent: Wednesday, 16 September, 2020 04:39
>To: 'cisco-nsp@puck.nether.net' <cisco-nsp@puck.nether.net>
>Subject: RE: [c-nsp] cisco ACL filter outbound only
>
>
>Actually standard packet filtering is supported by all Cisco products,
>and most others as well. Packet filters do not do state tracking. The
>packet filters you want will only work for TCP. You need to block
>everything else.
>
>outbound on the interface to "the rest of the universe":
>permit tcp <source> any
>deny ip <source> any
>... whatever other shit you want to permit to go out ...
>
>inbound on the interface from "the rest of the universe":
>permit tcp any <source> extablished
>deny ip any <source>
>... whatever other shit you want to permit to go in ...
>
>Cisco (and others) have worked this way for about 40 years.
>
>--
>Be decisive. Make a decision, right or wrong. The road of life is
>paved with flat squirrels who could not make a decision.
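
Added example (not written by any poster in this thread): a small Python model of the point made in the replies, that `established` only tests whether ACK or RST is set in the TCP header, while a stateful filter remembers which flows the device opened. The addresses, ports, the `GEAR` name and the simplified tracker (no timeouts, no TCP state machine) are assumptions, and the packet trace is constructed.

```python
from dataclasses import dataclass

GEAR = "192.0.2.10"  # assumed address of the protected device (documentation range)


@dataclass(frozen=True)
class Pkt:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN", "ACK"}


def acl_permits(pkt, direction):
    """Stateless verdict for the two ACLs sketched in the thread."""
    if direction == "out":
        # permit tcp <source> any / deny ip <source> any
        return pkt.proto == "tcp"
    # permit tcp any <source> established / deny ip any <source>
    # 'established' looks only at this packet's header: ACK or RST set.
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Minimal connection tracker: inbound is allowed only as the reverse
    of a flow the device itself opened (simplified, hypothetical model)."""

    def __init__(self):
        self.flows = set()

    def permits(self, pkt, direction):
        if direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Reverse the 5-tuple and look for a matching outbound flow.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def tcp(src, sport, dst, dport, *flags):
    return Pkt("tcp", src, sport, dst, dport, frozenset(flags))


# Constructed trace: (label, direction relative to the device, packet)
TRACE = [
    ("out SYN to web server", "out", tcp(GEAR, 40000, "198.51.100.5", 443, "SYN")),
    ("in SYN/ACK reply", "in", tcp("198.51.100.5", 443, GEAR, 40000, "SYN", "ACK")),
    ("in unsolicited SYN", "in", tcp("203.0.113.7", 51000, GEAR, 22, "SYN")),
    ("in unsolicited ACK", "in", tcp("203.0.113.7", 51000, GEAR, 22, "ACK")),
    ("in unsolicited RST", "in", tcp("203.0.113.7", 51000, GEAR, 22, "RST")),
    ("out UDP DNS query", "out", Pkt("udp", GEAR, 53000, "198.51.100.53", 53)),
    ("in UDP DNS reply", "in", Pkt("udp", "198.51.100.53", 53, GEAR, 53000)),
]


def compare(trace=TRACE):
    """Return (label, acl_verdict, stateful_verdict) for each packet."""
    fw = StatefulFilter()
    return [(label, acl_permits(p, d), fw.permits(p, d)) for label, d, p in trace]


if __name__ == "__main__":
    for label, acl, fw in compare():
        print(f"{label:24} acl={'permit' if acl else 'deny':6} "
              f"stateful={'permit' if fw else 'deny'}")
```

The rows where the two verdicts differ are the ones the thread argues about: inbound ACK or RST segments with no matching outbound flow pass the ACL, and UDP gets no help from `established` at all.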