On Mar 24, 2010, at 6:51 PM, Saku Ytti wrote:

> Take hosting customer, their default GW is PE, would you add all of these
> addresses to 100k's of iACL whenever new customer is provisioned?

Apologies, I don't get it.  

There's a 'permit IP any any' at the end of the iACL after the explicit denies 
for one's own netblocks; for something which you want pingable via hosting/colo 
customers, like a default gateway in the case you describe, just use QoS.

Note that the default gateway will be drawn from the access netblocks, not the 
infrastructure netblocks covered by the iACL.

There's no need to add all the hosting/colo customers to the iACLs, that I can 
see . . . 

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken




_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
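
The iACL layout described in the message above, as an added IOS-style configuration example that is not part of the original post. The prefixes are constructed (RFC 5737 documentation ranges), and the ACL, class, policy and interface names are hypothetical. Policing ICMP on the customer-facing interface is one assumed way to apply the QoS the message mentions.

```cisco
! Constructed example: addresses and names are placeholders, not from the thread.
! 198.51.100.0/24 = infrastructure netblock (loopbacks, core links)
! 203.0.113.0/24  = access netblock; 203.0.113.1 is the customers' default GW on the PE
!
ip access-list extended IACL-EDGE-IN
 remark explicit denies for one's own infrastructure netblocks
 deny   ip any 198.51.100.0 0.0.0.255
 remark everything else passes, including traffic to the access netblocks
 permit ip any any
!
! The gateway address is in the access netblock, so no deny above matches it
! and the iACL needs no per-customer entries. Its pingability is bounded
! with a policer instead (assumed reading of "just use QoS").
ip access-list extended ICMP-TO-GATEWAY
 permit icmp any host 203.0.113.1
!
class-map match-all CM-ICMP-TO-GATEWAY
 match access-group name ICMP-TO-GATEWAY
!
policy-map PM-CUSTOMER-IN
 class CM-ICMP-TO-GATEWAY
  police 64000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/0
 description network edge (hypothetical)
 ip access-group IACL-EDGE-IN in
!
interface GigabitEthernet0/1
 description hosting customer segment (hypothetical)
 ip address 203.0.113.1 255.255.255.0
 service-policy input PM-CUSTOMER-IN
```

Provisioning another customer in 203.0.113.0/24, or adding another access netblock, leaves IACL-EDGE-IN unchanged; only a new infrastructure netblock would add a deny line.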
