Re: Logging

From: Jordyn A. Buchanan <>
Date: Tue, 13 Jan 1998 13:18:00 -0500

At 2:59 PM -0300 1/13/98, ADMINISTRACION RED wrote:
>Hi Ryan!
>You can force the use of the proxy cache implementing an outgoing access
>list in your Cisco. At least we are doing this with some nets and it works
>I suppose the syntax depends on the model you have got. Anyway, these are
>the commands to configure a list in Cisco 2511:
>no access-list [list number]
>access-list [list number] deny tcp [net address] [netmask] any eq 80
>access-list [list number] permit tcp any any
>access-list [list number] permit udp any any
>access-list [list number] permit icmp any any
>Then, you have to declare this list in the correspondant interface.

The last three access-list statements there can be consolidated quite a bit
as follows:

no access-list [list number]
access-list [list number] deny tcp [net address] [netmask] any eq 80
access-list [list number] permit ip any any

(Unless your intention is to block various other IP protocols, which is not
necessarily a bad idea, but seems to be more of an unintended side-effect
of the original configuration rather than an intentional filtering

In any case, you'll put less strain on your router's CPU by making packets
go through the shortest list possible before they hit a match, so
consolidating the rules into the "permit ip" example I give has some
marginal benefit in that regard as well.


|Jordyn A. Buchanan |
|Bestweb Corporation |
|Senior System Administrator +1.914.271.4500 |
Received on Tue Jan 13 1998 - 10:36:04 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:38:24 MST