On Thu, 11 Nov 2004 15:01:36 EST, Leo Bicknell said:
> Having to double the size of every ACL in your network (once for
> the local address, once for the "public" address) does not seem
> simpler. It also seems dangerous, since almost all devices have a
> limit to ACL size. As if larger addresses weren't already enough
> penalty on those boxes, now we have to list each machine twice.
Actually, probably not - in the majority of cases, you can put in *one* ACL that drops (for example) all outbound packets for anything in the /32 and avoid having to list each machine twice. Yes, it's still double - but it's two subnet entries, not two copies of all 2,048 addresses in the subnet.... (Hint - you'd *have* to do it that way - you *can't* enumerate all the possible addresses in an IPv6 /64 unless your router has terabytes of memory...)
