I am currently trying to lock down a firewall with only a few accept rules for actual servers/traffic. Since there is some connectivity to the internet needed (like Windows updates and such) we need to filter this with access-lists. With these access-lists i simply create a few ‘ALLOW’ rules for actual traffic and a ‘REJECT’ for all the rest.
Websites like Microsoft have big ranges worldwide and often change from location, it would be impossible to filter this based on IP’s (or even ranges) – so we are going to filter based on AS (Autonomous System) number/path.
as-path access-list xx permit 111
as-path access-list xx permit 111 222
as-path access-list xx permit 111 222 3
This would allow the following paths:
111 222 3
Cisco has the ability to use regular expressions within an as-path filter list. So you could use the following to permit traffic for the above AS numbers:
[code]as-path access-list xx permit ^(_111)+(_222)*(_3)$[/code]
As you can see, a lot shorter and way more flexible !