1157 Views, 5 Helpful, 4 Replies

Design Question - Where to put up ACL's in MPLS network

tylerlucas
Level 1

We have an MPLS network with about 100 remote branches - all connect back to my Cisco 3845 at the head-end in our datacenter.

I'm wondering how Cisco recommends to use Access-Lists in a situation like this. If I put ACLs on the remote branches, I have to update all 100 sites every time something changes at the datacenter (new subnet, for example). If I don't put ACLs at the remote branches, but instead put them on the 3845, I can make changes easily, but the branches can access each other with no security in-between because the MPLS network is a full mesh.

Any recommendations? Thanks in advance.

1 Accepted Solution

Accepted Solutions

It really depends on your security policy and your acceptance of risk, but honestly it's not an uncommon setup.

Voice, as you say, can change the site-to-site traffic behavior. There are advanced ways to deal with this, such as splitting Voice and Data into different VRFs/VPNs.

Like anything it's a trade-off between security and complexity.

- No ACLs facing the MPLS - Simple but no security

- ACL only at the Data Center facing the MPLS, still pretty simple, some security

- ACLs on all the sites and data center, simple design, but operationally complex, good security

- Hub and Spoke VPN or Overlay network to centralize security policy, complex design, operationally simple, good security.

There isn't really a right answer, it depends on your organization's acceptance of risk and willingness to mitigate those risks.


4 Replies

JoeKeegan3
Level 1

It really depends on the traffic between each of the branch sites.

If there isn't a lot of traffic between each of the branch sites then you can look at deploying a hub-and-spoke VPN, where each remote site has to go through the data center to reach each other.

From an MPLS point of view this involves using a specific RT for each site (or an RT for the remote sites and an RT for the DC), then importing the remote site RTs in the PE connected to the DC and only importing the DC RTs into the PEs connected to branch sites.

This requires all traffic between each of the branch sites to "hairpin" through the DC (i.e. the traffic is sent to the DC and then sent right back out to the cloud). This can get a bit tricky to design from a routing point of view, especially if you want to have the traffic go through a firewall.

Another way to centralize the security policy is to build an overlay network using tunnels (GRE) between the DC and the remote sites over the cloud. Routing design is a bit easier for this, but you have to manage tunnels and your equipment needs to support it.

And depending on the sites you could build Ethernet Virtual Circuits (EVCs) or E-Line service between the sites, which would be similar to the overlay option, but without the tunnels.

Of course this assumes almost all the traffic is Branch Office <--> DC and not much Branch <--> Branch.

If you do have lots of Branch <--> Branch traffic and your security policy requires each site to filter traffic between the branches, then applying ACLs to the CEs is really the only way to do that.

Hope that helps,

Joe
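The route-target mechanics Joe describes, and the point raised in the original question that a hub-only ACL never sees branch-to-branch traffic when the VPN is a full mesh, can be checked with a small model rather than argued. The following Python is an added example written for this thread, not configuration or code from Cisco or from either poster. Site names, prefixes and RT values are constructed; the hub is collapsed into a single VRF that both imports the spoke RT and originates a default route (a real hub PE usually needs a second VRF or sub-interface to hand spoke routes to the hub CE and take the default back), which is enough to show which routes each site learns and which path a packet takes.

```python
"""Model of MPLS L3VPN route-target (RT) import/export and the forwarding
path it produces. With hub-and-spoke RTs every branch-to-branch flow hairpins
through the data-center (hub) PE, where one ACL can see it; with full-mesh RTs
the branches reach each other directly and a hub-only ACL never sees that flow.

Site names, prefixes and RT values below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    export_rts: frozenset        # RTs attached to routes this VRF advertises
    import_rts: frozenset        # RTs this VRF accepts routes for
    local_prefixes: tuple        # prefixes this site originates into the VPN
    table: dict = field(default_factory=dict)   # ip_network -> originating VRF


def distribute_routes(vrfs):
    """Standard RT matching: a VRF installs a route from another VRF only if
    the route's export RTs intersect the receiver's import RTs."""
    for v in vrfs:
        v.table = {ipaddress.ip_network(p): v.name for p in v.local_prefixes}
    for src in vrfs:
        for dst in vrfs:
            if src is dst or not (src.export_rts & dst.import_rts):
                continue
            for p in src.local_prefixes:
                dst.table[ipaddress.ip_network(p)] = src.name
    return {v.name: v for v in vrfs}


def learned_prefixes(vrfs, site):
    """Sorted prefixes present in one site's VRF table."""
    return sorted(str(net) for net in vrfs[site].table)


def lookup(vrf, dst_ip):
    """Longest-prefix match in one VRF; returns the originating VRF name or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, origin in vrf.table.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return best[1] if best else None


def forwarding_path(vrfs, src_site, dst_ip, max_hops=5):
    """Follow per-VRF lookups from src_site until a site that owns dst_ip is
    reached. A trailing None marks a black hole (no usable route)."""
    ip = ipaddress.ip_address(dst_ip)
    path = [src_site]
    cur = vrfs[src_site]
    for _ in range(max_hops):
        # The default route does not make a site the owner of an address.
        owns = any(ip in ipaddress.ip_network(p) and ipaddress.ip_network(p).prefixlen > 0
                   for p in cur.local_prefixes)
        if owns:
            return path
        nxt = lookup(cur, dst_ip)
        if nxt is None or nxt == cur.name:   # nothing, or only a self-originated default
            return path + [None]
        path.append(nxt)
        cur = vrfs[nxt]
    return path + [None]


def hub_acl_sees_flow(vrfs, src_site, dst_ip, hub="DC"):
    """True if the hub is on the path, i.e. an ACL applied only on the hub's
    MPLS-facing interface would inspect this flow."""
    return hub in forwarding_path(vrfs, src_site, dst_ip)


def build_topology(hub_and_spoke):
    """One DC and two branches. Hub-and-spoke: the DC exports HUB_RT and imports
    SPOKE_RT; branches do the opposite, so they learn only DC routes plus the
    DC's default. Full mesh: every site exports and imports the same RT."""
    HUB_RT, SPOKE_RT, MESH_RT = "65000:100", "65000:200", "65000:1"   # constructed
    dc_prefixes = ("10.0.0.0/24", "0.0.0.0/0")   # DC subnet plus a default route
    if hub_and_spoke:
        dc = Vrf("DC", frozenset({HUB_RT}), frozenset({SPOKE_RT}), dc_prefixes)
        a = Vrf("BranchA", frozenset({SPOKE_RT}), frozenset({HUB_RT}), ("10.1.0.0/24",))
        b = Vrf("BranchB", frozenset({SPOKE_RT}), frozenset({HUB_RT}), ("10.2.0.0/24",))
    else:
        mesh = frozenset({MESH_RT})
        dc = Vrf("DC", mesh, mesh, dc_prefixes)
        a = Vrf("BranchA", mesh, mesh, ("10.1.0.0/24",))
        b = Vrf("BranchB", mesh, mesh, ("10.2.0.0/24",))
    return distribute_routes([dc, a, b])


if __name__ == "__main__":
    for mode in (True, False):
        vrfs = build_topology(hub_and_spoke=mode)
        print("hub-and-spoke" if mode else "full mesh",
              "| BranchA routes:", learned_prefixes(vrfs, "BranchA"),
              "| A->B path:", forwarding_path(vrfs, "BranchA", "10.2.0.5"),
              "| hub ACL sees it:", hub_acl_sees_flow(vrfs, "BranchA", "10.2.0.5"))
```

Running it prints the two designs side by side: in hub-and-spoke mode BranchA learns only the DC subnet and the default, and the BranchA-to-BranchB path is BranchA, DC, BranchB, so a single ACL on the 3845's MPLS-facing interface inspects it; in full-mesh mode BranchA learns BranchB's prefix directly and the hub is not on the path, which is exactly the "some security" middle option in the accepted answer. The model also shows the black-hole case (a destination nobody owns ends at the DC's own default), which is the kind of routing detail Joe warns gets tricky once a firewall sits in the hairpin.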

Joe - thanks for the response.

Would it be considered a big security risk to allow the remote branches to talk to each other freely through the MPLS mesh, and have all security policies on the head-end at the 3845?

There is very little traffic going from site to site. There IS voice, though. When I first deployed I was not allowing direct access between sites - I couldn't think of a reason they would need it. Of course once we turned on voice throughout the network, the sites could not hear each other. (Phones would ring since that is handled by the PBX, but actual RTP was not making it, so it was dead air.)

Anyway. I don't mind letting the 3845 handle the security as long as this isn't considered a big risk. All the sites have ONLY MPLS connections, so there is no broadband or anything. They must go through our datacenter.

Thanks again,

Tyler


Thank you for your help