2505 Views | 15 Helpful | 3 Replies

Placement of ACL

arell1234 (Level 1)

We have multiple (15) locations each running their own Cisco router. At Head Office we have a Cisco router that has multiple networks attached to it (Clients LAN, Server LAN, Phone LAN, MGMT LAN). 

 

We want to restrict the access to the Server LAN from the Clients LAN at head office and also want to restrict Server LAN access from all our remote locations. I have configured an inbound Extended ACL on the Clients LAN interface restricting access to the Server LAN at Head office, but now want to roll this out to the remote offices.

 

My question is, should I be going around to each remote router and implementing a similar inbound extended ACL on the remote LAN ports, or create an outbound extended ACL on the Head Office Server LAN interface?

What's the best practice here?


3 Replies

kubn2 (Level 1, accepted solution)

Hi,

Well, best practice for extended ACLs says to place them as close to the source of the traffic as possible (so the remote offices) so as not to waste bandwidth, but this makes a lot of overhead. If the traffic that initiates connections to the server is minor, then I would place the ACL close to the server, as this could be simpler and easier to change in the future when the server gets a new subnet or something.

It depends on the router models, bandwidth and how often you expect to make changes to the ACL.

If you have limited bandwidth available, I would define the ACL on the branch sites before traffic leaves for the HQ. If bandwidth is not an issue, I would apply it on the Server VLAN in the outbound direction; this way you need to maintain only a single ACL, but traffic will go through the VPN tunnel before being discarded.

Either way it sounds like it would be more applicable to deploy a firewall to do the traffic filtering.

Best Regards
Nicolai Borchorst
CCIE Security #65775

Damien Miller (VIP Alumni)

What others have said about the location of the ACL, being as close to the source as possible, is still the suggested way to deploy traditional ACLs. 

You also have the possibility to not provide a route for the traffic sourcing from the remote sites. Either via no route, or a route to null0, the traffic would be dropped before it can leave the branch. This might not be possible if you don't control your own routing. 
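The three placements discussed in the replies, written out as IOS configuration. This is an added example, not configuration from any of the posters; the subnets (10.0.10.0/24 Clients LAN, 10.0.20.0/24 Server LAN, 10.0.30.0/24 Phone LAN, 10.0.40.0/24 MGMT LAN, 10.1.0.0/24 for one branch, 10.1.0.0/16 summarising all branches) and the interface names are constructed.

```cisco
! Option A: filter at the source (branch router), inbound on the branch LAN interface.
! Denied packets never consume WAN/VPN bandwidth, but every branch needs the same ACL.
ip access-list extended BRANCH-TO-HQ-IN
 remark Exceptions go first: branch phones may reach the HQ Phone LAN (constructed subnet)
 permit ip 10.1.0.0 0.0.0.255 10.0.30.0 0.0.0.255
 remark Deny branch LAN to HQ Server LAN; log so the hit counter and syslog show what is blocked
 deny   ip 10.1.0.0 0.0.0.255 10.0.20.0 0.0.0.255 log
 remark Permit everything else, otherwise the implicit deny at the end drops all branch traffic
 permit ip any any
!
interface GigabitEthernet0/1
 description Branch LAN
 ip access-group BRANCH-TO-HQ-IN in

! Option B: filter at the destination (HQ router), outbound on the Server LAN interface.
! A single ACL to maintain, but denied traffic crosses the VPN before being discarded.
ip access-list extended SERVER-LAN-OUT
 remark MGMT LAN may reach the servers
 permit ip 10.0.40.0 0.0.0.255 10.0.20.0 0.0.0.255
 remark Replies to TCP sessions the servers initiated (stateless check on ACK/RST bits)
 permit tcp any 10.0.20.0 0.0.0.255 established
 remark Deny the HQ Clients LAN and all branch LANs (10.1.0.0/16 summary)
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 log
 deny   ip 10.1.0.0 0.0.255.255 10.0.20.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/2
 description Server LAN
 ip access-group SERVER-LAN-OUT out

! Option C: routing-based, on the branch router. A static route to Null0 for the Server LAN
! is more specific than the default/summary route toward HQ, so the traffic is dropped locally.
! Only works when the branch controls its own routing table, as the reply above notes.
ip route 10.0.20.0 255.255.255.0 Null0
```

`show ip access-lists` shows per-entry match counters, which is the quickest way to confirm that the placement you chose is actually matching the traffic you intended to block.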
