11-03-2020 09:03 AM
We have multiple (15) locations each running their own Cisco router. At Head Office we have a Cisco router that has multiple networks attached to it (Clients LAN, Server LAN, Phone LAN, MGMT LAN).
We want to restrict the access to the Server LAN from the Clients LAN at head office and also want to restrict Server LAN access from all our remote locations. I have configured an inbound Extended ACL on the Clients LAN interface restricting access to the Server LAN at Head office, but now want to roll this out to the remote offices.
My question is, should I be going around to each remote router and implementing a similar inbound extended ACL on the remote LAN ports, or create an outbound extended ACL on the Head Office Server LAN interface?
What's the best practice here?
11-03-2020 10:10 AM
Hi,
Well, best practice for extended ACLs says to place them as close to the source of the traffic as possible (so at the remote offices) so as not to waste bandwidth, but this makes for a lot of overhead. If the traffic that initiates connections to the server is minor, then I would place the ACL close to the server, as this could be simpler and easier to change in the future when the server gets a new subnet or something.
11-04-2020 10:39 AM - edited 11-04-2020 10:39 AM
It depends on the router models, bandwidth and how often you expect to make changes to the ACL.
If you have limited bandwidth available I would define the ACL on the branch sites before traffic leaves for the HQ. If bandwidth is not an issue I would apply it on the Server VLAN in the outbound direction; this way you need to maintain only a single ACL, but traffic will go through the VPN tunnel before being discarded.
Either way it sounds like it would be more applicable to deploy a firewall to do the traffic filtering.
11-04-2020 11:14 PM
What others have said about the location of the ACL, being as close to the source as possible, is still the suggested way to deploy traditional ACLs.
You also have the possibility to not provide a route for the traffic sourcing from the remote sites. Either via no route, or a route to null0, the traffic would be dropped before it can leave the branch. This might not be possible if you don't control your own routing.
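The three placements the replies compare (source-side inbound ACL at a branch, destination-side outbound ACL on the HQ Server LAN, and a Null0 route at the branch), as an added IOS example that is not from any of the posters. All addresses and interface names are constructed: Server LAN 10.10.20.0/24, HQ Client LAN 10.10.10.0/24, MGMT LAN 10.10.40.0/24, branch client LANs inside 10.100.0.0/16 (branch 1 uses 10.100.1.0/24).

```cisco
! --- Option A: filter at the source (each branch router, inbound on its LAN port) ---
! Dropped packets never enter the WAN/VPN, but this ACL must be kept in sync on all 15 routers.
ip access-list extended BRANCH-TO-HQ-IN
 remark Branch clients may not reach the HQ Server LAN (constructed addresses)
 deny   ip 10.100.1.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description Branch 1 client LAN (assumed interface)
 ip access-group BRANCH-TO-HQ-IN in
!
! --- Option B: filter at the destination (HQ router, outbound on the Server LAN interface) ---
! One ACL to maintain; blocked branch traffic still crosses the tunnel before being dropped here.
! Note: an outbound ACL does not filter traffic the HQ router itself originates.
ip access-list extended SERVER-LAN-OUT
 remark Only the MGMT LAN may reach the servers; HQ clients and every branch are blocked
 permit ip 10.10.40.0 0.0.0.255 10.10.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 deny   ip 10.100.0.0 0.0.255.255 10.10.20.0 0.0.0.255 log
 remark Anything else (e.g. Phone LAN) is left unaffected
 permit ip any any
!
interface GigabitEthernet0/2
 description HQ Server LAN (assumed interface)
 ip access-group SERVER-LAN-OUT out
!
! --- Option C: no usable route at the branch (last reply) ---
! A /24 to Null0 is more specific than a summary route over the VPN, so the branch
! discards the packets locally; it only works where you control branch routing.
ip route 10.10.20.0 255.255.255.0 Null0
```

After applying either ACL, `show ip access-lists BRANCH-TO-HQ-IN` (or `SERVER-LAN-OUT`) shows per-entry hit counters, which is the quickest way to confirm the deny line is actually matching the traffic you meant to block.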