Placement of ACL

We have multiple (15) locations, each running its own Cisco router. At Head Office we have a Cisco router that has multiple networks attached to it (Clients LAN, Server LAN, Phone LAN, MGMT LAN).

We want to restrict access to the Server LAN from the Clients LAN at Head Office and also want to restrict Server LAN access from all our remote locations. I have configured an inbound extended ACL on the Clients LAN interface restricting access to the Server LAN at Head Office, but now want to roll this out to the remote offices.

My question is, should I be going around to each remote router and implementing a similar inbound extended ACL on the remote LAN ports, or create an outbound extended ACL on the Head Office Server LAN interface?

What's the best practice here?

1 ACCEPTED SOLUTION

Hi,

Well, best practice for extended ACLs says to place them as close to the source of the traffic as possible (so at the remote offices) so as not to waste bandwidth, but this creates a lot of overhead. If the traffic that initiates connections to the server is minor, then I would place the ACL close to the server, as this could be simpler and easier to change in the future when the server gets a new subnet or something.

3 REPLIES

It depends on the router models, bandwidth and how often you expect to make changes to the ACL.

If you have limited bandwidth available, I would define the ACL on the branch sites before traffic leaves for the HQ. If bandwidth is not an issue, I would apply it on the Server VLAN in the outbound direction; this way you need to maintain only a single ACL, but traffic will go through the VPN tunnel before being discarded.

Either way it sounds like it would be more applicable to deploy a firewall to do the traffic filtering.

Best Regards
Nicolai Borchorst

What others have said about the location of the ACL, being as close to the source as possible, is still the suggested way to deploy traditional ACLs. 

You also have the possibility to not provide a route for the traffic sourcing from the remote sites. Either via no route, or a route to null0, the traffic would be dropped before it can leave the branch. This might not be possible if you don't control your own routing. 
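The two placements the thread debates (filter at each source LAN versus one outbound ACL on the HQ Server LAN), plus the null-route alternative from the last reply, written out as Cisco IOS configuration. This is an added illustration, not configuration posted by anyone in the thread; the interface names and every subnet are constructed placeholders.

```cisco
! Constructed placeholder addressing (not from the thread):
!   HQ Clients LAN  10.1.10.0/24 on GigabitEthernet0/0
!   HQ Server LAN   10.1.20.0/24 on GigabitEthernet0/1
!   Branch LANs     10.2.0.0/16 summary, one /24 per site (e.g. 10.2.5.0/24)
!
! --- Option A: filter at the source, inbound on each LAN interface ---
! HQ router: what the original poster already has on the Clients LAN.
ip access-list extended CLIENTS-TO-SERVERS
 remark Block HQ clients from the Server LAN; log hits for visibility
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/0
 description HQ Clients LAN
 ip access-group CLIENTS-TO-SERVERS in
!
! Branch router (repeated at each of the 15 sites, site subnet adjusted).
ip access-list extended BRANCH-TO-SERVERS
 remark Dropped here, so the denied traffic never crosses the WAN
 deny   ip 10.2.5.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/0
 description Branch LAN
 ip access-group BRANCH-TO-SERVERS in
!
! --- Option B: one ACL at the destination, outbound on the HQ Server LAN ---
! Single place to maintain, but branch traffic crosses the tunnel before it is dropped.
! An outbound ACL does not filter packets the HQ router itself generates.
ip access-list extended TO-SERVER-LAN
 remark HQ clients
 deny   ip 10.1.10.0 0.0.0.255 any log
 remark All 15 branches covered by one summary entry
 deny   ip 10.2.0.0 0.0.255.255 any log
 remark Everything else (e.g. MGMT LAN) still reaches the servers
 permit ip any any
!
interface GigabitEthernet0/1
 description HQ Server LAN
 ip access-group TO-SERVER-LAN out
!
! --- Option C: no route from the branch to the Server LAN (the null-route suggestion) ---
! On the branch router a /24 to Null0 is more specific than the default route toward HQ,
! so packets for the Server LAN are discarded locally. Needs control of branch routing.
ip route 10.1.20.0 255.255.255.0 Null0
```

The `log` keyword on the deny entries produces syslog messages for blocked attempts, which is how you would notice a client or branch trying to reach the servers whichever placement you choose.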
