Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1280
Views
0
Helpful
3
Replies

Thoughts on ACL location?

JakeWalker90166
Level 1
Level 1

‎08-17-2021 08:48 AM

Hello all,

 

My workplace is wanting to get into further segmentation of resources via ACLs. For example, we would like to segment user labs in a way that allows them to specifically not be able to interact with our servers in any way, shape, or form. However, I am curious about people's thoughts on the location of the ACLs being placed.

 

Our architecture generally consists of a multi-layer switch which is used as our network core and multiple IDFs spread across a physical location. Our servers are generally located in the same physical location/room as the core switch. Would it make more sense for us to put the ACLs in place at the switch closest to user labs, or would it make more sense for the ACLs to be placed on the multi-layer core?

 

Thanks for any advice in advance!

Labels:
0 Helpful
3 Replies 3

Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-17-2021 10:53 AM

Hi @JakeWalker90166,

For the traffic you want to filter/drop, it makes most sense to keep the ACL closest to the source - it makes no point for the packet to traverse entire network just to be dropped. In this case, I would place ACL on the SVI of the Lab segment. This way you are sure at very first hop what traffic can leave Lab environment.

BR,

Milos

0 Helpful

Dustin Anderson
VIP
VIP

‎08-17-2021 11:04 AM

using ISE, we send down dACLs to the access switchport to control access. This allows us to have a default basic ACL on all switchports and open/restrict on access. This also has the advantage of 1 place to make a change to them vs having to change on every access switch.

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎08-21-2021 09:47 PM

Please check out Segmentation Strategy - An ISE Prescriptive Guide 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents