Hi,
We have a couple of Cisco ASR 9Ks as our border routers with multiple 10G connections to our ISPs. We maintain full BGP routes to our ISPs. We periodically discover bad actors (phishing sites impersonating our login pages, SSH dictionary attacks, etc.). We add those IP addresses or net-blocks to a group object that we use to deny traffic to/from for all external connections. The IP addresses are added on an as-needed basis. We currently block about 150 hosts & net-blocks. Recently, we've started noticing a large number of probes (SSH dictionary attacks, etc.). I suspect these have simply become more visible as our overall traffic levels have dropped due to COVID and are not new.
We're thinking of greatly increasing our drop list (a couple/several thousand ACEs) using any number of freely published "bad actor" IP lists. Checking our lists against those free lists shows high correlation rates. I believe the ACL drops happen in hardware but am not sure what a reasonable number is. I cannot find any documentation on best practices for the number of ACLs or similar. I do worry that because we have low traffic, it will mask any issues, and when we resume work and traffic levels climb, we'll start to experience issues until we remember the large number of blocks...
Does anyone have some advice/experience on what's reasonable?
Thanks,
Paul
University of Illinois at Chicago
Academic Computing and Communications Center
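One thing worth doing before loading a few thousand entries from a published feed into a hardware ACL is to normalise and collapse the list first: published feeds routinely contain duplicates, host entries already covered by a net-block you hold, and adjacent prefixes that merge into a single supernet, so the ACE count on the router can be noticeably smaller than the raw line count. The Python below is an added example, not the poster's code or anything from the thread. It parses a constructed block list and a constructed feed, reports how many feed entries are already covered by the existing list (the "correlation" check mentioned above), collapses the union into the minimal set of prefixes, and renders them as lines for an IOS XR `object-group network ipv4`; the `host A.B.C.D` / `A.B.C.D/len` entry syntax is assumed and should be checked against the platform's documentation before use.

```python
"""Normalise, deduplicate and collapse IP block lists before loading them
into a router ACL.  Added example; input lists are constructed inline and
would normally be read from files or fetched from the feed."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample: the manually maintained block list already on the router.
EXISTING_BLOCKS = """
203.0.113.7
203.0.113.0/24
198.51.100.20
"""

# Constructed sample: a published feed with comments, a duplicate of an
# existing entry, four adjacent hosts, two adjacent /25s and a junk line.
FEED = """
# sample feed (constructed)
203.0.113.7          # already inside 203.0.113.0/24 above
198.51.100.20
198.51.100.21
198.51.100.22
198.51.100.23
192.0.2.0/25
192.0.2.128/25       # adjacent to the /25 above, merges into a /24
not-an-address
"""


def parse_networks(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one host or CIDR per line, ignoring blanks, comments and junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # skip malformed entries rather than abort the whole load
        if isinstance(net, ipaddress.IPv4Network):
            nets.append(net)
    return nets


def collapse(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Drop prefixes covered by others and merge adjacent ones into supernets."""
    return list(ipaddress.collapse_addresses(nets))


def covered_by_existing(existing_text: str, feed_text: str) -> Tuple[int, int]:
    """Return (feed entries already covered by the existing list, total feed entries)."""
    existing = collapse(parse_networks(existing_text))
    feed = parse_networks(feed_text)
    covered = sum(1 for f in feed if any(f.subnet_of(e) for e in existing))
    return covered, len(feed)


def merged_block_list(existing_text: str, feed_text: str) -> List[ipaddress.IPv4Network]:
    """Union of both lists, collapsed to the minimal prefix set."""
    return collapse(parse_networks(existing_text) + parse_networks(feed_text))


def render_object_group(name: str, nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Render an IOS XR style network object-group (assumed syntax, verify on the platform)."""
    lines = [f"object-group network ipv4 {name}"]
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f" host {net.network_address}")
        else:
            lines.append(f" {net.with_prefixlen}")
    return lines


if __name__ == "__main__":
    hit, total = covered_by_existing(EXISTING_BLOCKS, FEED)
    print(f"{hit}/{total} feed entries already covered by the existing list")
    merged = merged_block_list(EXISTING_BLOCKS, FEED)
    raw_count = len(parse_networks(EXISTING_BLOCKS)) + len(parse_networks(FEED))
    print(f"{raw_count} raw entries collapse to {len(merged)} ACEs")
    print("\n".join(render_object_group("BAD_ACTORS", merged)))
```

With the constructed inputs the ten raw entries collapse to three prefixes, and two of the seven feed entries are already covered by the existing list. Keeping the collapse step in whatever script loads the feed also means the ACE count stays predictable as the feed grows, which is the number you actually want to compare against the platform's TCAM capacity.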