04-14-2013 07:09 AM - edited 03-11-2019 06:27 PM
Hi,
I'm about to move devices behind the firewall. There are about 50 VLANs that I need to move behind the firewall, so there would be about 50 subinterfaces.
Creating 50 subinterfaces and an ACL for each subinterface sounds like a lot of work and a lot of management and operational overhead.
Can we create just one ACL and apply it to the physical interface? Would it then apply to all the subinterfaces?
i.e.
int po1
 nameif OUTSIDE
int po1.1
 vlan 1
 nameif OUTSIDE1
int po1.2
 vlan 2
 nameif OUTSIDE2
and let's say we create an ACL "outside_in" and apply it as follows:
access-group outside_in in interface OUTSIDE
Would this apply to all the subinterfaces, or would I have to apply it separately to each subinterface (I think I will have to apply it separately, but I just want to make sure)?
Is there another, shorter and easier way to do this? We have thousands of devices on those 50 VLANs, so it would be a nightmare for me to create the rules if we have to create 50 ACLs for those 50 subinterfaces.
04-14-2013 07:47 AM
Hi,
You don't really have many options, and those options depend on your software level.
To be honest, I have configured interface-based ACLs for such a long time that I just can't get used to using a "global" ACL. Then again, I haven't really had a situation where I needed to control traffic on that many interfaces.
Basically, on these forums I have suggested the following approach for interface-based ACLs.
At its simplest, the ACL configuration would look something like this:
object-group network BLOCKED-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
access-list VLAN10 remark Allow HTTP to DMZ server
access-list VLAN10 extended permit tcp 10.10.10.0 255.255.255.0 host 10.10.20.20 eq http
access-list VLAN10 remark Block connections to other local networks
access-list VLAN10 extended deny ip 10.10.10.0 255.255.255.0 object-group BLOCKED-NETWORKS
access-list VLAN10 remark Allow all other connections
access-list VLAN10 extended permit ip 10.10.10.0 255.255.255.0 any
access-group VLAN10 in interface vlan10
Naturally, if the global ACL is something that fits your environment better, then go for that one.
Hope this helps
- Jouni
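As an added example (not from the original thread), the Python script below generates the per-VLAN subinterface and ACL configuration described above for any number of VLANs, reusing one shared object-group, and can alternatively emit a single ACL applied with `access-group ... global` (available from ASA 8.3). Note that on the ASA an access-group bound to the physical interface's nameif does not cover its subinterfaces: each subinterface has its own nameif and needs its own access-group, which is what the per-interface branch emits. The VLAN table, the parent interface name Port-channel1, the security-level, the firewall address (first host of each subnet) and the object-group name LOCAL-NETWORKS are assumptions for illustration.

```python
"""Generate Cisco ASA config for N VLAN subinterfaces using the shared
object-group ACL pattern from the thread, or one global ACL on ASA 8.3+."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    network: IPv4Network


# Constructed sample table: three of the thread's "50 VLANs". In practice this
# would be read from IPAM or a CSV; the addressing here is an assumption.
VLANS = [
    Vlan(10, IPv4Network("10.10.10.0/24")),
    Vlan(20, IPv4Network("10.10.20.0/24")),
    Vlan(30, IPv4Network("10.10.30.0/24")),
]
DMZ_WEB_HOST = "10.10.20.20"   # the DMZ server from the thread's example
PARENT = "Port-channel1"       # assumed parent interface (the post's "po1")
GROUP = "LOCAL-NETWORKS"       # one shared object-group, referenced by every ACL


def nameif(vlan: Vlan) -> str:
    return f"VLAN{vlan.vlan_id}"


def object_group(vlans: List[Vlan]) -> List[str]:
    """One object-group listing every local network; all ACLs reference it."""
    lines = [f"object-group network {GROUP}"]
    for v in vlans:
        lines.append(f" network-object {v.network.network_address} {v.network.netmask}")
    return lines


def subinterface(vlan: Vlan) -> List[str]:
    """802.1Q subinterface; each needs its own nameif before an ACL can bind.
    Firewall address is the first host of the subnet (assumption)."""
    net = vlan.network
    return [
        f"interface {PARENT}.{vlan.vlan_id}",
        f" vlan {vlan.vlan_id}",
        f" nameif {nameif(vlan)}",
        " security-level 50",              # assumed level for all inside VLANs
        f" ip address {net.network_address + 1} {net.netmask}",
    ]


def interface_acl(vlan: Vlan) -> List[str]:
    """Per-VLAN ACL mirroring the thread's pattern, bound to that subinterface."""
    name = nameif(vlan)
    src = f"{vlan.network.network_address} {vlan.network.netmask}"
    return [
        f"access-list {name} remark Allow HTTP to DMZ server",
        f"access-list {name} extended permit tcp {src} host {DMZ_WEB_HOST} eq http",
        f"access-list {name} remark Block connections to other local networks",
        f"access-list {name} extended deny ip {src} object-group {GROUP}",
        f"access-list {name} remark Allow all other connections",
        f"access-list {name} extended permit ip {src} any",
        f"access-group {name} in interface {name}",
    ]


def global_acl() -> List[str]:
    """ASA 8.3+ alternative: one ACL applied to all interfaces' inbound traffic.
    Using the object-group as the source collapses 50 ACLs into three rules."""
    return [
        "access-list GLOBAL-IN remark Allow HTTP from any local VLAN to DMZ server",
        f"access-list GLOBAL-IN extended permit tcp object-group {GROUP} host {DMZ_WEB_HOST} eq http",
        "access-list GLOBAL-IN remark Block local VLAN to local VLAN traffic",
        f"access-list GLOBAL-IN extended deny ip object-group {GROUP} object-group {GROUP}",
        "access-list GLOBAL-IN remark Allow everything else",
        f"access-list GLOBAL-IN extended permit ip object-group {GROUP} any",
        "access-group GLOBAL-IN global",
    ]


def build_config(vlans: List[Vlan], mode: str = "interface") -> str:
    """Return the full config text for the given VLAN table and ACL mode."""
    lines = object_group(vlans)
    for v in vlans:
        lines += subinterface(v)
    if mode == "interface":
        for v in vlans:
            lines += interface_acl(v)
    elif mode == "global":
        lines += global_acl()
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_config(VLANS))
    print("!")
    print(build_config(VLANS, mode="global"))
```

Run it and paste the output into a lab ASA first; the per-interface mode produces one `access-group ... in interface` line per subinterface, which is the check that no VLAN was left without an ACL. Whichever mode you pick, keep the shared object-group as the single place the list of local networks is maintained, so adding VLAN 51 is one `network-object` line plus one generated block.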