06-06-2016 11:45 AM - edited 02-20-2020 09:44 PM
Dear All,
Kindly tell me how I can use ACLs for network filtering on all uplink and switch ports; below is the observation and recommendation from the security officer.
Observation: During our review we noted that 62 network interfaces on CSW01 had no network filtering rules assigned.
Recommendation: It is recommended that filtering be configured on all network interfaces to help prevent unauthorized access to network services and hosts. (I don't understand which traffic I have to block and allow. Usually, which traffic do you block in your network? What are the best practices?)
06-06-2016 04:01 PM
Hi
It seems that you have been asked to do ACLs for 62 SVIs. Is it on a switch?
In order to have a legible and simple configuration, you can use object groups and then re-use them in all ACLs.
What are the best practices? It really depends on what the users behind each network need to access.
For sure, you will have to permit DNS and DHCP, and maybe some ICMP for your troubleshooting, but it really depends on what you want to filter. You may ask your security officer what he expects to be blocked and allowed on the network.
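The object-group approach described in the reply above, written out as an added Cisco IOS configuration example (not taken from the thread or from the original poster's switch). The addresses, VLAN numbers and server roles are assumptions made up for illustration; the pattern is a per-VLAN inbound ACL on the SVI that permits DNS and DHCP to a shared infrastructure group, allows ICMP echo for troubleshooting, and logs denied inter-VLAN traffic so the real access matrix can be derived from hits before the policy is tightened.

```text
! Added example, not from the thread. Assumed addressing:
!   users VLAN 10   = 10.10.10.0/24 (SVI 10.10.10.1)
!   infra servers   = 10.10.20.10 / 10.10.20.11 (DNS and DHCP, assumed)
!
! One object group per role; every SVI ACL can re-use it, so a server
! address change is a single edit instead of 62.
object-group network SRV-INFRA
 host 10.10.20.10
 host 10.10.20.11
!
object-group service SVC-INFRA
 tcp eq domain
 udp eq domain
 udp eq bootps
!
ip access-list extended ACL-VLAN10-IN
 remark DNS and DHCP to the infrastructure servers only
 permit object-group SVC-INFRA 10.10.10.0 0.0.0.255 object-group SRV-INFRA
 remark DHCP discover/request is sent from 0.0.0.0 to broadcast before a lease
 permit udp any eq bootpc any eq bootps
 remark ICMP echo for troubleshooting; echo-reply is return traffic and is not
 remark filtered by an inbound ACL on this SVI
 permit icmp 10.10.10.0 0.0.0.255 any echo
 remark block users from reaching other user VLANs; log hits so the
 remark access matrix can be built from real traffic before tightening further
 deny ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255 log
 remark everything else (proxy, Internet via proxy, etc.) is still allowed for now
 permit ip 10.10.10.0 0.0.0.255 any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group ACL-VLAN10-IN in
```

The `in` direction on an SVI matches traffic arriving from the hosts in that VLAN, so replies from the servers are never evaluated by this list; a separate ACL on the server VLAN SVI is where server-side restrictions belong. Verify hits with `show ip access-lists ACL-VLAN10-IN` and the logged denies before replacing the final `permit ip ... any` with an explicit deny.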
06-07-2016 01:30 AM
Actually, he mentioned physical ports and trunk ports; all ports are connected to client PCs and servers. We have proxy, DC and Exchange servers. Sure, I will ask him; I also want to know from security engineers what they block in their networks, for better understanding.
06-07-2016 04:23 AM
On my side, I'm deploying dot1x on nearly all networks and authorizing only DNS, DHCP and the RADIUS server. The policy is then pushed by RADIUS depending on user authentication. After authentication, I deploy SGT (Cisco TrustSec) or do ACLs, depending on the customer's security requirements (which user should access which services).
For the smallest networks, where there is no RADIUS server, I'm doing MAC security on physical ports, with ACLs as explained before.
The goal is to build a matrix of what should be accessed by users, write the ACLs and apply them to the SVIs.
For trunks between switches (if supported), you can use MACsec to encrypt traffic.
Thanks
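The port-level design from the reply above (dot1x with a restrictive pre-authentication ACL and a RADIUS-pushed policy, plus port security where no RADIUS server exists), as an added Cisco IOS example that is not from the thread or from the poster's deployment. The RADIUS server address, VLANs, interface names and shared-secret placeholder are assumptions; the dynamic ACL shown in the comment is the format a RADIUS server would return, not something configured on the switch.

```text
! Added example, not from the thread. Assumed: RADIUS server 10.10.20.20,
! users VLAN 10, access ports Gi1/0/1 (dot1x) and Gi1/0/2 (no RADIUS site).
!
! --- AAA and RADIUS (shared secret is a placeholder, not a real value) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server RADIUS-1
 address ipv4 10.10.20.20 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
dot1x system-auth-control
!
! --- Pre-authentication ACL: before a user is authenticated the host only
!     gets what it needs to get an address and resolve names. Everything
!     else is dropped until RADIUS returns a policy.
ip access-list extended ACL-PREAUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 deny ip any any
!
! --- dot1x access port (low-impact mode: ACL-PREAUTH applies until the
!     RADIUS Access-Accept replaces it with a downloadable ACL).
!     A RADIUS attribute of the form
!       cisco-av-pair = "ip:inacl#1=permit tcp any host 10.10.20.30 eq 443"
!     is what would be pushed per user/group; it lives on the RADIUS server.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 dot1x pae authenticator
 mab
 ip access-group ACL-PREAUTH in
 spanning-tree portfast
!
! --- Small site without RADIUS: MAC-based port security instead of dot1x,
!     combined with the SVI ACLs from the earlier reply.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
```

`authentication open` is what makes this a monitor-friendly rollout: hosts that fail or never attempt 802.1X stay on the pre-auth ACL instead of being shut out, so the policy can be checked with `show authentication sessions interface Gi1/0/1` and `show ip access-lists` before switching to closed mode. With `violation restrict` on the port-security port, an unexpected MAC is dropped and counted (visible in `show port-security interface Gi1/0/2`) rather than err-disabling the port.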