Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1452
Views
0
Helpful
3
Replies

ACL consolidation

Greg Wrobel
Level 1
Level 1

‎12-30-2013 08:27 AM - edited ‎02-21-2020 05:04 AM

Hi,

I'm trying to figure out the best way to consolidate the long ACL I created, so that my 3560G won't have to spend alot of time processing it. It's purpose is to limit the access for certain users after they use VPN to connect to work. The picture below shows entiries in the ACL, I used Network Assistent to do this.The ACL is attached to the inbound interface (C3560G) for the outbound connection from VPN server, I hope that makes sense.

Thanks!

Capture.JPG

0 Helpful
3 Replies 3

Karsten Iwen
VIP
VIP

‎12-30-2013 10:21 AM

Unless you run out of TCAM-ressources, the switch will not process the optimized ACL faster then it is now.

But why don't you configure the access-control directly on your VPN-Gateway? That makes much more sense.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Greg Wrobel
Level 1
Level 1
In response to Karsten Iwen

‎12-30-2013 07:01 PM

Well, I use RRAS on windows 2008r2 for VPN and I don't see option there for this kind of access control.

0 Helpful

Karsten Iwen
VIP
VIP
In response to Greg Wrobel

‎12-31-2013 01:11 AM

Ok, if your RRAS doesn't suppport access-control, then you have to use your switch for that. As I said, you won't get any performance improvements in optimization. My advice would be to group your ACL in a way that is as much readable as possible. With that it's not that likely to make configuration-mistakes as it is the case with optimized ACLs on routers where an often heard advice is, that the entries that match often have to be moved to the top.

An optimization that is possible and quite useful is match your users to ip subnets on the RRAS based on function. If for example all restricted users get an IP in the 192.168.8.128/28 range (which is 192.168.8.128 to 192.168.8.143) then you only need one line each for your permits and denys on the switch. And you don't have to touch the switch when a new user is assigned the restricted role. In the same way you configure a range for unrestricted users.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card