07-02-2015 06:39 AM - edited 03-08-2019 12:48 AM
We have multiple sites that use 6504s with VSS. Those 6500s have the SVIs for all VLANs within that particular site (about 50+ VLANs per site).
I'm trying to figure out the best way to apply an infrastructure ACL across our environment. What I have works, but I want to know if there's a better way.
Of the VLANs at a site, three of the VLANs are for infrastructure items. One is for network management (all site switches), one is for lightweight wireless access points, and one is for UPS management.
I've been working on an infrastructure ACL that will only allow specific hosts and ports to those three infrastructure VLANs and the 6500 loopback. All other VLANs would be denied access to those three, but be allowed access to everything else (i.e. through the 6500s to other VLANs or to the WAN). Denies on the ACL would be logged.
My other goal is to standardize the ACL across the infrastructure, and limit the number of places it needs to be. For example, I didn't want an ACL per access layer switch due to the number of switches we have. Additionally, the UPSs we use don't support much in the way of ACLs.
The only way I've found to make this ACL work is to apply it 'in' (ip access-group test in) on every VLAN on the 6500s except the three infrastructure ones. I initially did 'ip access-group out' on just the infrastructure VLANs, but some Cisco products don't support logging when using 'ip access-group out'.
The problem I have is that the ACL is getting fairly large. Additionally, if in the future I want to restrict a VLAN's access to another resource (i.e. a PC to a server in a different VLAN), the rule would have to be in the same ACL, as my understanding (and best practice) is that you can only have one ACL per direction on an interface.
I tried looking at object based ACLs, but Cisco's support for those isn't wide enough either, so we wouldn't be able to deploy that everywhere.
Is this the best way to do this sort of thing? Is there another way I may be missing?
Here's a very short example. I didn't use IPs in the example, instead just names for devices/subnets to try to keep it clear.
ip access-list extended infrastructure_block
 permit tcp host $tacacs_server eq 49 $net_mgmt_subnet
 permit udp host $net_mgmt_server $net_mgmt_subnet eq 161
 permit tcp host $net_mgmt_server $net_mgmt_subnet eq 22
 permit tcp host $tacacs_server eq 49 $access_point_subnet
 permit udp host $net_mgmt_server $access_point_subnet eq 161
 permit tcp host $net_mgmt_server $access_point_subnet eq 22
 permit tcp host $tacacs_server eq 49 $UPS_subnet
 permit udp host $net_mgmt_server $UPS_subnet eq 161
 permit tcp host $net_mgmt_server $UPS_subnet eq 22
 remark deny all other traffic to those subnets and log
 deny ip any $net_mgmt_subnet log
 deny ip any $access_point_subnet log
 deny ip any $UPS_subnet log
 remark permit all other traffic
 permit ip any any
interface Vlan10
 description User subnet
 ip access-group infrastructure_block in
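To make the rule set above concrete, here is an added example (editor's code, not part of the original post) that models a Cisco IOS extended ACL in Python: it builds the infrastructure_block ACL for one site from a short allow-list template, renders it in IOS syntax with wildcard masks, and evaluates sample flows against it with first-match semantics and the implicit deny at the end. All addresses (the TACACS+ server, the management server, the three infrastructure subnets, the user and server VLANs) are constructed placeholders, as are the names SITE_A and ALLOWED; the template approach is one way to keep the ACL identical across sites with only the subnet values changing.

```python
"""Model of a Cisco IOS extended ACL: render it from a per-site template and
evaluate sample flows against it with first-match semantics.
Editor's added example; every address below is a constructed placeholder."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network
ANY = IPv4Net("0.0.0.0/0")


def host(addr: str) -> IPv4Net:
    """A single host, rendered as 'host A.B.C.D' in IOS syntax."""
    return IPv4Net(addr + "/32")


@dataclass(frozen=True)
class Ace:
    """One access-control entry (one line of an extended ACL)."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: IPv4Net
    sport: Optional[int]   # source port ('eq N'); None = any
    dst: IPv4Net
    dport: Optional[int]   # destination port ('eq N'); None = any
    log: bool = False

    def matches(self, proto, src, sport, dst, dport) -> bool:
        # 'ip' entries match any transport; tcp/udp entries only their own
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.sport is not None and self.sport != sport:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return src in self.src and dst in self.dst

    def text(self) -> str:
        def net(n: IPv4Net) -> str:
            if n == ANY:
                return "any"
            if n.prefixlen == 32:
                return f"host {n.network_address}"
            return f"{n.network_address} {n.hostmask}"  # IOS wildcard mask
        parts = [self.action, self.proto, net(self.src)]
        if self.sport is not None:
            parts.append(f"eq {self.sport}")
        parts.append(net(self.dst))
        if self.dport is not None:
            parts.append(f"eq {self.dport}")
        if self.log:
            parts.append("log")
        return " ".join(parts)


def build_infrastructure_block(infra_subnets, allowed):
    """Same shape as the post's ACL: for every infrastructure subnet permit
    the listed (proto, source host, sport, dport) flows, then deny-and-log
    everything else to those subnets, then permit all remaining traffic."""
    aces = []
    for subnet in infra_subnets:
        for proto, src, sport, dport in allowed:
            aces.append(Ace("permit", proto, src, sport, subnet, dport))
    for subnet in infra_subnets:
        aces.append(Ace("deny", "ip", ANY, None, subnet, None, log=True))
    aces.append(Ace("permit", "ip", ANY, None, ANY, None))
    return aces


def render(name, aces):
    """IOS configuration text for the ACL (without the access-group line)."""
    return "\n".join([f"ip access-list extended {name}"]
                     + [f" {a.text()}" for a in aces])


def evaluate(aces, proto, src, sport, dst, dport):
    """First matching entry wins; no match ends in the implicit, unlogged
    deny that every IOS ACL carries. Returns (action, logged)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.matches(proto, s, sport, d, dport):
            return ace.action, ace.log
    return "deny", False


# Constructed site values (placeholders, not addresses from the thread)
TACACS = host("10.0.100.49")
NET_MGMT_SERVER = host("10.0.100.10")
SITE_A = {"net_mgmt": IPv4Net("10.1.1.0/24"),
          "access_point": IPv4Net("10.1.2.0/24"),
          "ups": IPv4Net("10.1.3.0/24")}
ALLOWED = [("tcp", TACACS, 49, None),            # TACACS+ replies from the server
           ("udp", NET_MGMT_SERVER, None, 161),  # SNMP polling
           ("tcp", NET_MGMT_SERVER, None, 22)]   # SSH from the management host
SITE_A_ACL = build_infrastructure_block(list(SITE_A.values()), ALLOWED)

if __name__ == "__main__":
    print(render("infrastructure_block", SITE_A_ACL))
    for flow in [("tcp", "10.0.100.10", 40000, "10.1.1.5", 22),   # mgmt SSH
                 ("tcp", "10.1.10.7", 40000, "10.1.1.5", 22),     # user SSH
                 ("tcp", "10.1.10.7", 40000, "10.1.20.9", 443)]:  # user->server
        print(flow, "->", evaluate(SITE_A_ACL, *flow))
```

Running it prints the 13-line ACL and shows the management host's SSH to the network-management subnet permitted, a user-VLAN host's SSH to the same subnet denied and logged, and the user's HTTPS to a server VLAN falling through to the final permit. Because the model is stateless, like an IOS ACL, the TACACS+ entries have to match reply packets by source port 49, which is why that line carries its `eq` on the source rather than the destination.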
07-02-2015 07:03 AM
The only alternative is to split up the ACL logic, i.e. you are not logging access to the restricted subnets, so what you could do is:
1) use an outbound ACL on those subnets only allowing the access you want
2) then for all other VLANs just have your last four lines inbound on each SVI purely so you can log.
In terms of logging outbound ACL entries, you say all you have is 6500s and you are applying the ACLs on those.
Are you saying you have some 6500s that don't support logging with outbound ACLs?
Jon
07-02-2015 07:16 AM
Thanks for the input! At least breaking it up like that would enable a different ACL for future needs... just add the items above the deny/log ACL for that PC/server example. That's an interesting idea!
The other devices are non-6500s. I'm trying to make ACLs as 'standard' as possible so they are easy for our group to maintain/modify. When we applied it to NX-OS-related gear in our datacenter we ran into that out/no-log issue.
We also have some smaller sites using 29xx routers. That's where I was looking at object-based ACLs.