6500 infrastructure ACL on SVI

Erik
Level 1

We have multiple sites that use 6504s with VSS.  Those 6500s have the SVIs for all VLANs within that particular site (about 50+ VLANs per site).

I'm trying to figure out the best way to apply an infrastructure ACL across our environment.  What I have works, but I want to know if there's a better way.

 

Of the VLANs at a site, three of the VLANs are for infrastructure items.  One is for network management (all site switches), one is for lightweight wireless access points, and one is for UPS management.

I've been working on an infrastructure ACL that will only allow specific hosts and ports to those three infrastructure VLANs and the 6500 loopback.  All other VLANs would be denied access to those three, but be allowed access to everything else (i.e. through the 6500s to other VLANs or to the WAN).  Denies on the ACL would be logged.

My other goal is to standardize the ACL across the infrastructure, and limit the number of places it needs to be.  For example, I didn't want an ACL per access layer switch due to the number of switches we have.  Additionally, the UPSs we use don't support much in the way of ACLs.

 

The only way I've found to make this ACL work is to apply it 'in' (ip access-group test in) on every VLAN on the 6500s except the three infrastructure ones.  I initially did 'ip access-group out' on just the infrastructure VLANs, but some Cisco products don't support logging when using 'ip access-group out'.

The problem I have is that the ACL is getting fairly large.  Additionally, if in the future I want to restrict a VLAN's access to another resource (i.e. a PC to a server in a different VLAN), the rule would have to be in the same ACL, as my understanding (and best practice) is you can only have one ACL in a direction on an interface.

I tried looking at object based ACLs, but Cisco's support for those isn't wide enough either, so we wouldn't be able to deploy that everywhere.

 

Is this the best way to do this sort of thing?  Is there another way I may be missing?

 

Here's a very short example.  I didn't use IPs in the example, instead just names for devices/subnets to try to keep it clear.

 

ip access-list extended infrastructure_block
 permit tcp host $tacacs_server eq 49 $net_mgmt_subnet
 permit udp host $net_mgmt_server $net_mgmt_subnet eq 161
 permit tcp host $net_mgmt_server $net_mgmt_subnet eq 22
 permit tcp host $tacacs_server eq 49 $access_point_subnet
 permit udp host $net_mgmt_server $access_point_subnet eq 161
 permit tcp host $net_mgmt_server $access_point_subnet eq 22
 permit tcp host $tacacs_server eq 49 $UPS_subnet
 permit udp host $net_mgmt_server $UPS_subnet eq 161
 permit tcp host $net_mgmt_server $UPS_subnet eq 22
 remark deny all other traffic to those subnets and log
 deny ip any $net_mgmt_subnet log
 deny ip any $access_point_subnet log
 deny ip any $UPS_subnet log
 remark permit all other traffic
 permit ip any any

interface Vlan10
 description User subnet
 ip access-group infrastructure_block in
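As an added example (not code from the thread), here is a small Python model of the ACL posted above: it expands the post's `$placeholders` for one site, parses each entry with IOS-style wildcard masks, and evaluates sample flows with first-match semantics plus the implicit deny. The addresses are constructed sample values, and the access-point subnet is left out only to keep the block short.

```python
"""Added example, not from the thread: a first-match model of the posted ACL so its
permit/deny/log decisions can be checked offline before it is pushed to 50+ SVIs.
Entries are the post's, in its $placeholder form; site addresses are constructed."""
from ipaddress import ip_address, ip_network
from string import Template
ACL_TEXT = """\
permit tcp host $tacacs_server eq 49 $net_mgmt_subnet
permit udp host $net_mgmt_server $net_mgmt_subnet eq 161
permit tcp host $net_mgmt_server $net_mgmt_subnet eq 22
permit tcp host $tacacs_server eq 49 $UPS_subnet
permit udp host $net_mgmt_server $UPS_subnet eq 161
permit tcp host $net_mgmt_server $UPS_subnet eq 22
deny ip any $net_mgmt_subnet log
deny ip any $UPS_subnet log
permit ip any any
"""
# Constructed sample addressing for one site (IOS wildcard masks, not prefix lengths).
SITE = {"tacacs_server": "10.1.1.49", "net_mgmt_server": "10.1.1.50",
        "net_mgmt_subnet": "10.10.0.0 0.0.0.255", "UPS_subnet": "10.30.0.0 0.0.0.255"}

def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD' (ipaddress accepts a hostmask after '/')."""
    if toks[0] == "any":
        return ip_network("0.0.0.0/0"), toks[1:]
    spec = toks[1] + "/32" if toks[0] == "host" else f"{toks[0]}/{toks[1]}"
    return ip_network(spec), toks[2:]

def _port(toks):
    """Consume an optional 'eq N'; None means any port."""
    return (int(toks[1]), toks[2:]) if toks[:1] == ["eq"] else (None, toks)

def parse(line):
    """'permit|deny PROTO SRC [eq N] DST [eq N] [log]' -> matching fields."""
    toks = line.split()
    src, rest = _addr(toks[2:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return toks[0], toks[1], src, sport, dst, dport, "log" in rest

def build(template=ACL_TEXT, site=SITE):
    """Expand the $placeholders for one site and parse every non-remark entry."""
    return [parse(l) for l in Template(template).substitute(site).splitlines()
            if l and not l.startswith("remark")]

def evaluate(acl, proto, src, sport, dst, dport):
    """First match wins; IOS ends every ACL with an implicit, unlogged deny."""
    for action, aproto, asrc, asport, adst, adport, log in acl:
        if (aproto in ("ip", proto) and ip_address(src) in asrc and ip_address(dst) in adst
                and asport in (None, sport) and adport in (None, dport)):
            return action, log
    return "deny", False
```

Note that `eq 49` in the TACACS entries is a source-port match, so the model (like the real ACL) only permits replies that actually come from port 49.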

2 Replies

Jon Marshall
Hall of Fame

The only alternative is to split up the acl logic, i.e. you are not logging access to the restricted subnets, so what you could do is:

1) use an outbound acl on those subnets only allowing the access you want

2) then for all other vlans just have your last four lines inbound on each SVI purely so you can log.

In terms of logging outbound acl entries, you say all you have are 6500s and are applying the acls on those.

Are you saying you have some 6500s that don't support logging with outbound acls?

Jon

Thanks for the input!  At least breaking it up like that would enable a different ACL for future needs... just add the items above the deny/log ACL for that PC/server example.  That's an interesting idea!

The other devices are non-6500s.  I'm trying to make ACLs as 'standard' as possible so they are easy for our group to maintain/modify.  When we applied it to NX-OS-related stuff in our datacenter we ran into that out/no log stuff.

We also have some smaller sites using 29xx routers.  That's where I was looking at object based ACLs.

 

 
