Outbound vs inbound accesslists on catalyst?

cisco
Level 1

Hi,

I want to configure access lists on my Catalyst 3750X switches to protect different VLANs/networks. Are there any best practices or suggestions about inbound versus outbound access lists? In my head it is more readable and easier to understand the config when access lists are assigned outbound on the VLAN to protect instead of assigning them inbound on all possible source VLANs. But of course, from a performance point of view it is better to use inbound access lists to avoid unnecessary routing etc.

Any tips on this?

Best regards,

Thor-Egil

Accepted Solution

Ton V Engelen
Level 3

Hi,

I'll give it a try.

For instance, suppose I want to block RDP traffic from certain subnets, only towards my server VLAN (where the server VLAN SVI = Vlan 20):

ip access-list extended BLOCK-RDP
 remark 192.0.2.0/24 is a placeholder for the client subnet(s) to block; repeat the deny per subnet
 deny tcp 192.0.2.0 0.0.0.255 any eq 3389
 permit ip any any
!
interface Vlan20
 ip access-group BLOCK-RDP out

But if I want to block, for instance, SNMP from any client subnet (let's say here SVI Vlan 30 and 40) towards any destination in my network, I would use:

ip access-list extended BLOCK-SNMP
 10 deny udp any any eq 161
 20 permit ip any any
!
interface Vlan30
 ip access-group BLOCK-SNMP in
!
interface Vlan40
 ip access-group BLOCK-SNMP in

Of course it all depends on the topology, but this is more or less how I use it.

I'm not sure if this is best practice (I think best practice was something like "as close to the source as possible"), but it serves all needs while hardly impacting performance.

The only performance impact I see is when adding an ACL or a rule in an ACL. There is a short CPU spike then, towards 30% on a 6509-E. It goes back to 10% in no time.

It will probably consume a bit more on a 3750X.

I use about 25 ACLs or so on about 25-30 SVIs.
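To make the trade-off in the answer concrete, here is an added Python model (not from the thread and not Cisco code) of how an inbound ACL on a source SVI and an outbound ACL on the destination SVI each see routed traffic. The subnets, the extra VLAN 50 and the sample packets are constructed assumptions; the point it shows is that the outbound list on the protected SVI covers every source, while the inbound design silently leaves a source VLAN uncovered until its SVI gets the list too.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "ip", "tcp" or "udp"
    src: str      # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None   # "eq <port>"; None matches any port

# A packet is (src_ip, dst_ip, proto, dst_port); sample traffic is constructed.
def rule_matches(r: Rule, pkt) -> bool:
    src, dst, proto, dport = pkt
    return ((r.proto == "ip" or r.proto == proto)
            and ip_address(src) in ip_network(r.src)
            and ip_address(dst) in ip_network(r.dst)
            and (r.dport is None or r.dport == dport))

def acl_permits(acl: List[Rule], pkt) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for r in acl:
        if rule_matches(r, pkt):
            return r.action == "permit"
    return False

# Constructed SVI table: 20 = server VLAN, 30/40 = client VLANs from the
# thread, 50 = a client VLAN added later without touching the ACL config.
VLANS = {20: "10.0.20.0/24", 30: "10.0.30.0/24", 40: "10.0.40.0/24", 50: "10.0.50.0/24"}

def vlan_of(ip: str) -> int:
    return next(v for v, net in VLANS.items() if ip_address(ip) in ip_network(net))

def forwarded(pkt, inbound: Dict[int, List[Rule]], outbound: Dict[int, List[Rule]]) -> bool:
    """Inbound ACL is checked on the ingress SVI before routing, outbound
    ACL on the egress SVI after routing; a deny at either point drops."""
    src_acl = inbound.get(vlan_of(pkt[0]))
    if src_acl is not None and not acl_permits(src_acl, pkt):
        return False
    dst_acl = outbound.get(vlan_of(pkt[1]))
    return dst_acl is None or acl_permits(dst_acl, pkt)

# The thread's BLOCK-RDP list with explicit addresses: deny RDP into the
# server VLAN, permit everything else.
BLOCK_RDP = [Rule("deny", "tcp", "0.0.0.0/0", "10.0.20.0/24", 3389),
             Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
OUTBOUND_DESIGN = ({}, {20: BLOCK_RDP})                # one list, Vlan20 out
INBOUND_DESIGN = ({30: BLOCK_RDP, 40: BLOCK_RDP}, {})  # one list per source SVI
```

Run `forwarded(pkt, *INBOUND_DESIGN)` for a packet from the VLAN 50 subnet and it is forwarded, whereas `*OUTBOUND_DESIGN` drops it; both designs behave identically for VLAN 30 and 40 sources.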

