Help review Cisco ACL

asked by sunhux

We have about 30 small branch offices (ie the spoke) that are connected back to the data centre (ie the hub),
each via leased line.

There are 2 services that we would like to restrict to each of the branches (ie don't want the Tcp port accessible
elsewhere in the corporate & not accessible between the branches) & the services listens on Tcp 8000 & 8222.

Q1:
If I want to apply ACLs on each branch's WAN router to block the 2 TCP ports from being reachable, should the
ACL be applied on the WAN router's LAN interface (ie facing the branch's LAN) or the router's serial interface
(facing the leased line towards the datacentre)?

Q2:
Can you correct/review my suggested extended ACL below? Assume a.b.c.d is the IP address of the branch's
1st server listening on TCP 8000 & e.f.g.h is the IP of the 2nd server listening on TCP 8222.

Assuming it's applied on the LAN/ethernet interface of the router, I think (but do correct me), it looks like:
interface Ethernet0
ip access-group 102  in   [or should it be  'out' ?]
access-list 102 deny tcp any any eq 8000 log
access-list 102 deny tcp any any eq 8222 log
access-list 102 permit ip any any

What if it's applied on the serial interface; what does the ACL look like then?
ASKER CERTIFIED SOLUTION
Predrag Jovic
This solution is only available to members.

sunhux (ASKER):

Thanks Justin.

Which is a better practice, apply an ACL on the serial interface or the Ethernet interface?
sunhux (ASKER):

Last question:
Does TACACS+ enable us to centrally push these ACLs to the 30 x 2 routers (each branch has
2 routers on HSRP, with one router as primary for one HSRP group & the other router as
primary for another HSRP group), or do we have to log in to the 60 routers one by one to paste
them in?
SOLUTION
This solution is only available to members.

Justin's comment is spot on.

One of the things that I've always taught is that the sooner you can discard traffic, the better. By checking inbound, the traffic is discarded before the routing table lookup (and a few other checks).

Back in the day, this was a significant point because fast switching was just coming out (yeah, I'm that old). Nowadays, it may not be as significant, but it doesn't hurt.
SOLUTION
This solution is only available to members.

sunhux (ASKER):

https://supportforums.cisco.com/t5/security-management/need-acl-manager-access-control-list-manager-is-eol/td-p/2625070
The link above seems to say CSM is not meant to manage ACLs, or did I read it wrongly?

The routers are 29xx (mostly 2911K9).

Anyone care to share Perl/Python scripts that could "push down or update"
ACLs into the multiple routers? Or does Cisco Prime do this?

Btw, what's the advantage of placing the ACL at the serial vs at the Ethernet interface?
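Since no script was posted in the thread, here is an added example (not from the thread or from Cisco) that renders the branch ACL for either placement discussed above and pushes the same command set to a list of routers over SSH with netmiko. The server addresses a.b.c.d / e.f.g.h come from the question; the interface names, router list and credentials are placeholders, and netmiko is assumed to be installed only for the push step.

```python
"""Render the branch ACL once, then push it to every branch router."""
from typing import Dict, List

ACL_NUMBER = 102
# Branch server -> restricted TCP port (placeholders taken from the question).
RESTRICTED = {"a.b.c.d": 8000, "e.f.g.h": 8222}


def render_acl(placement: str = "serial") -> List[str]:
    """Return the IOS commands for the ACL and its interface binding.

    placement="serial":   inbound on the WAN interface, so SYNs arriving from
                          the hub or other branches are dropped before the
                          routing lookup.
    placement="ethernet": outbound on the LAN interface; same traffic is
                          blocked, but only after it has been routed.
    The deny lines match the destination host and port, so only traffic
    towards the two servers is affected; everything else is permitted.
    """
    if placement == "serial":
        iface, direction = "Serial0/0/0", "in"      # interface name is a placeholder
    elif placement == "ethernet":
        iface, direction = "Ethernet0", "out"
    else:
        raise ValueError(f"unknown placement: {placement}")

    # Numbered ACLs cannot be edited in place, so the list is rebuilt.
    # Caveat: while the ACL is empty, IOS permits all traffic through the
    # access-group, so push the block as one config session, not line by line.
    lines = [f"no access-list {ACL_NUMBER}"]
    for host, port in RESTRICTED.items():
        lines.append(f"access-list {ACL_NUMBER} deny tcp any host {host} eq {port} log")
    lines.append(f"access-list {ACL_NUMBER} permit ip any any")
    lines += [f"interface {iface}", f"ip access-group {ACL_NUMBER} {direction}"]
    return lines


def push_to_routers(routers: List[str], commands: List[str],
                    username: str, password: str) -> Dict[str, str]:
    """Apply the same commands to each router via SSH; returns per-router CLI output."""
    from netmiko import ConnectHandler  # imported here so render_acl() works without netmiko
    results: Dict[str, str] = {}
    for host in routers:
        conn = ConnectHandler(device_type="cisco_ios", host=host,
                              username=username, password=password)
        try:
            results[host] = conn.send_config_set(commands)
            conn.save_config()          # write memory so the ACL survives a reload
        finally:
            conn.disconnect()
    return results
```

Run `push_to_routers(["10.0.1.1", "10.0.1.2"], render_acl("serial"), "admin", "secret")` against a lab router first and compare `show access-lists 102` before and after.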
SOLUTION
This solution is only available to members.

sunhux (ASKER):

>traffic you are wanting to block is originating from within your network
So my LAN (ie the adjacent interface) is where the DB services are running on desktops,
ie where the ports are listening, while the clients that I want to block are coming in
via the WAN/serial, so is the originating traffic from the LAN or the WAN?
In this case, I wanted to block traffic coming from the WAN to the LAN; should the ACL
be on Ethernet0?
SOLUTION
This solution is only available to members.

sunhux (ASKER):

In the numerous branch offices, a couple of the PCs are listening on a certain DB2 service,
so the device(s) issuing the TCP SYN are outside of the branches.
SOLUTION
This solution is only available to members.