Remote Site security !

illusion_rox
Level 1

Hi all. I have almost 100+ remote sites and management has decided to use security at the remote branch end to only allow a few specific IPs to access resources to/from that site. For example, consider Site1 with LAN subnet 10.1.56.0/24. Now the actual access-list entries are different, but just to explain my point I am listing 3 of them here:

ip access-list extended Outbound
 permit ip host 10.1.56.26 host 10.1.1.4
 permit ip host 10.1.56.8 host 10.1.2.26
 permit ip 10.1.56.0 0.0.0.255 host 10.1.1.8

and also its exact replica

ip access-list extended Inbound
 permit ip host 10.1.1.4 host 10.1.56.26
 permit ip host 10.1.2.26 host 10.1.56.8
 permit ip host 10.1.1.8 10.1.56.0 0.0.0.255

Now communication can be initiated from either side, i.e. either

10.1.1.4 -> 10.1.56.26
OR
10.1.56.26 -> 10.1.1.4

I thought of using a reflexive list but I think it won't work here since communication is bi-directional. If I need to add an entry I have to add it on 2 lists, and since the number of sites is large I am suspecting it will be a great overhead, but one thing is decided: this security must be applied on the SITE end and not the HUB end. So now, is there any way that if I create an entry with a permit statement its exact replica is also created? I hope you are getting the idea; I don't want to create 2 separate access-lists, just one that also allows an entry's replica as well.

Please guide me on this.

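One way to take the manual duplication out of the picture is to generate the replica from the outbound list and to audit an existing Outbound/Inbound pair for entries whose mirror is missing. The following is an added example in Python, not code from the post or from Cisco; it handles only the "permit ip <src> <dst>" form shown above (no port or flag qualifiers), and the two sample lists are constructed, with one Inbound entry (host 10.1.56.28) deliberately not matching its replica so the audit has something to report.

```python
import ipaddress
# Constructed sample lists (not the poster's real config); Inbound deliberately
# carries one ACE (host 10.1.56.28) whose replica on Outbound does not match.
OUTBOUND = """ip access-list extended Outbound
 permit ip host 10.1.56.26 host 10.1.1.4
 permit ip host 10.1.56.8 host 10.1.2.26
 permit ip 10.1.56.0 0.0.0.255 host 10.1.1.8"""
INBOUND = """ip access-list extended Inbound
 permit ip host 10.1.1.4 host 10.1.56.26
 permit ip host 10.1.2.26 host 10.1.56.28
 permit ip host 10.1.1.8 10.1.56.0 0.0.0.255"""

def _take_addr(tokens):
    """Consume one IOS address spec ('host A', 'any' or 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    wild = int(ipaddress.IPv4Address(tokens[1]))
    prefix = 32 - wild.bit_length()        # 0.0.0.255 -> /24, 0.0.0.0 -> /32
    if (0xFFFFFFFF >> prefix) != wild:     # e.g. 0.255.0.0 is not a prefix mask
        raise ValueError(f"non-prefix wildcard {tokens[1]}")
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def _fmt_addr(net):  # render an IPv4Network back into IOS ACE syntax
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"

def _parse_ace(tokens):  # '<action> <proto> <src> <dst>' with nothing trailing
    src, rest = _take_addr(tokens[2:])
    dst, rest = _take_addr(rest)
    if rest:  # ports/flags would need their own mirroring; refuse rather than guess
        raise ValueError(f"unsupported qualifier in ACE: {' '.join(tokens)}")
    return tokens[0], tokens[1], src, dst

def parse_acl(text):  # -> (name, [(action, proto, src, dst), ...])
    lines = [l.split() for l in text.strip().splitlines() if l.strip()]
    return lines[0][-1], [_parse_ace(t) for t in lines[1:]]

def mirror_acl(text, new_name):  # exact replica: source and destination swapped
    out = [f"ip access-list extended {new_name}"]
    for action, proto, src, dst in parse_acl(text)[1]:
        out.append(f" {action} {proto} {_fmt_addr(dst)} {_fmt_addr(src)}")
    return "\n".join(out)

def mirror_mismatches(outbound, inbound):  # audit: ACEs lacking a replica on the other list
    diff = set(parse_acl(inbound)[1]) ^ {(a, p, d, s) for a, p, s, d in parse_acl(outbound)[1]}
    return sorted(f"{a} {p} {_fmt_addr(s)} {_fmt_addr(d)}" for a, p, s, d in diff)
```

Running mirror_mismatches(OUTBOUND, INBOUND) on the sample returns both halves of the broken pair (the 10.1.56.28 entry and the 10.1.56.8 entry it should have been), which is the check worth running across all sites before trusting that the two lists really are replicas.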

Giuseppe Larosa
Hall of Fame

Hello Ovais,

CBAC (Context Based Access Lists) could be of help, or also reflexive ACLs.

CBAC can work well but it requires firewall feature set and its modern equivalent advipservices and above.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c5.html

However, this kind of solution is difficult to manage even if you achieve what you are looking for; it is clear management is not realizing the overhead of this solution.

Also with standard ACLs blocking or permitting one side of communication should be enough.

Sincerely, the best would be to review this decision, but I understand that it is difficult.

Hope to help

Giuseppe
