ACE access-list best practice

May 27th, 2010

Hi,

I was wondering what the best practice is for the access-lists on the Cisco ACE.


Should we permit any in the access-list and classify the traffic in the class-maps, as seen in this brief example:

access-list ANY line 10 extended permit ip any any
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https

class-map match-all EXCH-DMZ-INTERNET-OUT
  2 match access-list EXCH-DMZ-INTERNET-OUT

policy-map multi-match EXCH-DMZ-OUT
  class EXCH-DMZ-INTERNET-OUT
    nat dynamic 1 vlan 1001

interface vlan 756
  description VLAN 744 EXCH DMZ BE
  ip address 10.134.11.253 255.255.255.0
  alias 10.134.11.254 255.255.255.0
  peer ip address 10.134.11.252 255.255.255.0
  access-group input ANY
  service-policy input EXCH-DMZ-OUT

Or should we also use the access-list for the access-group on the interface, as seen below:

access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https

class-map match-all EXCH-DMZ-INTERNET-OUT
  2 match access-list EXCH-DMZ-INTERNET-OUT

policy-map multi-match EXCH-DMZ-OUT
  class EXCH-DMZ-INTERNET-OUT
    nat dynamic 1 vlan 1001

interface vlan 756
  description VLAN 744 EXCH DMZ BE
  ip address 10.134.11.253 255.255.255.0
  alias 10.134.11.254 255.255.255.0
  peer ip address 10.134.11.252 255.255.255.0
  access-group input EXCH-DMZ-INTERNET-OUT
  service-policy input EXCH-DMZ-OUT

Regards,

Sean Merrow Wed, 06/02/2010 - 07:22

Hello,


I don't think you'll find a "best practice" for this scenario. It really just comes down to meeting your needs. The first example you have is far and away the more commonly seen configuration, as you'll only NAT the traffic matching the EXCH-DMZ-INTERNET-OUT, but all other traffic will be forwarded by the ACE whether it is load balanced or not. The second way will only allow NAT'd traffic, and deny all others.


Hope this helps,

Sean
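To make the difference between the two designs concrete, here is an added example that is not part of the original thread: a small Python model of the ACE's ordered, first-match access-list evaluation, with the interface access-group checked before the class-map match inside the service-policy. The two access-lists are transcribed from the question; the sample flows, the 203.0.113.0/24 destinations (documentation address space) and the result labels "dropped", "forwarded" and "forwarded+nat" are constructed for illustration. The model is deliberately simplified (stateless, destination-port ACEs only, no load balancing), but it goes slightly beyond the page by supporting deny entries so the first-match rule can be exercised.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-list entry. proto 'ip' matches every protocol and
    dport None matches any destination port, as in 'permit ip any any'."""
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    """Constructed 5-tuple subset used to probe the policy (assumption)."""
    proto: str
    src: str
    dst: str
    dport: int


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the 'address mask' form used in ACE access-lists."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (
        ace.proto in ("ip", flow.proto)
        and ipaddress.ip_address(flow.src) in ace.src
        and ipaddress.ip_address(flow.dst) in ace.dst
        and (ace.dport is None or ace.dport == flow.dport)
    )


def acl_decision(acl: List[Ace], flow: Flow) -> str:
    """Ordered first match wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


def evaluate(access_group: List[Ace], class_acl: List[Ace], flow: Flow) -> str:
    """Modelled order: the interface access-group is consulted first; only
    traffic it permits reaches the class-map, and only class-map matches get
    the 'nat dynamic' action. Returns 'dropped', 'forwarded' or 'forwarded+nat'."""
    if acl_decision(access_group, flow) != "permit":
        return "dropped"
    if acl_decision(class_acl, flow) == "permit":
        return "forwarded+nat"
    return "forwarded"


# Access-lists transcribed from the question (255.255.254.0 is a /23).
ACL_ANY = [Ace("permit", "ip", ANY_NET, ANY_NET)]
ACL_EXCH_OUT = [
    Ace("permit", "tcp", net("10.134.10.0", "255.255.254.0"), ANY_NET, 80),
    Ace("permit", "tcp", net("10.134.10.0", "255.255.254.0"), ANY_NET, 443),
]

# Constructed sample flows; none of these hosts appear in the original thread.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "https-from-dmz": Flow("tcp", "10.134.10.20", "203.0.113.10", 443),
    "smtp-from-dmz": Flow("tcp", "10.134.10.20", "203.0.113.10", 25),
    "dns-from-dmz": Flow("udp", "10.134.10.20", "203.0.113.53", 53),
    "https-from-other-subnet": Flow("tcp", "10.134.50.7", "203.0.113.10", 443),
}


def compare_designs(flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, Dict[str, str]]:
    """Run each flow through both designs from the question and report the outcome."""
    return {
        name: {
            "access-group ANY": evaluate(ACL_ANY, ACL_EXCH_OUT, flow),
            "access-group EXCH-DMZ-INTERNET-OUT": evaluate(ACL_EXCH_OUT, ACL_EXCH_OUT, flow),
        }
        for name, flow in flows.items()
    }


if __name__ == "__main__":
    for name, result in compare_designs().items():
        print(f"{name:24} {result}")
```

Running it shows the point of Sean's answer: with access-group ANY, the SMTP and DNS flows from the DMZ and the HTTPS flow from a subnet outside 10.134.10.0/23 are all still forwarded, just without NAT, whereas binding EXCH-DMZ-INTERNET-OUT to the interface drops every one of them at the implicit deny. The second design is the fail-closed one, so anything else the ACE must pass (management, health checks, other services) has to be added to that access-list explicitly.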
