ACE access-list best practice

stephg (Level 1)

Hi,

I was wondering what was the best practice for the access-list's on the Cisco ACE.

Should we permit Any in the access-list, and classify the traffic in the class-maps as seen in a brief example:

access-list ANY line 10 extended permit ip any any
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https

class-map match-all EXCH-DMZ-INTERNET-OUT
  2 match access-list EXCH-DMZ-INTERNET-OUT

policy-map multi-match EXCH-DMZ-OUT
  class EXCH-DMZ-INTERNET-OUT
    nat dynamic 1 vlan 1001

interface vlan 756
  description VLAN 744 EXCH DMZ BE
  ip address 10.134.11.253 255.255.255.0
  alias 10.134.11.254 255.255.255.0
  peer ip address 10.134.11.252 255.255.255.0
  access-group input ANY
  service-policy input EXCH-DMZ-OUT

Or should we also use the access-list for the access-group on the interface, as seen below:

access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https

class-map match-all EXCH-DMZ-INTERNET-OUT
  2 match access-list EXCH-DMZ-INTERNET-OUT

policy-map multi-match EXCH-DMZ-OUT
  class EXCH-DMZ-INTERNET-OUT
    nat dynamic 1 vlan 1001

interface vlan 756
  description VLAN 744 EXCH DMZ BE
  ip address 10.134.11.253 255.255.255.0
  alias 10.134.11.254 255.255.255.0
  peer ip address 10.134.11.252 255.255.255.0
  access-group input EXCH-DMZ-INTERNET-OUT
  service-policy input EXCH-DMZ-OUT

Regards,

1 Reply

Sean Merrow (Level 4)

Hello,

I don't think you'll find a "best practice" for this scenario.  It really just comes down to meeting your needs.  The first example you have is far and away the more commonly seen configuration, as you'll only NAT the traffic matching EXCH-DMZ-INTERNET-OUT, but all other traffic will be forwarded by the ACE whether it is load balanced or not.  The second way will only allow NAT'd traffic, and deny all others.

Hope this helps,

Sean
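The difference Sean describes is easy to see by running a few sample flows through both configurations. The Python below is an added model written for this page; it is not ACE code and not from either poster. It parses the three access-list lines from the thread, evaluates them first-match with the implicit deny that ends every ACE ACL, and then applies the two checks in the order the interface does: the access-group ACL decides whether a packet is forwarded at all, and the class-map ACL decides whether it is NAT'd. Assumptions: only the extended ACL form used in the thread is parsed (no object groups or port ranges), the port-keyword table covers just www/http/https, and the sample flows and their 203.0.113.0/24 destinations are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed copy of the three ACL lines from the thread above.
ACL_CONFIG = """
access-list ANY line 10 extended permit ip any any
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
"""

# Assumption: only the port keywords that appear in the thread need resolving.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


@dataclass
class Ace:
    line: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the entry has no "eq <port>" clause


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Dotted netmask as written on ACE, e.g. 10.134.10.0 255.255.254.0 -> 10.134.10.0/23
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Parse 'access-list NAME line N extended permit|deny PROTO SRC DST [eq PORT]'."""
    acls: Dict[str, List[Ace]] = {}
    for raw in text.strip().splitlines():
        t = raw.split()
        if len(t) < 9 or t[0] != "access-list" or t[2] != "line" or t[4] != "extended":
            continue  # assumption: only the extended form used in the thread is supported
        src, i = _parse_addr(t, 7)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(t[1], []).append(Ace(int(t[3]), t[5], t[6], src, dst, dport))
    for entries in acls.values():
        entries.sort(key=lambda a: a.line)  # entries are evaluated in line-number order
    return acls


def acl_permits(acl: List[Ace], flow: Flow) -> bool:
    """First-match evaluation; the ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if flow.src not in ace.src or flow.dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action == "permit"
    return False


def evaluate(flow: Flow, acls: Dict[str, List[Ace]], access_group: str, class_acl: str) -> str:
    """The interface access-group gates forwarding; the class-map ACL then selects NAT."""
    if not acl_permits(acls[access_group], flow):
        return "denied"
    if acl_permits(acls[class_acl], flow):
        return "forwarded + NAT"
    return "forwarded (no NAT)"


def compare_configs(flow: Flow) -> Dict[str, str]:
    """Run one flow through both interface configurations from the thread."""
    acls = parse_acls(ACL_CONFIG)
    return {
        "access-group ANY": evaluate(flow, acls, "ANY", "EXCH-DMZ-INTERNET-OUT"),
        "access-group EXCH-DMZ-INTERNET-OUT":
            evaluate(flow, acls, "EXCH-DMZ-INTERNET-OUT", "EXCH-DMZ-INTERNET-OUT"),
    }


def make_flow(src: str, dst: str, proto: str, dport: int) -> Flow:
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is the documentation range.
    for f in (make_flow("10.134.10.5", "203.0.113.10", "tcp", 443),   # matched by the class ACL
              make_flow("10.134.10.5", "203.0.113.10", "tcp", 22),    # not matched: SSH outbound
              make_flow("10.134.12.5", "203.0.113.10", "tcp", 443)):  # source outside the /23
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}")
        for cfg, verdict in compare_configs(f).items():
            print(f"  {cfg:36} {verdict}")
```

With the first configuration, the SSH flow and the flow from a source outside 10.134.10.0/23 are both forwarded un-NAT'd, which is exactly the "all other traffic will be forwarded" behaviour in the reply; with the second configuration they are denied by the implicit deny of EXCH-DMZ-INTERNET-OUT. Whether that open forwarding is acceptable depends on what else sits in the path, so the model is a useful way to review an ACE interface before relying on the permit-any pattern.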
