Cisco Support Community
ACE access-list best practice

Hi,

I was wondering what the best practice is for the access-lists on the Cisco ACE.

Should we permit Any in the access-list, and classify the traffic in the class-maps as seen in a brief example:

access-list ANY line 10 extended permit ip any any
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https

class-map match-all EXCH-DMZ-INTERNET-OUT
  2 match access-list EXCH-DMZ-INTERNET-OUT

policy-map multi-match EXCH-DMZ-OUT
  class EXCH-DMZ-INTERNET-OUT
    nat dynamic 1 vlan 1001

interface vlan 756
  description VLAN 744 EXCH DMZ BE
  ip address 10.134.11.253 255.255.255.0
  alias 10.134.11.254 255.255.255.0
  peer ip address 10.134.11.252 255.255.255.0
  access-group input ANY
  service-policy input EXCH-DMZ-OUT

Or should we also use the access-list in the access-group on the interface, as seen below:

access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https

class-map match-all EXCH-DMZ-INTERNET-OUT
  2 match access-list EXCH-DMZ-INTERNET-OUT

policy-map multi-match EXCH-DMZ-OUT
  class EXCH-DMZ-INTERNET-OUT
    nat dynamic 1 vlan 1001

interface vlan 756
  description VLAN 744 EXCH DMZ BE
  ip address 10.134.11.253 255.255.255.0
  alias 10.134.11.254 255.255.255.0
  peer ip address 10.134.11.252 255.255.255.0
  access-group input EXCH-DMZ-INTERNET-OUT
  service-policy input EXCH-DMZ-OUT

Regards,

1 REPLY

Re: ACE access-list best practice

Hello,

I don't think you'll find a "best practice" for this scenario. It really just comes down to meeting your needs. The first example you have is far and away the more commonly seen configuration, as you'll only NAT the traffic matching EXCH-DMZ-INTERNET-OUT, but all other traffic will be forwarded by the ACE whether it is load balanced or not. The second way will only allow NAT'd traffic, and deny all others.

Hope this helps,

Sean

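To make the difference Sean describes concrete, here is an added Python model of the two configurations from the question. It is not ACE code or anything from the thread; it is a simplified simulation (first-match ACL evaluation with an implicit deny, the interface access-group checked before the service-policy classes) that parses the thread's own access-list lines and runs a few constructed sample packets through both variants. The packet values and the helper names (`parse_acls`, `acl_permits`, `process`, `compare`) are assumptions made for this example.

```python
import ipaddress

# ACL lines copied from the question (ACE "extended" syntax).
ACL_TEXT = """
access-list ANY line 10 extended permit ip any any
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
"""

# policy-map EXCH-DMZ-OUT from the question: one class, one action.
POLICY = [("EXCH-DMZ-INTERNET-OUT", "nat dynamic 1 vlan 1001")]

# Constructed sample packets (not from the thread): (src, dst, proto, dst port).
# Note 255.255.254.0 on 10.134.10.0 is a /23, so 10.134.11.x is still inside it.
SAMPLE_PACKETS = [
    ("10.134.10.25", "203.0.113.10", "tcp", 80),   # web from the DMZ subnet
    ("10.134.10.25", "203.0.113.10", "tcp", 443),  # https from the DMZ subnet
    ("10.134.10.25", "203.0.113.10", "tcp", 25),   # smtp: no ACL entry for it
    ("10.134.12.9",  "203.0.113.10", "tcp", 80),   # web from outside the /23
]

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}


def _parse_addr(tokens, i):
    """Consume an address spec: 'any' or '<network> <mask>'. Returns (net or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_acls(text):
    """Parse 'access-list NAME line N extended permit|deny PROTO SRC DST [eq PORT]' lines
    into {name: [(line, action, proto, src_net, dst_net, port), ...]} sorted by line number."""
    acls = {}
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] != "access-list":
            continue
        name, lineno = t[1], int(t[3])
        action, proto = t[5], t[6]
        src, i = _parse_addr(t, 7)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(name, []).append((lineno, action, proto, src, dst, port))
    for entries in acls.values():
        entries.sort(key=lambda e: e[0])
    return acls


def acl_permits(entries, pkt):
    """First-match evaluation; falling off the end is the implicit deny."""
    src, dst, proto, dport = pkt
    for _, action, eproto, esrc, edst, eport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if esrc is not None and ipaddress.ip_address(src) not in esrc:
            continue
        if edst is not None and ipaddress.ip_address(dst) not in edst:
            continue
        if eport is not None and eport != dport:
            continue
        return action == "permit"
    return False


ACLS = parse_acls(ACL_TEXT)


def process(access_group, pkt):
    """Model the order the answer relies on: the interface access-group decides
    admission first; then the first matching service-policy class picks the action;
    traffic matching no class is forwarded unchanged (no NAT)."""
    if not acl_permits(ACLS[access_group], pkt):
        return "denied by access-group"
    for acl_name, action in POLICY:
        if acl_permits(ACLS[acl_name], pkt):
            return action
    return "forwarded without NAT"


def compare(pkts=SAMPLE_PACKETS):
    """Run each packet through variant 1 (access-group ANY) and variant 2 (restrictive ACL)."""
    return [(pkt, process("ANY", pkt), process("EXCH-DMZ-INTERNET-OUT", pkt)) for pkt in pkts]


if __name__ == "__main__":
    for pkt, permit_any, restrictive in compare():
        print(f"{pkt}: permit-any -> {permit_any}; restrictive -> {restrictive}")
```

Running it shows the split the reply describes: with `access-group input ANY`, the SMTP packet and the packet from outside the /23 are forwarded without NAT, while with the restrictive access-group they never reach the policy-map and are dropped. The model ignores everything else the ACE does in the data path (load-balancing classes, connection state, multi-match ordering beyond first match), so use it only to reason about which of the two behaviours you actually want on that interface.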