I am trunking between a Cat 6006 (Fast Ether) to a 3662 using 802.1Q and have subinterfaces configured for each VLAN on the 3662. Since each subinterface has its own subnet, I will need an access-list line for each subnet.
Where is the most efficient and effective application of the access-list? Is it on the main interface or subinterfaces?
Apply access-list to the subinterface, and have it restrict traffic as it leaves the subnet. From the router's point of view, this would be on INbound traffic from the subnet to the router.
To be redundantly secure, you can also restrict traffic as it enters a subnet; this would be traffic exiting OUTbound from the router's subinterface. But you have to take into account all the other access-lists you're applying to INbound traffic, reverse the source and destination IP addresses, and input them all in the OUTbound access-list. Do this for each subinterface. Lots of extra work, but it can still protect the other subnets if for some reason you have to take the INbound access-list off of one of the subinterfaces temporarily.
I usually just do the access-lists on traffic INbound to the router. This leaves the router with more CPU time to do things, and it's simpler to maintain. If I have to do access-list maintenance, it's off a subinterface for only a short period of time.
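As an added example that is not part of the original thread, this Python helper does the chore the answer describes for the redundant OUTbound list: it swaps source and destination (port qualifiers included) for each INbound entry and emits the matching dot1Q subinterface lines. The ACL names, subnets and the FastEthernet0/0 parent interface are constructed sample values, not the poster's configuration.

```python
# Added example (not from the original post): mirror a subinterface's INbound
# ACL into the OUTbound list and emit IOS-style subinterface/ACL lines.
# All addresses, ACL names and the parent interface are constructed samples.
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp"
    src: str             # IOS address + wildcard, "host a.b.c.d", or "any"
    dst: str
    src_port: str = ""   # e.g. "eq 443"; empty when unqualified
    dst_port: str = ""

    def line(self) -> str:
        parts = [self.action, self.proto, self.src]
        if self.src_port:
            parts.append(self.src_port)
        parts.append(self.dst)
        if self.dst_port:
            parts.append(self.dst_port)
        return " ".join(parts)

def mirror(ace: Ace) -> Ace:
    """Swap source and destination, addresses and port qualifiers alike."""
    return replace(ace, src=ace.dst, dst=ace.src,
                   src_port=ace.dst_port, dst_port=ace.src_port)

def mirror_acl(inbound: List[Ace]) -> List[Ace]:
    # Stateless mirror: a mirrored "permit tcp ... eq 443" admits any packet
    # whose source port is 443, not only replies; the implicit deny still ends the list.
    return [mirror(a) for a in inbound]

def acl_config(name: str, aces: List[Ace]) -> List[str]:
    return [f"ip access-list extended {name}"] + [f" {a.line()}" for a in aces]

def subif_config(parent: str, vlan: int, ip: str, mask: str,
                 in_name: str, out_name: Optional[str] = None) -> List[str]:
    cfg = [f"interface {parent}.{vlan}", f" encapsulation dot1Q {vlan}",
           f" ip address {ip} {mask}", f" ip access-group {in_name} in"]
    if out_name:                      # the optional redundant OUTbound list
        cfg.append(f" ip access-group {out_name} out")
    return cfg

if __name__ == "__main__":
    vlan10_in = [Ace("permit", "tcp", "10.10.10.0 0.0.0.255", "10.10.20.0 0.0.0.255", dst_port="eq 443"),
                 Ace("permit", "udp", "10.10.10.0 0.0.0.255", "host 10.10.20.53", dst_port="eq 53")]
    print("\n".join(acl_config("VLAN10-IN", vlan10_in)))
    print("\n".join(acl_config("VLAN10-OUT", mirror_acl(vlan10_in))))
    print("\n".join(subif_config("FastEthernet0/0", 10, "10.10.10.1", "255.255.255.0",
                                 "VLAN10-IN", "VLAN10-OUT")))
```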