New Member

ACL consolidation

Hi,

I'm trying to figure out the best way to consolidate the long ACL I created, so that my 3560G won't have to spend a lot of time processing it. Its purpose is to limit the access for certain users after they use VPN to connect to work. The picture below shows entries in the ACL; I used Network Assistant to do this. The ACL is attached to the inbound interface (C3560G) for the outbound connection from the VPN server, I hope that makes sense.

Thanks!

(attachment: Capture.JPG)

VIP Purple

ACL consolidation

Unless you run out of TCAM resources, the switch will not process the optimized ACL faster than it does now.

But why don't you configure the access-control directly on your VPN-Gateway? That makes much more sense.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
New Member

ACL consolidation

Well, I use RRAS on Windows 2008 R2 for VPN and I don't see an option there for this kind of access control.

VIP Purple

ACL consolidation

Ok, if your RRAS doesn't support access control, then you have to use your switch for that. As I said, you won't get any performance improvement from optimization. My advice would be to group your ACL in a way that is as readable as possible. With that, you are less likely to make configuration mistakes than with optimized ACLs on routers, where an often-heard piece of advice is that the entries that match most often should be moved to the top.

An optimization that is possible and quite useful is to match your users to IP subnets on the RRAS based on function. If, for example, all restricted users get an IP in the 192.168.8.128/28 range (which is 192.168.8.128 to 192.168.8.143), then you only need one line each for your permits and denies on the switch. And you don't have to touch the switch when a new user is assigned the restricted role. In the same way you configure a range for unrestricted users.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
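The subnet grouping proposed in the reply above, worked through as an added example (this is not code or configuration from the thread, and the 3560G's own ACL is not shown here). The script takes a long per-user Cisco IOS extended ACL, merges entries that differ only in source host into per-subnet entries with IOS wildcard masks, and then checks that the short ACL makes the same first-match permit/deny decision as the long one on sample traffic. The restricted pool 192.168.8.128/28 comes from the reply; the unrestricted pool 192.168.8.0/25, the destinations 10.0.0.10 and 10.0.0.0/8, the ports and the sample packets are constructed for illustration.

```python
"""Collapse a per-host IOS extended ACL into per-subnet entries and verify
the result. Added example, not from the Cisco Support Community thread."""
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def wildcard(net):
    """IOS wildcard mask is the inverse of the subnet mask (/28 -> 0.0.0.15)."""
    return str(net.hostmask)


def ios_address(net):
    """Render a network the way an IOS extended ACE expects it."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {wildcard(net)}"


def ios_line(ace):
    """Render one ACE tuple as an IOS extended-ACL line."""
    action, proto, src, dst, port = ace
    line = f"{action} {proto} {ios_address(src)} {ios_address(dst)}"
    return line if port is None else f"{line} eq {port}"


def parse(rows):
    """rows: (action, proto, src_cidr, dst_cidr, port) -> tuples with Network objects."""
    return [(a, p, Net(s), Net(d), port) for a, p, s, d, port in rows]


def consolidate(acl):
    """Merge ACEs that differ only in their source address.

    Sources are summarised with collapse_addresses(), which only joins hosts
    that fill a whole CIDR block; a pool with gaps stays several lines.
    Groups keep the order of their first appearance, which can reorder
    overlapping entries, so run same_decisions() on the result afterwards.
    """
    groups = {}
    for action, proto, src, dst, port in acl:
        groups.setdefault((action, proto, dst, port), []).append(src)
    merged = []
    for (action, proto, dst, port), srcs in groups.items():
        for net in ipaddress.collapse_addresses(srcs):
            merged.append((action, proto, net, dst, port))
    return merged


def decision(acl, proto, src, dst, port=None):
    """First matching entry wins; an IOS ACL ends in an implicit deny."""
    s, d = Addr(src), Addr(dst)
    for action, p, src_net, dst_net, pt in acl:
        if p != "ip" and p != proto:
            continue
        if pt is not None and pt != port:
            continue
        if s in src_net and d in dst_net:
            return action
    return "deny"


def same_decisions(acl_a, acl_b, packets):
    """True if both ACLs decide every sample packet the same way."""
    return all(decision(acl_a, *pkt) == decision(acl_b, *pkt) for pkt in packets)


# Constructed input (assumption): two lines per restricted user for all sixteen
# hosts in 192.168.8.128/28, then one line for an unrestricted pool 192.168.8.0/25.
RESTRICTED_HOSTS = [f"192.168.8.{n}/32" for n in range(128, 144)]
LONG_ACL = parse(
    [row for h in RESTRICTED_HOSTS for row in (
        ("permit", "tcp", h, "10.0.0.10/32", 443),   # intranet web only
        ("deny", "ip", h, "10.0.0.0/8", None),        # nothing else inside
    )]
    + [("permit", "ip", "192.168.8.0/25", "0.0.0.0/0", None)]
)

# Constructed sample traffic: (proto, src, dst, port).
SAMPLE_PACKETS = [
    ("tcp", "192.168.8.130", "10.0.0.10", 443),  # restricted user, allowed
    ("tcp", "192.168.8.130", "10.0.0.10", 22),   # restricted user, denied
    ("tcp", "192.168.8.143", "10.2.3.4", 445),   # restricted user, denied
    ("tcp", "192.168.8.20", "10.2.3.4", 445),    # unrestricted user, allowed
    ("udp", "192.168.8.200", "10.0.0.10", 53),   # outside both pools, implicit deny
]

if __name__ == "__main__":
    short = consolidate(LONG_ACL)
    print(f"{len(LONG_ACL)} entries -> {len(short)}")
    for ace in short:
        print(ios_line(ace))
    print("same decisions:", same_decisions(LONG_ACL, short, SAMPLE_PACKETS))
```

Running it turns the 33-line constructed ACL into three lines (one permit and one deny with the 0.0.0.15 wildcard for the /28, plus the unrestricted pool) and reports that both versions agree on the sample packets. The equivalence check is the part worth keeping: regrouping entries changes their order, and first-match semantics mean a reordered overlap can silently flip a decision. The gap caveat also matters for the RRAS side: if the restricted pool is only partly used, collapse_addresses() emits one line per contiguous block rather than one line for the whole range, so the pool must be reserved as a whole on the VPN server.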