ACL Advice

  • 0
  • 1
  • Question
  • Updated 5 years ago
  • Answered
I have been asked to create an ACL that provides access to only certain servers and deny access to all else. I'm worried that to get this working i might drain switch resources.
Here is the layout

I have a stacked series of X460's (3) acting as a collapsed CORE. One of the switches is an SFP switch that remote buildings connect to. This same stack also has an ESX cluster connected to it. 
This is an educational institution with about 1000 students. Each of the remote buildings is a separate VLAN/Network and the servers are in a separate VLAN as well. The request is to provide students access to only certain servers, the internet and nothing else. Communication between VLAN's is also to be avoided.
With this criteria what is the best way to deploy an ACL without draining switch resources?
I could deploy an ACL per VLAN/Building which in effect means applying different ACL's to the specific port the remote building is connected to. This comes closest to meeting the criteria but also seems the most expensive in terms of resources.

Thanks for your time,

Photo of Andrew Hades

Andrew Hades

  • 110 Points 100 badge 2x thumb

Posted 5 years ago

  • 0
  • 1
Photo of Paul Russo

Paul Russo, Alum

  • 9,694 Points 5k badge 2x thumb
Official Response
Hello Andrew

You really should not see any impact with the ACLs.  The ACLs are done in HW on Ingress to the switch.  As the packet comes into the switch we do a simultaneous lookup for forwarding ACLs and QOS.

As John mention there are benefits to doing it at the edge.  Both EOS and XOS allows for policies to be attached to Roles on the ingress ports which allows for the security to happen before the packet even enters the network

Let us know if that helps answer your question.