ACL Advice


Hello,
I have been asked to create an ACL that provides access to only certain servers and denies access to all else. I'm worried that to get this working I might drain switch resources.
Here is the layout:

I have a stacked series of X460s (3) acting as a collapsed core. One of the switches is an SFP switch that remote buildings connect to. This same stack also has an ESX cluster connected to it.
This is an educational institution with about 1000 students. Each of the remote buildings is a separate VLAN/network and the servers are in a separate VLAN as well. The request is to provide students access to only certain servers, the internet and nothing else. Communication between VLANs is also to be avoided.
With these criteria, what is the best way to deploy an ACL without draining switch resources?
I could deploy an ACL per VLAN/building, which in effect means applying different ACLs to the specific port the remote building is connected to. This comes closest to meeting the criteria but also seems the most expensive in terms of resources.

Thanks for your time,
Sky

4 replies

Userlevel 2
Typically I apply ACLs to the inbound VLAN interface. Why are you worried about resources on the core? What is your typical CPU? You could set up your ACL and apply it to one VLAN at a time and keep an eye on the CPU. Typically I don't worry about ACLs affecting CPU. With Enterasys and Policy Manager we apply ACLs at the edge. The nice part about that is that the traffic never makes it on to the network in the first place. Not sure if your switches will be supported, but it is something to think about in the future. Let me know if you need help with the ACL.
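As an added example (not posted by anyone in this thread), here is what an ExtremeXOS policy file for one building VLAN could look like when applied on VLAN ingress as John suggests: approved servers and the internet are permitted, every other campus destination is dropped. The VLAN name, subnets, server addresses and policy name are constructed assumptions.

```text
# student_bldg1.pol  (constructed example; create it with "edit policy student_bldg1")
# Assumed addressing: building VLAN "Bldg1" = 10.10.1.0/24 with gateway 10.10.1.1,
# approved servers 10.20.0.10 and 10.20.0.11, all campus space inside 10.0.0.0/8.
# Entries are evaluated top-down; the first matching entry wins.

# Students must still reach the switch's own VLAN interface (default gateway, DHCP relay).
entry permit_gateway {
    if { destination-address 10.10.1.1/32; } then { permit; }
}

# Only the approved hosts in the server VLAN are reachable.
entry permit_server_10 {
    if { destination-address 10.20.0.10/32; } then { permit; count srv10; }
}
entry permit_server_11 {
    if { destination-address 10.20.0.11/32; } then { permit; count srv11; }
}

# Everything else inside campus space (other buildings, remaining servers) is dropped.
# One /8 entry instead of one entry per VLAN keeps the hardware rule count small.
entry deny_campus {
    if { destination-address 10.0.0.0/8; } then { deny; count deny_campus; }
}

# Whatever remains is Internet-bound: allow it.
entry permit_internet {
    if { } then { permit; }
}

# CLI steps after saving the file:
#   check policy student_bldg1                          (syntax check)
#   configure access-list student_bldg1 vlan Bldg1 ingress
#   show access-list counters                           (confirm hits on deny_campus/srv* while watching CPU)
```

Each additional building gets the same five entries with its own gateway address, so the rule count per VLAN does not grow with the number of buildings or servers blocked. Because the entries match on destination only, any host in the building VLAN is covered without per-client rules.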
John,
Thanks for your reply.
I'm a new convert to Extreme switching (not Enterasys, where I've used NetSight) and on some switches (3Com, HP) I've run into resource issues and was thus worried.
I'd much rather apply the ACL closer to the source than letting the traffic traverse the network to the core. However, the edge is a mash-up of different models of HP switches and the core is my best option.
Thanks again,
Userlevel 6
Hello Andrew

You really should not see any impact with the ACLs. The ACLs are done in HW on ingress to the switch. As the packet comes into the switch we do a simultaneous lookup for forwarding, ACLs and QoS.

As John mentioned, there are benefits to doing it at the edge. Both EOS and XOS allow for policies to be attached to roles on the ingress ports, which allows for the security to happen before the packet even enters the network.

Let us know if that helps answer your question.

P
