Friday, November 22, 2019

ACLs between VLANs - how granular do you get?

Not too long ago we began using 802.1X authentication and dynamic VLAN assignment on switch interfaces. Depending on who you are, you get assigned a different VLAN and subnet. There are a number of different types of user, and a number of different VLANs. Once authenticated, a VLAN is assigned to the interface as well as a dACL (permit all).

The ACLs I have been working on are applied at the VLAN interface.

The ACLs are getting pretty crazy. I'm OK with it from a management point of view (but God help the guy who gets handed this task later); I have written some scripts that produce and apply the ACLs to each site, but I wonder if I am getting too granular. I allow specific access to print servers, and only on the ports necessary. I allow specific traffic for Active Directory functions, DHCP, etc. You need SMTP? You get 587. You need access to the security camera system? I will enable a temporary permit statement with "log" on the end so I can analyze logs for a baseline of what is needed for permit statements to be permanently added.

Is this normal? Anybody have any "best practice" advice on this?
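The workflow described above (per-VLAN inbound ACLs generated per site from a role policy, a temporary "permit ... log" entry for a new service, then reading the syslog hits to decide what becomes permanent) as an added example in Python. This is not the author's script and not vendor code; it emits Cisco IOS extended-ACL syntax, and every site name, subnet, server address and port list below is a constructed assumption for illustration, as is the sample syslog. The IOS message format for port-carrying hits (%SEC-6-IPACCESSLOGP) is matched; ICMP and protocol-only variants use different message IDs and are ignored here.

```python
"""Per-VLAN ACL generator plus a syslog baseline summarizer (added example).

Assumptions (not from the post): Cisco IOS extended-ACL syntax, the
%SEC-6-IPACCESSLOGP syslog format, and all addresses/ports below.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Service -> (protocol, port) list.  These port sets are assumptions; trim
# them to what your servers actually listen on.
SERVICES = {
    "print": [("tcp", 9100), ("tcp", 631)],            # JetDirect raw, IPP
    "ad":    [("udp", 53), ("tcp", 53), ("tcp", 88), ("udp", 88),
              ("tcp", 389), ("udp", 389), ("tcp", 445), ("tcp", 636),
              ("udp", 123)],                           # DNS, Kerberos, LDAP(S), SMB, NTP
    "smtp":  [("tcp", 587)],                           # submission only, never 25
    "cctv":  [("tcp", 443), ("tcp", 554)],             # assumed camera-system ports
}


@dataclass
class Site:
    name: str
    subnets: dict   # vlan id -> "network wildcard" (IOS style)
    servers: dict   # service name -> [server ip, ...]


@dataclass
class Role:
    vlan: int
    allowed: list                               # services permitted permanently
    trial: list = field(default_factory=list)   # services under log-baselining


def render_acl(site: Site, role: Role) -> list:
    """Return the lines of the inbound ACL for one role VLAN at one site."""
    name = f"VLAN{role.vlan}-{site.name}-IN"
    src = site.subnets[role.vlan]
    out = [f"ip access-list extended {name}",
           # Clients need DHCP before they have an address: 68 -> 67 from 0.0.0.0
           " permit udp any eq bootpc any eq bootps"]
    for svc in role.allowed + role.trial:
        log = " log" if svc in role.trial else ""
        if log:
            out.append(f" remark TRIAL {svc}: review hits, then drop 'log' or remove")
        for host in site.servers[svc]:
            for proto, port in SERVICES[svc]:
                out.append(f" permit {proto} {src} host {host} eq {port}{log}")
    out.append(" deny ip any any log")   # explicit deny+log so misses are visible too
    return out


LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (\w+) "
    r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\), (\d+) packets?")


def baseline(log_lines, acl_name: str) -> Counter:
    """Sum packets per (action, proto, dst, dport) for one ACL from IOS syslog.

    'permitted' keys are the candidates for permanent ACEs; 'denied' keys show
    what the trial entry did not cover.
    """
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(1) == acl_name:
            _lst, action, proto, _src, _sport, dst, dport, pkts = m.groups()
            hits[(action, proto, dst, int(dport))] += int(pkts)
    return hits


# Constructed sample data.
HQ = Site("HQ", {20: "10.1.20.0 0.0.0.255"},
          {"ad": ["10.1.10.5"], "print": ["10.1.10.20"],
           "smtp": ["10.1.10.25"], "cctv": ["10.1.50.9"]})
STAFF = Role(20, allowed=["ad", "print", "smtp"], trial=["cctv"])
SAMPLE_LOG = [  # constructed syslog lines in the IOS IPACCESSLOGP shape
    "Nov 22 10:01:02 sw1 1234: %SEC-6-IPACCESSLOGP: list VLAN20-HQ-IN permitted tcp "
    "10.1.20.15(52344) -> 10.1.50.9(554), 7 packets",
    "Nov 22 10:01:09 sw1 1235: %SEC-6-IPACCESSLOGP: list VLAN20-HQ-IN permitted tcp "
    "10.1.20.16(52345) -> 10.1.50.9(554), 3 packets",
    "Nov 22 10:02:11 sw1 1236: %SEC-6-IPACCESSLOGP: list VLAN20-HQ-IN permitted tcp "
    "10.1.20.15(52346) -> 10.1.50.9(443), 1 packet",
    "Nov 22 10:02:40 sw1 1237: %SEC-6-IPACCESSLOGP: list VLAN20-HQ-IN denied tcp "
    "10.1.20.15(52347) -> 10.1.50.9(8000), 4 packets",
    "Nov 22 10:03:00 sw1 1238: %SEC-6-IPACCESSLOGP: list VLAN30-HQ-IN permitted tcp "
    "10.1.30.5(1111) -> 10.1.50.9(554), 9 packets",
]

if __name__ == "__main__":
    print("\n".join(render_acl(HQ, STAFF)))
    for key, pkts in sorted(baseline(SAMPLE_LOG, "VLAN20-HQ-IN").items()):
        print(key, pkts)
```

Two caveats when reading the counts: logged ACEs are punted to the CPU and rate-limited on Cisco gear (tune with `ip access-list logging interval` and `ip access-list log-update threshold`), so the packet totals are a sample, not a census; and keep the trial window short, because the "permit ... log" entry is still a permit while you wait for the baseline.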
