Hello
I've been lurking here for a while, learning tons of stuff - thanks to all the experts staying active :)
I have been pondering this challenge for a while, and I can't seem to find the right approach (at least I'm not sure).
I'm in the process of changing this network from flat to segmented. We're using the traditional hierarchical network design (Core -> Distribution -> Access layers), but I'm in doubt about how to control access between segments and servers.
We use the second octet in the 10.0.0.0/8 space for host functions and the third for buildings, i.e. 10.2.1.0/24 would be users in building 1, 10.3.5.0/24 would be printers in building 5.
For now, I've been applying ACLs to each segment, denying access to the other segments that shouldn't communicate.
ACL example:
ip access-list extended ACL_USERS_1_IN
 remark deny to other user segments
 deny ip any 10.2.0.0 0.0.255.255
 remark deny to printer segments
 deny ip any 10.3.0.0 0.0.255.255
 remark allow all others
 permit ip any any
I'm thinking about actually maintaining these ACLs in the future - it's gonna be a nightmare! Especially since there are some exceptions to the rules, so I would think I have to create a unique ACL for each segment, unless I put all exceptions into the same ACL and be accurate about specific sources/destinations - this would create a very long ACL (probably ~1000-1500 entries) for all segments though. Would that hurt performance noticeably?
Is this the right approach? How are you guys doing this? (Links to resources are appreciated!)
I've done a couple of Python scripts in the past, so I could write a script for maintaining these ACLs. I would just like to know if I'm doing it right before I go all the way :)
Any input on controlling access to servers? I've been thinking about whether or not to have a firewall as the distribution device in the server block (hierarchical model).
I apologize if my question is low level :)
PS. We're an all-Cisco shop.
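The post mentions scripting the ACL maintenance in Python. The following is an added example, not the poster's own script or Cisco tooling, that takes the addressing scheme from the post (second octet = function, third octet = building) plus a declarative "who may talk to whom" table and emits one short extended ACL per segment, putting specific exceptions ahead of the broad denies because IOS ACLs are first-match. The function numbers, the permitted-function table and the printing exception are constructed sample data; 10.4.0.0/16 as a server block is an assumption, as is using the segment's own prefix as the source instead of the post's `any`. It also includes a small first-match evaluator so a generated ACL can be checked offline before it is pushed.

```python
"""Generate per-segment Cisco-style extended ACLs from a declarative policy.

Addressing scheme from the post: 10.<function>.<building>.0/24.
Everything in FUNCTIONS, ALLOWED and EXCEPTIONS is constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# second octet -> function name (4 = servers is an assumption, not from the post)
FUNCTIONS: Dict[int, str] = {2: "USERS", 3: "PRINTERS", 4: "SERVERS"}

# source function -> destination functions it may reach (constructed policy)
ALLOWED: Dict[str, Set[str]] = {
    "USERS": {"SERVERS"},
    "PRINTERS": set(),
    "SERVERS": {"USERS", "PRINTERS"},
}

# (source segment, destination network, protocol, destination port); constructed
EXCEPTIONS: List[Tuple[str, str, str, int]] = [
    ("10.2.1.0/24", "10.3.1.0/24", "tcp", 9100),  # building-1 users may print locally
]


def wildcard(prefix: str) -> str:
    """Render a prefix as the 'network wildcard' pair IOS ACLs expect."""
    net = ipaddress.ip_network(prefix, strict=False)
    return f"{net.network_address} {net.hostmask}"


def segment(fn_number: int, building: int) -> str:
    return f"10.{fn_number}.{building}.0/24"


def function_block(fn_number: int) -> str:
    return f"10.{fn_number}.0.0/16"


def build_acl(fn_number: int, building: int) -> List[str]:
    """Build the inbound ACL for one segment; exceptions first, then broad denies."""
    src_name = FUNCTIONS[fn_number]
    src = segment(fn_number, building)
    lines = [f"ip access-list extended ACL_{src_name}_{building}_IN"]
    for exc_src, dst, proto, port in EXCEPTIONS:
        if exc_src != src:
            continue
        lines.append(f" remark exception: {src} -> {dst} {proto}/{port}")
        lines.append(f" permit {proto} {wildcard(src)} {wildcard(dst)} eq {port}")
    for num, dst_name in sorted(FUNCTIONS.items()):
        if dst_name in ALLOWED[src_name]:
            continue  # reachable via the final permit
        lines.append(f" remark deny to {dst_name.lower()} segments")
        lines.append(f" deny ip {wildcard(src)} {wildcard(function_block(num))}")
    # Source is the segment itself (assumption), so packets with a foreign source
    # address fall through to the implicit deny instead of matching 'permit ip any any'.
    lines.append(" remark allow all others")
    lines.append(f" permit ip {wildcard(src)} any")
    return lines


def _match_addr(addr: str, tokens: List[str], i: int) -> Tuple[bool, int]:
    """Consume one address spec ('any' or 'net wildcard') at tokens[i]."""
    if tokens[i] == "any":
        return True, i + 1
    net = int(ipaddress.ip_address(tokens[i]))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    mask = 0xFFFFFFFF ^ wild  # wildcard bits are "don't care"
    return (int(ipaddress.ip_address(addr)) & mask) == (net & mask), i + 2


def evaluate(acl: List[str], src: str, dst: str, proto: str,
             port: Optional[int] = None) -> str:
    """First-match evaluation of a generated ACL, with the implicit deny at the end."""
    for line in acl[1:]:
        tokens = line.split()
        if tokens[0] == "remark":
            continue
        action, ace_proto = tokens[0], tokens[1]
        if ace_proto != "ip" and ace_proto != proto:
            continue
        ok, i = _match_addr(src, tokens, 2)
        if not ok:
            continue
        ok, i = _match_addr(dst, tokens, i)
        if not ok:
            continue
        if i < len(tokens) and tokens[i] == "eq" and int(tokens[i + 1]) != port:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    for fn, bldg in ((2, 1), (3, 5)):
        print("\n".join(build_acl(fn, bldg)))
        print("!")
```

Because the policy lives in the tables rather than in the ACL text, an exception is one added tuple and every segment's ACL stays a handful of lines; the evaluator lets you assert the intended flows (and the intended blocks) against the generated output before anything touches a switch.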