Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.



Named ACLs vs ACEs

Posts: 51
2076     0

What is the best practice when using ACLs/ACEs?  Is one preferred over the other?  Is there a scenario by which a named ACL is better than an ACE?  Is there a difference in how Infoblox processes each?  Apologize for the multiple questions, just trying to get an understanding and an approach to using and setting ACLs for my zones.

Re: Named ACLs vs ACEs

Posts: 105
2077     0



For me personally i use named acl instead of aces when i manage a kind of big ip and have multiple grid members. for example in my case. Infoblox was used in ISP and they have about 6 infoblox installed. 2 box handling about 70 network segment, 2 box handling about next different 70 segment and the other handling next different subnet for allow recursive. Sometime our customer add about 20 segment/IP to be allowed only for the first 2 box so if i use set aces then i need to add that two new segment each box for set aces right, so when i use named acl, it will be simpler because we only need to add that new segment to that named acl then assign it for the first two box and then it will apply to both box.

Re: Named ACLs vs ACEs

[ Edited ]
Posts: 187
2077     0

I always try and use named ACLs instead of ACEs. ACEs are a nightmare to manage as you end up with IP addresses being defined all over the place.


However, named ACLs require a bit of planning as you can normally only specify one when defining them for "allow-query/transfer/update". What I normally do is set up my named ACLs containing the individual IPs/keys etc then have a "parent" ACL that contains whatever combination of "child" named ACLs I want to define. My goal is to only ever define the IP address of a device once and not have it duplicated. So I might have an ACL that defines the indiviual IP addresses for devices in a DMZ, or AD domain controllers, then define a parent ACL that is actually used in the "allow-query/transfer/update" section and the parent ACL will contain one or more child ACLs that have all the IP address entries. The parent ACL only ever contains other ACLs, it does not have individual IPs. This can get quite complicated because AFAIK you can have multple levels of ACL hierarchy with each layer of ACLs having child ACLs - although I have never gone to this level I normally only have a parent with children, not grandchildren nor great-grandchildren, but I think you could do that if you wanted to.


Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Showing results for 
Search instead for 
Did you mean: 

Recommended for You