https://community.cisco.com/t5/network-security/firewall-to-replace-vlans-on-a-switch/m-p/5282672#M1120640 <P>Friend Firepower not give you as much as SW, firepower have little number of port,&nbsp;</P> <P>But if you have few device then sure you can connect all device to firepower and use BDI between port.&nbsp;</P> <P>This make traffic between device allow and can also use FW to access internet.&nbsp;</P> <P>MHM</P> Fri, 18 Apr 2025 09:58:14 GMT MHM Cisco World 2025-04-18T09:58:14Z https://community.cisco.com/t5/network-security/firewall-to-replace-vlans-on-a-switch/m-p/5281531#M1120610 <P>High Level Overview of my network: Cisco 9400 at campus core, 9300s at four smaller branch schools. OSPF routing to our ISP who routes internal traffic directly to the correct building and external traffic to internet. All of these links are working fine.</P><P>Each location switch has 5-10 VLANs defined with inter-vlan routing enabled and ACL's controlling how traffic flows between them. This is also working fine but I am tired of command-line ACLs that are a PITA to construct, maintain, adjust and log.</P><P>Here is my wish: Can I get a Cisco Firewall at each location to make the VLANS actually live on the firewall instead of the switches themselves, then manage the ACLs on the firewall. This way they will be easier to manage and will be stateful.</P><P>If so, what would be the smallest (cheapest) model that can do this...as a test in my smallest school with the least amount of traffic...so that i can learn how to configure and maintain before trying to get a project budgeted for this functionality at all locations.</P><P>Thanks in advance for any recommendations.</P> Tue, 15 Apr 2025 12:04:38 GMT https://community.cisco.com/t5/network-security/firewall-to-replace-vlans-on-a-switch/m-p/5281531#M1120610 darinheilman 2025-04-15T12:04:38Z https://community.cisco.com/t5/network-security/firewall-to-replace-vlans-on-a-switch/m-p/5281557#M1120611 <P>There are several factors that can impact the appliance model that you select:</P> <UL> <LI>Throughput requirements</LI> <LI>Threat features that will be used (IPS, Malware, URL Filtering)</LI> <LI>Size of the Access Control Policy (ACP). More specifically, the Number of Access Control Entries (ACEs)</LI> </UL> <P>If the above are minimal, then even the <A href="https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html" target="_self">1010</A> will be sufficient as that model supports up-to 60 VLANs/Subinterfaces. However, that appliance has been out for a while so it is probably better to go with the newer, <A href="https://www.cisco.com/c/en/us/products/collateral/security/firewalls/secure-firewall-1200-series-ds.html" target="_self">1200</A> series.&nbsp;</P> <DIV id="bodyDisplay_3" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P><EM>Thank you for rating helpful posts!</EM></P> </DIV> </DIV> Tue, 15 Apr 2025 13:09:19 GMT https://community.cisco.com/t5/network-security/firewall-to-replace-vlans-on-a-switch/m-p/5281557#M1120611 nspasov 2025-04-15T13:09:19Z https://community.cisco.com/t5/network-security/firewall-to-replace-vlans-on-a-switch/m-p/5281562#M1120613 <P>as a test device in my smallest school....yeah, just minimal.&nbsp; The only thing i want to initially use is ACL constructions and monitoring.</P><P>&nbsp;</P> Tue, 15 Apr 2025 13:14:18 GMT https://community.cisco.com/t5/network-security/firewall-to-replace-vlans-on-a-switch/m-p/5281562#M1120613 darinheilman 2025-04-15T13:14:18Z https://community.cisco.com/t5/network-security/firewall-to-replace-vlans-on-a-switch/m-p/5282672#M1120640 <P>Friend Firepower not give you as much as SW, firepower have little number of port,&nbsp;</P> <P>But if you have few device then sure you can connect all device to firepower and use BDI between port.&nbsp;</P> <P>This make traffic between device allow and can also use FW to access internet.&nbsp;</P> <P>MHM</P> Fri, 18 Apr 2025 09:58:14 GMT https://community.cisco.com/t5/network-security/firewall-to-replace-vlans-on-a-switch/m-p/5282672#M1120640 MHM Cisco World 2025-04-18T09:58:14Z