https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950671#M401696 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I personally feel bringing a firewall in this scenario is the best choice to secure the network. Even though your switch can do the ACL but ACL in firewall will be a good solution. </P><P></P><P>Switch will do a better switching &amp; firewall will do a better security for your network. </P><P></P><P>Having ACL in switch will gives a more load to the switch and its stateless.</P><P></P><P>You can use ACL's is switch for Qos/Line vty restriction/local host restriction. But intresting traffic towards WAN/Internet should be done with the Firewall as a best practice.</P><P></P><P></P><P>Please do rate if the given information helps.</P><P></P><P>by</P><P></P><P>Karthik</P></BODY></HTML> Tue, 24 Jul 2012 10:38:59 GMT nkarthikeyan 2012-07-24T10:38:59Z https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950669#M401694 <P>Dear All,</P><P></P><P>I have got a task of limiting 2-3 VLANs communication to allow only some services like File sharing / Printing / Email / AD connections.</P><P></P><P>I am not sure if a layer 3 switch with ACL is already good enough for limiting the listed services?</P><P></P><P>Or I need a real firewall between the networks?</P><P></P><P>The purpose of limited to the list services is for security reason like hacked / virus pc in a VLAN spreading to all other VLANs.</P><P></P><P>Please advise.</P><P></P><P>Regards,</P><P>Roy</P> Mon, 11 Mar 2019 23:33:59 GMT https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950669#M401694 Roy Lee 2019-03-11T23:33:59Z https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950670#M401695 <HTML><HEAD></HEAD><BODY><P>My recommendation is to have a firewall instead of using switch. Reason being switch is designed to switch/route packet as fast as possible and having access-list is just denying or allowing stateless connection. </P><P></P><P>With firewall, it is inspecting the traffic statefully, and have other features by default that prevent various attacks, ie: maintaining the TCP session and incomplete session will be dropped by the firewall, various application layer inspections, etc.</P></BODY></HTML> Tue, 24 Jul 2012 09:20:05 GMT https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950670#M401695 Jennifer Halim 2012-07-24T09:20:05Z https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950671#M401696 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I personally feel bringing a firewall in this scenario is the best choice to secure the network. Even though your switch can do the ACL but ACL in firewall will be a good solution. </P><P></P><P>Switch will do a better switching &amp; firewall will do a better security for your network. </P><P></P><P>Having ACL in switch will gives a more load to the switch and its stateless.</P><P></P><P>You can use ACL's is switch for Qos/Line vty restriction/local host restriction. But intresting traffic towards WAN/Internet should be done with the Firewall as a best practice.</P><P></P><P></P><P>Please do rate if the given information helps.</P><P></P><P>by</P><P></P><P>Karthik</P></BODY></HTML> Tue, 24 Jul 2012 10:38:59 GMT https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950671#M401696 nkarthikeyan 2012-07-24T10:38:59Z https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950672#M401699 <HTML><HEAD></HEAD><BODY><P>Hi Bro</P><P>If the rules you want to apply are just few lines &lt;10, go ahead and use the switch. Of course, it's good to have a dedicated FW for this, but if it's just for few lines, don't waste your company's money <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 27 Jul 2012 02:49:44 GMT https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950672#M401699 Ramraj Sivagnanam Sivajanam 2012-07-27T02:49:44Z https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950673#M401703 <HTML><HEAD></HEAD><BODY><P>Hello roy,</P><P>You have to understand that the asa blocks traffic by default and you have to allow what is required.</P><P>Switches and routers by default allow all and you configure what is to be blocked. So if you have a lot of traffic passing through that por the cpu might get hit.</P><P>Asa is the recommended device for that job.</P><P></P><P>Sent from Cisco Technical Support Android App</P><P>Pls rate useful posts.</P></BODY></HTML> Fri, 27 Jul 2012 16:48:03 GMT https://community.cisco.com/t5/network-security/acl-in-layer-3-switch-compare-to-asa-firewall/m-p/1950673#M401703 Durga Prasad M.S 2012-07-27T16:48:03Z