I have got a task of limiting communication between 2-3 VLANs to allow only some services like file sharing / printing / email / AD connections.
I am not sure whether a layer 3 switch with an ACL is already good enough for limiting to the listed services?
Or do I need a real firewall between the networks?
The purpose of limiting to the listed services is for security reasons, like a hacked / virus-infected PC in one VLAN spreading to all the other VLANs.
My recommendation is to have a firewall instead of using a switch. The reason being that a switch is designed to switch/route packets as fast as possible, and having an access list just denies or allows stateless connections.
With a firewall, it is inspecting the traffic statefully, and has other features by default that prevent various attacks, i.e.: maintaining the TCP session, with incomplete sessions being dropped by the firewall, various application layer inspections, etc.
I personally feel bringing a firewall into this scenario is the best choice to secure the network. Even though your switch can do the ACL, an ACL in the firewall will be a good solution.
A switch will do better switching & a firewall will do better security for your network.
Having ACLs in the switch will give more load to the switch, and it's stateless.
You can use ACLs in a switch for QoS / line vty restriction / local host restriction. But interesting traffic towards the WAN/Internet should be done with the firewall as a best practice.
Please do rate if the given information helps.
If the rules you want to apply are just a few lines (<10), go ahead and use the switch. Of course, it's good to have a dedicated FW for this, but if it's just for a few lines, don't waste your company's money :-)
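A constructed illustration of the switch-ACL option, added here and not taken from any of the posts: an IOS extended ACL on the client VLAN's SVI that permits only the file sharing, printing, email and AD services the question lists and drops everything else aimed at internal VLANs. The VLAN numbers, addresses and server roles are assumptions.

```cisco
! Constructed example (not from the thread). Assumed addressing:
!   VLAN 10 = servers  10.10.10.0/24 (file/print 10.10.10.5, DC 10.10.10.10, mail 10.10.10.20)
!   VLAN 20 = clients  10.10.20.0/24
! Applied inbound on the VLAN 20 SVI, so it filters what the clients send.
ip access-list extended VLAN20-TO-SERVERS
 remark --- File sharing (SMB) ---
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 445
 remark --- Printing (raw JetDirect, IPP, LPD) ---
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 9100
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 631
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq 515
 remark --- Email (SMTP submission, IMAPS) ---
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.20 eq 587
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.20 eq 993
 remark --- Active Directory (DNS, Kerberos, LDAP/LDAPS, GC, RPC, SMB for SYSVOL, NTP) ---
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 53
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 53
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 88
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 88
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 389
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 389
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 636
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 3268
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 135
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.10 range 49152 65535
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 445
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.10 eq 123
 remark --- Anything else aimed at internal VLANs is dropped (hits show in "show ip access-lists") ---
 deny   ip 10.10.20.0 0.0.0.255 10.10.0.0 0.0.255.255
 remark --- Leave the path towards the default route / Internet untouched ---
 permit ip any any
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 ip access-group VLAN20-TO-SERVERS in
!
! Return traffic: this ACL only sees client->server packets. If an ACL is also
! placed inbound on the server SVI, replies need an entry such as
!   permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 established
! which matches any TCP packet with ACK or RST set rather than a known session;
! that is the stateless gap the answers in this thread describe.
! Avoid the "log" keyword on the deny line on hardware-switched platforms:
! logged packets are punted to the CPU, which is the load concern raised above.
```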
You have to understand that the ASA blocks traffic by default and you have to allow what is required.
Switches and routers by default allow all and you configure what is to be blocked. So if you have a lot of traffic passing through that port, the CPU might get hit.
The ASA is the recommended device for that job.
Sent from Cisco Technical Support Android App
Please rate useful posts.