ACL and Firewall Rules

Senbonzakura
Level 1

In terms of security, what is the best way to help harden a network regarding Firewall Policies and ACLs on switches?

For example, let's say I create a rule on the firewall to block 192.168.1.0/24 from talking to 192.168.2.0/24. Should I also create an ACL with that same rule, or would it be redundant at that point? I know that, unlike a firewall, an ACL won't inspect the packet like a firewall does and will just drop it.

I was thinking Layer 2 and Layer 3.

Any insight into the best way to go about it.

Thanks again!

Accepted Solution

M02@rt37
VIP

Hello @Senbonzakura,

When it comes to hardening a network and ensuring security through Firewall Policies and ACLs on switches, it's a good practice to consider both L3 and L2 security. These two mechanisms serve different purposes, so using them in conjunction can provide a comprehensive defense. 

Firewalls are designed to inspect and control traffic based on IP addresses, ports, and protocols. When you create a firewall rule to block communication between two IP subnets, like 192.168.1.0/24 and 192.168.2.0/24, it provides a strong layer of security at the network level.

ACLs can be applied at both L2 and L3. At Layer 3, they are similar to firewall rules, controlling traffic based on IP addresses. At Layer 2, ACLs can be used to filter traffic based on MAC addresses, which is often more granular and specific than IP-based rules.

Using both firewall rules and ACLs to enforce the same policy can be seen as a defense-in-depth strategy. While it might seem redundant in some cases, it adds an extra layer of security, making it more difficult for an attacker to bypass controls. However, it can also make network management more complex.

ACLs at L2 can be more specific than L3 firewall rules. For instance, you can block specific devices by MAC address, which is effective in preventing unauthorized access within the same subnet. When used together, firewall rules and ACLs can complement each other. Firewalls provide higher-level control, while ACLs at Layer 2 offer finer-grained control.

Note that ACLs at Layer 2 can consume more resources on your switches and may impact performance if not properly configured.

The best approach depends on your specific security requirements, network architecture, and the trade-off between security and complexity.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
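To make the difference between the two enforcement points concrete, here is an added Python model (not code from this thread, nor from Cisco or Meraki) of the one rule in the question: a stateless switch ACL with first-match and implicit-deny semantics next to a toy stateful firewall that keeps a session table. The session table is keyed on address pairs only, which is an assumption made to keep the model short; real firewalls track the full 5-tuple.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str  # source IPv4 address
    dst: str  # destination IPv4 address


# The policy from the question: deny 192.168.1.0/24 -> 192.168.2.0/24,
# permit everything else. Order matters: first match wins.
RULES = [
    ("deny", ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")),
    ("permit", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0")),
]


def acl_decision(pkt, rules=RULES):
    """Stateless switch ACL: first matching rule wins, implicit deny if nothing matches.
    Every packet is judged on its own; there is no notion of a session."""
    for action, src_net, dst_net in rules:
        if ip_address(pkt.src) in src_net and ip_address(pkt.dst) in dst_net:
            return action
    return "deny"


class StatefulFirewall:
    """Toy stateful firewall: same rule list, but a packet that is the reply to an
    already permitted session is allowed even if a rule would deny that direction."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = set()  # (src, dst) pairs of permitted sessions (simplified key)

    def decision(self, pkt):
        if (pkt.dst, pkt.src) in self.sessions:  # return traffic of a known session
            return "permit"
        action = acl_decision(pkt, self.rules)
        if action == "permit":
            self.sessions.add((pkt.src, pkt.dst))
        return action


def run_scenarios():
    """Constructed traffic: returns {scenario: (switch ACL verdict, firewall verdict)}."""
    fw = StatefulFirewall()
    new_1_to_2 = Packet("192.168.1.10", "192.168.2.20")    # the blocked direction
    new_2_to_1 = Packet("192.168.2.20", "192.168.1.10")    # not covered by the rule
    reply_1_to_2 = Packet("192.168.1.10", "192.168.2.20")  # reply to the session above
    return {
        "new_1_to_2": (acl_decision(new_1_to_2), fw.decision(new_1_to_2)),
        "new_2_to_1": (acl_decision(new_2_to_1), fw.decision(new_2_to_1)),
        "reply_1_to_2": (acl_decision(reply_1_to_2), fw.decision(reply_1_to_2)),
    }
```

The last scenario is the practical caveat: the stateless ACL drops the reply packets of a session the firewall has already permitted, so adding the same one-directional rule on the switch only behaves like the firewall rule when the two segments are meant to be isolated in both directions.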

4 Replies

That makes a lot of sense!

There are some segments that I don't want talking to each other no matter what, and I was considering not only putting in firewall rules but also, on these Meraki switches, adding the same rule for all types of traffic as an ACL to do the same thing.

I greatly appreciate this! Just wanted to make sure I was on the right track.

@Senbonzakura 

You're right. When you have network segments that should not communicate with each other under any circumstances, using both firewall rules and ACLs on your Meraki switches is a wise strategy. This dual-layer approach enhances your network's security and ensures that the desired isolation is maintained.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

The term "hardening" is used for securing the router or switch itself, not for filtering traffic passing through it.

If you want to use an ACL instead of a firewall, that is hard; using a firewall in the network is easy and accurate.

Thanks A Lot
MHM