ACL in layer 3 switch compare to ASA firewall

Roy Lee

Dear All,

I have got a task of limiting communication between 2-3 VLANs to allow only some services like file sharing / printing / email / AD connections.

I am not sure whether a layer 3 switch with an ACL is already good enough for limiting traffic to the listed services.

Or do I need a real firewall between the networks?

The purpose of limiting traffic to the listed services is security, e.g. a hacked / virus-infected PC in one VLAN spreading to all other VLANs.

Please advise.



4 Replies

Jennifer Halim
Cisco Employee

My recommendation is to have a firewall instead of using a switch. The reason is that a switch is designed to switch/route packets as fast as possible, and an access-list just denies or allows connections statelessly.

With a firewall, the traffic is inspected statefully, and it has other features by default that prevent various attacks, i.e. maintaining the TCP session so that incomplete sessions are dropped by the firewall, various application layer inspections, etc.
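The stateless-versus-stateful difference described in this reply, shown as an added illustration (not code from the thread or from any Cisco product, and a deliberately simplified model of how a switch ACL and a firewall connection table decide): the addressing, port list and sample packets are constructed for the example.

```python
import ipaddress

# Constructed addressing for this example: clients live in VLAN 10
# (10.10.0.0/24) and the servers in VLAN 20 (10.20.0.0/24).
CLIENT_VLAN = ipaddress.ip_network("10.10.0.0/24")
SERVER_VLAN = ipaddress.ip_network("10.20.0.0/24")
# Services the asker wants to permit: SMB file sharing, IPP printing,
# SMTP email, LDAP for AD (constructed, partial port list).
ALLOWED_PORTS = {445, 631, 25, 389}

class Packet:
    def __init__(self, src, dst, sport, dport, syn=False, ack=False):
        self.src, self.dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        self.sport, self.dport, self.syn, self.ack = sport, dport, syn, ack

def stateless_acl(pkt):
    """Switch/router ACL: every packet is judged on its own header alone.
    Return traffic is admitted by matching the ACK bit ('established'),
    so the ACL cannot tell a real reply from any packet with ACK set."""
    if pkt.src in CLIENT_VLAN and pkt.dst in SERVER_VLAN:
        return pkt.dport in ALLOWED_PORTS
    if pkt.src in SERVER_VLAN and pkt.dst in CLIENT_VLAN:
        return pkt.ack
    return False

class StatefulFirewall:
    """Minimal connection table: a flow is created only by a permitted
    SYN from the client side; anything else must match a known flow."""
    def __init__(self):
        self.sessions = set()

    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.sessions or reverse in self.sessions:
            return True
        if (pkt.syn and not pkt.ack and pkt.src in CLIENT_VLAN
                and pkt.dst in SERVER_VLAN and pkt.dport in ALLOWED_PORTS):
            self.sessions.add(forward)  # handshake started: track the flow
            return True
        return False  # unsolicited or incomplete: dropped

def run_scenario():
    """Returns (acl_verdict, firewall_verdict) for three sample packets."""
    fw = StatefulFirewall()
    syn = Packet("10.10.0.5", "10.20.0.9", 50000, 445, syn=True)  # client opens SMB
    reply = Packet("10.20.0.9", "10.10.0.5", 445, 50000, syn=True, ack=True)  # SYN/ACK
    stray = Packet("10.20.0.9", "10.10.0.5", 4444, 3389, ack=True)  # unsolicited, ACK set
    return [(stateless_acl(p), fw.filter(p)) for p in (syn, reply, stray)]
```

The third packet is the case the reply is about: the ACL passes it because it looks like "established" traffic, while the firewall drops it because no tracked session matches.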

Rising star


I personally feel bringing a firewall into this scenario is the best choice to secure the network. Even though your switch can do the ACL, an ACL in the firewall will be a good solution.

A switch will do better switching & a firewall will do better security for your network.

Having ACLs in the switch will put more load on the switch, and it's stateless.

You can use ACLs in the switch for QoS / line vty restriction / local host restriction. But interesting traffic towards the WAN/Internet should be handled by the firewall as a best practice.

Please do rate if the given information helps.



Hi Bro

If the rules you want to apply are just a few lines (<10), go ahead and use the switch. Of course, it's good to have a dedicated FW for this, but if it's just a few lines, don't waste your company's money :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Durga Prasad M.S

Hello Roy,

You have to understand that the ASA blocks traffic by default and you have to allow what is required.

Switches and routers by default allow all and you configure what is to be blocked. So if you have a lot of traffic passing through that port, the CPU might get hit.

The ASA is the recommended device for that job.

Sent from Cisco Technical Support Android App

Please rate useful posts.
