Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6136
Views
10
Helpful
4
Replies

ACL in layer 3 switch compare to ASA firewall

Roy Lee
Level 1
Level 1

‎07-24-2012 12:33 AM - edited ‎03-11-2019 04:33 PM

Dear All,

I have got a task of limiting 2-3 VLANs communication to allow only some services like File sharing / Printing / Email / AD connections.

I am not sure if a layer 3 switch with ACL is already good enough for limiting the listed services?

Or I need a real firewall between the networks?

The purpose of limited to the list services is for security reason like hacked / virus pc in a VLAN spreading to all other VLANs.

Please advise.

Regards,

Roy

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎07-24-2012 02:20 AM

My recommendation is to have a firewall instead of using switch. Reason being switch is designed to switch/route packet as fast as possible and having access-list is just denying or allowing stateless connection.

With firewall, it is inspecting the traffic statefully, and have other features by default that prevent various attacks, ie: maintaining the TCP session and incomplete session will be dropped by the firewall, various application layer inspections, etc.

0 Helpful

nkarthikeyan
Level 7
Level 7

‎07-24-2012 03:38 AM

Hi,

I personally feel bringing a firewall in this scenario is the best choice to secure the network. Even though your switch can do the ACL but ACL in firewall will be a good solution.

Switch will do a better switching & firewall will do a better security for your network.

Having ACL in switch will gives a more load to the switch and its stateless.

You can use ACL's is switch for Qos/Line vty restriction/local host restriction. But intresting traffic towards WAN/Internet should be done with the Firewall as a best practice.

Please do rate if the given information helps.

by

Karthik

Ramraj Sivagnanam Sivajanam
Level 4
Level 4

‎07-26-2012 07:49 PM

Hi Bro

If the rules you want to apply are just few lines <10, go ahead and use the switch. Of course, it's good to have a dedicated FW for this, but if it's just for few lines, don't waste your company's money :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Durga Prasad M.S
Level 1
Level 1

‎07-27-2012 09:48 AM

Hello roy,

You have to understand that the asa blocks traffic by default and you have to allow what is required.

Switches and routers by default allow all and you configure what is to be blocked. So if you have a lot of traffic passing through that por the cpu might get hit.

Asa is the recommended device for that job.

Sent from Cisco Technical Support Android App

Pls rate useful posts.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card