Campus LAN Security

whistleblower14
Level 1

Hi,

I've a design-related question about how a state-of-the-art security solution in a campus network should look!

Assuming that we use a hierarchical network, where should the Layer 3 default gateway for the clients be placed? Should I use a Layer 3 switch, a router or a firewall? One consideration is that traffic between VLANs/IP subnets should be restricted; should this take place on the switchport at the edge via a dACL or PACL, on the Layer 3 switch/router with a RACL, or would it be better to use stateful firewalling on the firewall? In that case the firewall would of course need the corresponding throughput performance? I'd also like to understand whether it would make sense to use e.g. an IPS between the VLANs/IP subnets.

thank you all in advance for any kind of help!

2 Replies

@whistleblower14 

More than likely you'll want to profile, authenticate and potentially posture check the endpoints using ISE. If you wish to segment the traffic, use TrustSec role-based ACLs rather than DACL or RACL. TrustSec enforcement will allow you to restrict lateral movement within the network. You could also use AMP for Endpoints installed on the computers. Integrate ISE, AMP for Endpoints and the firewall (assuming FTD) together and you get full visibility of the connected users/endpoints. On any suspicious activity the endpoint could be automatically or manually quarantined, further restricting its access to the network.

https://community.cisco.com/t5/security-documents/segmentation-strategy/ta-p/3757424

@Rob Ingram

thanks for pointing me to that great documentation!

Do you perhaps also have a suggestion for a network design that does not use components supporting TrustSec, i.e. regarding the use of Layer 3 switches or firewalls to segment inter-VLAN traffic?
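The trade-off the thread keeps circling, a stateless RACL on the Layer 3 switch versus stateful inspection on the firewall, can be made concrete with a small simulation. The Python below is an added example, not code from this thread or from Cisco: the two VLAN subnets, the "clients may open HTTPS to servers" policy and the sample packets are constructed for illustration, and the `established` option models the IOS ACL keyword of that name (match TCP segments with ACK or RST set) in simplified form.

```python
"""Toy model of inter-VLAN enforcement: stateless router ACL vs stateful firewall.

Added example (not from the thread). Subnets, policy and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False   # set on every TCP segment after the initial SYN


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    src_net: str
    dst_net: str
    proto: str = "any"
    dport: Optional[int] = None
    established: bool = False       # simplified IOS 'established': TCP with ACK set

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack):
            return False
        return True


class StatelessAcl:
    """A RACL/PACL: first matching entry wins, implicit deny at the end."""

    def __init__(self, entries: List[AclEntry]):
        self.entries = entries

    def check(self, pkt: Packet) -> bool:
        for entry in self.entries:
            if entry.matches(pkt):
                return entry.action == "permit"
        return False


class StatefulFirewall:
    """Policy is consulted only for new flows; return traffic of a known flow is allowed."""

    def __init__(self, policy: StatelessAcl):
        self.policy = policy
        self.sessions: Set[Tuple[str, str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions or reverse in self.sessions:
            return True                      # part of a session the firewall saw open
        if self.policy.check(pkt):
            self.sessions.add(key)           # new flow permitted by policy: remember it
            return True
        return False


def run_scenario() -> dict:
    """Run three sample packets through three enforcement points (constructed data)."""
    clients, servers = "10.1.10.0/24", "10.1.20.0/24"   # constructed VLAN 10 / VLAN 20
    policy = [AclEntry("permit", clients, servers, "tcp", dport=443)]

    racl_plain = StatelessAcl(policy)
    racl_established = StatelessAcl(policy + [
        AclEntry("permit", servers, clients, "tcp", established=True),
    ])
    firewall = StatefulFirewall(StatelessAcl(policy))

    syn = Packet("10.1.10.5", "10.1.20.8", "tcp", 51000, 443, syn=True)
    syn_ack = Packet("10.1.20.8", "10.1.10.5", "tcp", 443, 51000, syn=True, ack=True)
    unsolicited = Packet("10.1.20.8", "10.1.10.5", "tcp", 40000, 22, syn=True)

    devices = [("racl", racl_plain), ("racl_established", racl_established),
               ("stateful_fw", firewall)]
    # Each value is (client SYN allowed, server SYN/ACK allowed, unsolicited SYN allowed)
    return {name: tuple(dev.check(p) for p in (syn, syn_ack, unsolicited))
            for name, dev in devices}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:18s} syn={verdicts[0]} syn_ack={verdicts[1]} unsolicited={verdicts[2]}")
```

The plain RACL drops the server's SYN/ACK, so the HTTPS session never completes; the version with an `established` entry lets it through, but only because it inspects TCP flags, so it gives no help for UDP and cannot tell a genuine reply from any other ACK-flagged segment. The stateful firewall permits the reply because it recorded the flow when the client opened it, and still drops the unsolicited connection attempt. That session tracking is exactly what makes the firewall's throughput matter once all inter-VLAN traffic is routed through it.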
