Firewall Segmentation

dianawinsky · ‎06-15-2025

Is a Cisco firewall capable of microsegmentation? Can it handle east-west traffic and monitor traffic within the same VLAN?

Rob Ingram · ‎06-15-2025

@dianawinsky for east-west segmentation you would use Cisco TrustSec https://community.cisco.com/t5/security-knowledge-base/segmentation-strategy/ta-p/3757424 the Firewall (FTD or ASA) can restrict access for traffic routed between VLANs, not within the same VLAN.

dianawinsky · ‎06-15-2025

How about for monitoring the traffic within the same Vlans? Not just only between vlans

Rob Ingram · ‎06-15-2025

@dianawinsky you can use netflow with Secure Network Analytics (Stealthwatch) to provide information on traffic flow within the VLAN. https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-3019.pdf

dianawinsky · ‎06-15-2025

Does this imply that a standalone firewall alone cannot provide complete functionality, and integration with additional solutions is necessary for my requirements?

Rob Ingram · ‎06-15-2025

@dianawinsky yes, you need additional solutions to provide east-west segementation within the same VLAN.

The firewall will only see traffic routed through it (between networks/VLANs) in order to provide the segmentation.

MHM Cisco World · ‎06-15-2025

What you meaning east west traffic?

If you talking about l2 traffic in DC then sure NGFW can do transparent for l2 traffic.

You can add IPS inline (i will be more sure about this point)

MHM

dianawinsky · ‎06-15-2025

Yes, in our network, we want to have an internal firewall to handle east-west traffic and is capable of monitoring/inspecting traffic within the same VLANs, aside from inter-VLANs. It isn't for DC, but in our case, we have perimeter fw, core, distribution, and access, and we will add internal fw.