Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
365
Views
1
Helpful
3
Replies

Firewall to replace VLANs on a switch?

darinheilman
Level 1
Level 1

‎04-15-2025 05:04 AM

High Level Overview of my network: Cisco 9400 at campus core, 9300s at four smaller branch schools. OSPF routing to our ISP who routes internal traffic directly to the correct building and external traffic to internet. All of these links are working fine.

Each location switch has 5-10 VLANs defined with inter-vlan routing enabled and ACL's controlling how traffic flows between them. This is also working fine but I am tired of command-line ACLs that are a PITA to construct, maintain, adjust and log.

Here is my wish: Can I get a Cisco Firewall at each location to make the VLANS actually live on the firewall instead of the switches themselves, then manage the ACLs on the firewall. This way they will be easier to manage and will be stateful.

If so, what would be the smallest (cheapest) model that can do this...as a test in my smallest school with the least amount of traffic...so that i can learn how to configure and maintain before trying to get a project budgeted for this functionality at all locations.

Thanks in advance for any recommendations.

Labels:
0 Helpful
3 Replies 3

nspasov
Cisco Employee
Cisco Employee

‎04-15-2025 06:09 AM

There are several factors that can impact the appliance model that you select:

  • Throughput requirements
  • Threat features that will be used (IPS, Malware, URL Filtering)
  • Size of the Access Control Policy (ACP). More specifically, the Number of Access Control Entries (ACEs)

If the above are minimal, then even the 1010 will be sufficient as that model supports up-to 60 VLANs/Subinterfaces. However, that appliance has been out for a while so it is probably better to go with the newer, 1200 series. 

Thank you for rating helpful posts!

Thank you for rating helpful posts!

darinheilman
Level 1
Level 1
In response to nspasov

‎04-15-2025 06:14 AM

as a test device in my smallest school....yeah, just minimal.  The only thing i want to initially use is ACL constructions and monitoring.

 

0 Helpful

MHM Cisco World
VIP
VIP

‎04-18-2025 02:58 AM

Friend Firepower not give you as much as SW, firepower have little number of port, 

But if you have few device then sure you can connect all device to firepower and use BDI between port. 

This make traffic between device allow and can also use FW to access internet. 

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card