VLANs ACLs in a 3750 switch stack

johnramz
Level 1

Hi all,


We have this case :


A Cisco 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Inter-VLAN routing is on. Connected to this stack are VMware hosts with about 500 VMs.


We started using the ACLs to allow connectivity between VLANs to specific hosts, and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.


The simplified environment looks like this:



INTERNET ROUTER =====EXTERNAL FIREWALL ======CORE ROUTER=====3750-X SWITCH STACK



QUESTIONS:


- Does it make sense to add an "internal firewall" between the CORE ROUTER and the 3750-X SWITCH STACK?

- Do you recommend any other way?

- Any recommended CISCO resource/white paper to read about best practice?


Thanks


John

4 Replies

Jouni Forss
VIP Alumni

Hi,

I don't see a problem with adding another firewall in the network. Naturally, since you are already doing access control with ACLs on the L3 switch, it would be more natural to have a firewall handling the access control.

Personally, I have added an additional firewall in only one big customer environment, and it's been working well and has enabled much easier management and troubleshooting of the network that it now separates from other local network segments.

The above change also migrated L3 switch ACLs to an ASA failover pair and has made the setup a lot easier to manage.

Personally, I think you will have the following benefits if adding a firewall:

  • Easier access-rule policy management, as the firewall works statefully compared to the L3 switch's more or less stateless operation
  • Easier access-rule management with the help of "objects" and "object-groups" for grouping services and networks/hosts
  • A clearer picture of the network traffic between the different segments which helps with troubleshooting
    • logging
    • captures
  • A lot of other possibilities/advantages depending on what you are looking for.
    • VPN?
    • IPS?

Disadvantages could possibly include

  • Additional point of failure in the network
    • Failover pair naturally minimizes the risks
  • Even though it makes access rules simpler to manage, it also introduces more possibilities to "break" an environment with misconfigurations.
  • Performance issues with inter-VLAN traffic if the new firewall model isn't up to the task (ASA at a Glance documents are a good place to check which model would best suit the setup)

What kind of router are we talking about in your situation? Is it actually some core device which provides connectivity to hosts, or is it a connection point for access switches? Are you also separating a server segment and a LAN user segment from each other with the possible new firewall?

I will maybe need to look into the possible helping material later if someone doesn't link it earlier. Currently I can't think of any specific document related to this kind of change.

Hopefully the above has been of some help. It surely isn't all that you are looking for. Maybe someone will add their views.

- Jouni
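As an added illustration of the stateless-versus-stateful and object-group points in the reply above (example configuration written for this page, not posted in the thread; the VLAN numbers, addresses, interface names and object names are assumed): the same "user VLAN may reach the web servers on tcp/443" policy, first as SVI ACLs on the 3750-X, then on an ASA.

```text
! --- 3750-X stack: stateless ACLs on the SVIs (assumed addressing) ---
! Policy: user VLAN 20 (10.0.20.0/24) may reach web servers in VLAN 30 on tcp/443.
ip access-list extended VLAN20-IN
 remark users -> web servers
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.30.11 eq 443
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.30.12 eq 443
 deny   ip any any log
!
! The switch keeps no connection table, so the return path needs its own
! entries. 'established' only matches TCP segments with ACK or RST set;
! UDP or ICMP replies would need explicit permits of their own.
ip access-list extended VLAN30-IN
 remark web servers -> users (return traffic only)
 permit tcp host 10.0.30.11 eq 443 10.0.20.0 0.0.0.255 established
 permit tcp host 10.0.30.12 eq 443 10.0.20.0 0.0.0.255 established
 deny   ip any any log
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20-IN in
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30-IN in

! --- ASA (8.4 or later): same policy, stateful, with object-groups ---
! A third web server or a second port is one more line in a group, not a
! new ACE per source/destination pair, and there are no reverse entries.
object-group network USER-VLAN20
 network-object 10.0.20.0 255.255.255.0
object-group network WEB-SERVERS
 network-object host 10.0.30.11
 network-object host 10.0.30.12
object-group service WEB-PORTS tcp
 port-object eq 443
!
access-list USERS-IN extended permit tcp object-group USER-VLAN20 object-group WEB-SERVERS object-group WEB-PORTS
access-list USERS-IN extended deny ip any any log
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif users
 security-level 40
 ip address 10.0.20.1 255.255.255.0
interface GigabitEthernet0/1.30
 vlan 30
 nameif servers
 security-level 50
 ip address 10.0.30.1 255.255.255.0
!
access-group USERS-IN in interface users
! No ACL is needed on 'servers' for the replies: the connection table lets
! the 443 responses back to the users VLAN. With this layout the SVIs for
! VLAN 20 and 30 must be removed from the stack so the ASA is the gateway.
```

The `established` keyword in the IOS half is what the reply calls "more or less stateless": it checks TCP flag bits, not whether a matching outbound connection exists, so a host in VLAN 30 can send ACK-flagged segments into VLAN 20 whether or not anyone asked for them. The ASA half drops those because no connection entry matches them.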

Thanks Jouni for your insight

I am not sure I understand your questions but here are my best answers.

- Connected to the switch are VMware hosts with about 500 VMs. Since inter-VLAN routing is on, all routing takes place locally in the switch.

- There are access switches currently connected to this core switch stack. Traffic between servers and users is currently separated by VLANs and access is managed by those ACLs.

Another concern of mine is that if I add a firewall, connectivity would slow down. All the routing between VLANs is now taking place locally in the stack, and with this change all traffic would flow through the trunk between switch and firewall.

I wish there were a white paper explaining this type of configuration.

Thanks

John

Hi,

Yes, the firewall performance might be an issue.

There was a post about this recently. The user wanted to do the same change as you.

I think there aren't that many options to go for if you truly want to use a firewall to create the ACLs for VLAN traffic in your LAN.

Here are also some things for you to consider:

  • Bundle all the ASA interfaces into a Port-channel to the stack
    • Starting from software level 8.4(1) you can configure a group of interfaces as a Port-channel. Usually ASAs have 4 interfaces you could use for this GEC or FEC. I think the newer ASA 5500-X series have a bit different port setup.
    • There is also an expansion module for the ASA5510-55xx models that brings 4 more Gigabit interfaces to the ASA. Though this doesn't necessarily help if the total throughput of the ASA isn't enough.
    • In general it seems that the new ASA5500-X series offer a lot more performance for this type of setup.
  • Select only the most important/critical VLANs and move their gateway to the ASA firewall. Leave the rest of the VLANs to the stack, configure a link network between the stack and the ASA, and use that for routing traffic between the VLANs/subnets.
    • Might not be an ideal situation, but something to think about if you don't want the ASA to handle all the traffic between these VLANs.
    • Not all VLANs probably even have traffic between them?

If I have time and energy I could try to find some document for you, but I can't really guarantee anything as I haven't had to rely on any documents in these cases other than refreshing information on some configuration commands and device behaviour.

Just in case, here are links to some datasheets of the ASA5500 series and ASA5500-X series

ASA 5500 series (including the operator level devices 5585-X)

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

ASA 5500 series (Newer ASA series)

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf

- Jouni
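Putting the two suggestions in the reply above together (an added example configuration, not from the thread; the software version, VLAN IDs, addresses and port names are assumed): the ASA gets an LACP port-channel to the stack, takes over the gateway for the "important" VLANs 10 and 20, and reaches the VLANs left on the stack over a small link network in VLAN 999.

```text
! --- ASA 8.4(1) or later: two ports bundled with LACP (assumed port names) ---
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 no nameif
 no shutdown
!
! VLANs whose gateway moves to the ASA (full stateful inspection)
interface Port-channel1.10
 vlan 10
 nameif servers
 security-level 50
 ip address 10.0.10.1 255.255.255.0
interface Port-channel1.20
 vlan 20
 nameif users
 security-level 40
 ip address 10.0.20.1 255.255.255.0
!
! Link network to the stack for everything that stays there
interface Port-channel1.999
 vlan 999
 nameif stack-link
 security-level 30
 ip address 10.255.0.1 255.255.255.252
!
! Subnets still routed by the stack (VLANs 30 and 40 in this example)
route stack-link 10.0.30.0 255.255.255.0 10.255.0.2
route stack-link 10.0.40.0 255.255.255.0 10.255.0.2
! The outside interface and default route towards the core router are omitted.
! Traffic from stack-link (level 30) into users (level 40) still needs an
! access-list permit; lower-to-higher security is denied by default.

! --- 3750-X stack: matching port-channel across two stack members ---
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,999
 channel-group 1 mode active
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,999
!
! VLANs 10 and 20 remain as layer-2 VLANs on the stack (hosts stay where
! they are); only their routed interfaces go, so the stack stops being
! their gateway.
no interface Vlan10
no interface Vlan20
!
interface Vlan999
 ip address 10.255.0.2 255.255.255.252
!
! Moved subnets are now reached through the ASA
ip route 10.0.10.0 255.255.255.0 10.255.0.1
ip route 10.0.20.0 255.255.255.0 10.255.0.1
! The VLAN 30/40 SVIs and their existing ACLs stay as they are on the stack.
```

Spreading the bundle across two stack members keeps the ASA reachable if one member fails, and `mode active` on both ends gives LACP negotiation rather than a static bundle. The port-channel only widens the link; it does nothing for the ASA's own throughput ceiling, which is why the datasheets linked above still matter.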

Jouni,

Thanks for your detailed response.

Assuming that performance is an issue and I leave them on the switch, isn't it a risk to leave your packets flowing without stateful inspection?

Easier management of access list and security are the main drivers of this possible change.

I would think this is a pretty common scenario for mid-size companies, especially nowadays when users are so mobile. All of our users have laptops and they have antivirus/antimalware running on them, but I do not quite trust them when they access our servers.

John
