01-16-2013 04:48 AM - edited 03-11-2019 05:47 PM
Hi all,
We have this case :
A Cisco 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Inter-VLAN routing is on. Connected to this stack are VMware hosts with about 500 VMs.
We started using the ACLs to allow connectivity between VLANs to specific hosts, and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.
The simplified environment looks like this:
INTERNET ROUTER =====EXTERNAL FIREWALL ======CORE ROUTER=====3750-X SWITCH STACK
QUESTIONS:
- Does it make sense to add an "internal firewall" between the CORE ROUTER and the 3750-X SWITCH STACK?
- Do you recommend any other way?
- Any recommended CISCO resource/white paper to read about best practice?
Thanks
John
01-16-2013 05:22 AM
Hi,
I don't see a problem with adding another firewall in the network. Naturally, since you are already doing access control with ACLs on the L3 switch, it would be more natural to have a firewall handling the access control.
Personally, I have added an additional firewall in only one big customer environment, and it's been working well and has enabled much easier management and troubleshooting of the network that it now separates from other local network segments.
The above change also migrated the L3 switch ACLs to an ASA failover pair and has made the setup a lot easier to manage.
Personally, I think you will have the following benefits if adding a firewall:
Disadvantages could possibly include:
What kind of router are we talking about in your situation? Is it actually some core device which provides connectivity to hosts, or is it a connection point for access switches? Are you also separating a server segment and a LAN user segment from each other with the possible new firewall?
I will maybe need to look into the possible helping material later if someone doesn't link it earlier. Currently I can't think of any specific document related to this kind of change.
Hopefully the above has been of some help. It surely isn't all that you are looking for. Maybe someone will add their views.
- Jouni
01-16-2013 06:03 AM
Thanks Jouni for your insight
I am not sure I understand your questions but here are my best answers.
- Connected to the switch are VMware hosts with about 500 VMs. Since inter-VLAN routing is on, all routing takes place locally in the switch.
- There are access switches currently connected to this core switch stack. Traffic between servers and users is currently separated by VLANs, and access is managed by those ACLs.
Another concern of mine is that if I add a firewall, connectivity would slow down. All the routing between VLANs is now taking place locally in the stack, and with this change all traffic would flow through the trunk between the switch and the firewall.
I wish there were a white paper explaining this type of configuration.
Thanks
John
01-16-2013 08:05 AM
Hi,
Yes, the firewall performance might be an issue.
There was a post about this recently. The user wanted to do the same change as you.
I think there aren't that many options to go for if you truly want to use a firewall to create the ACLs for VLAN traffic in your LAN.
Here are also some things for you to consider:
If I have time and energy I could try to find some document for you, but I can't really guarantee anything, as I haven't had to rely on any documents in these cases other than refreshing information on some configuration commands and device behaviour.
Just in case, here are links to some datasheets of the ASA 5500 series and ASA 5500-X series:
ASA 5500 series (including the operator level devices 5585-X)
ASA 5500 series (Newer ASA series)
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
- Jouni
01-16-2013 09:52 AM
Jouni,
Thanks for your detailed response.
Assuming that performance is an issue and I leave them on the switch, isn't it a risk to leave your packets flowing without stateful inspection?
Easier management of access lists and security are the main drivers of this possible change.
I would think this is a pretty common scenario for mid-size companies, especially nowadays when users are so mobile. All of our users have laptops and they have antivirus/antimalware running on them, but I do not quite trust them when they access our servers.
John
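As an added example (not code from the thread, from Cisco, or from either poster): Jouni mentions migrating L3 switch ACLs to an ASA failover pair, and John asks what is lost without stateful inspection. The Python script below translates IOS extended ACL entries of the kind applied to 3750-X SVIs into ASA access-list syntax. Two things change in that migration: IOS ACLs use wildcard masks (0.0.0.255) while the ASA uses subnet masks (255.255.255.0), and IOS ACLs need explicit "established" entries to let TCP replies back through a stateless filter, which the ASA's connection table handles on its own, so those entries are dropped and reported rather than carried over. The sample ACL, the name INSIDE_IN and all addresses are constructed for this example.

```python
"""Translate IOS extended ACL entries (SVI style) into ASA access-list syntax.
Constructed example; the ACL, name and addresses are not from any real network."""
import ipaddress

# Constructed sample: one SVI ACL as it appears under "ip access-list extended".
IOS_ACL = """\
 remark Allow web tier to reach the DB server
 10 permit tcp 10.10.20.0 0.0.0.255 host 10.10.30.15 eq 1433
 20 permit udp 10.10.20.0 0.0.0.255 host 10.10.30.53 eq 53
 30 permit tcp any 10.10.20.0 0.0.0.255 established
 40 permit icmp 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 echo
 50 deny ip any any log
"""

PORT_OPERATORS = {"eq", "gt", "lt", "neq"}   # same keywords on IOS and ASA


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True if the set bits form one low-order run, i.e. the wildcard inverts
    to a valid subnet mask (0.0.0.255 does, 0.0.255.0 does not)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w & (w + 1)) == 0


def wildcard_to_netmask(wildcard: str) -> str:
    """0.0.0.255 -> 255.255.255.0. Non-contiguous wildcards have no ASA
    equivalent and must be split into several entries by hand."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no ASA equivalent")
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(~w & 0xFFFFFFFF))


def parse_address(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (ASA form, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {wildcard_to_netmask(tokens[i + 1])}", i + 2


def parse_port(tokens, i):
    """Consume an optional port operator; return ('' if absent, next index)."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "", i


def convert_ace(line: str, acl_name: str):
    """Convert one IOS ACE. Returns (asa_line, None), or (None, reason) when the
    entry should not be carried over to a stateful firewall."""
    tokens = line.split()
    if tokens[0].isdigit():              # strip the IOS sequence number
        tokens = tokens[1:]
    if tokens[0] == "remark":
        return f"access-list {acl_name} remark {' '.join(tokens[1:])}", None
    action, proto = tokens[0], tokens[1]
    src, i = parse_address(tokens, 2)
    src_port, i = parse_port(tokens, i)
    dst, i = parse_address(tokens, i)
    dst_port, i = parse_port(tokens, i)
    rest = tokens[i:]
    if "established" in rest:
        # IOS needs this entry so TCP replies (ACK/RST set) pass a stateless
        # filter; the ASA tracks the connection and admits replies itself.
        return None, f"return-traffic entry handled by stateful inspection: {line.strip()}"
    parts = ["access-list", acl_name, "extended", action, proto, src]
    if src_port:
        parts.append(src_port)
    parts.append(dst)
    if dst_port:
        parts.append(dst_port)
    if proto == "icmp":                  # ICMP type keyword (echo, echo-reply, ...)
        parts.extend(t for t in rest if t != "log")
    if "log" in rest:
        parts.append("log")
    return " ".join(parts), None


def convert_acl(ios_acl: str, acl_name: str):
    """Convert a whole ACL; returns (asa_lines, skipped_reasons)."""
    asa_lines, skipped = [], []
    for line in ios_acl.splitlines():
        if not line.strip():
            continue
        asa_line, reason = convert_ace(line, acl_name)
        (asa_lines if asa_line else skipped).append(asa_line or reason)
    return asa_lines, skipped


if __name__ == "__main__":
    lines, skipped = convert_acl(IOS_ACL, "INSIDE_IN")
    print("\n".join(lines))
    print("\n".join("! skipped: " + s for s in skipped))
```

The output is the access-list body only; on the ASA it still has to be bound to an interface with access-group (interface names and security levels are outside this example), and the ASA's own implicit deny at the end of each list applies. Once the entries are on the ASA, object-groups can collapse many repetitive host and port entries, which is where the "thousands of lines" problem usually shrinks.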