Does Cisco have a tool to manage access list?

qi guo
Level 1

We are a small-scale manufacturing plant. Our network has a layered structure. A firewall is used between some layers, but for some other layers we could just use access-lists to limit traffic.

Our problem is that it is very confusing if we just configure a huge number of access-lists on a Cisco layer 3 switch. It is also difficult to manage the access-lists.

Does Cisco have a good tool like ASDM to manage access-lists? Or what kind of firewall can be used to replace a layer 3 switch with a large number of access-lists?

Thanks
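An added example, not from this thread or from Cisco: a small Python audit helper for the "huge number of access-lists" problem above. It parses a constructed IOS extended ACL (the `ip|tcp|udp` permit/deny subset with `any`, `host` or address/wildcard entries and an optional `eq` port; names and addresses are made up) and flags entries that an earlier entry already covers, which is the usual source of confusion in a long ACL: a covered entry with the same action is redundant, one with the opposite action is never reached.

```python
import ipaddress
from collections import namedtuple

ANY = ipaddress.ip_network("0.0.0.0/0")
Ace = namedtuple("Ace", "seq action proto src dst port")  # port: 'eq' value or None

def _addr(t, i):
    """Consume one address spec at t[i]: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    # invert the wildcard into a netmask (contiguous wildcards only)
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2
def parse_acl(text):
    """Parse the permit/deny lines of an IOS extended ACL; the header and remarks are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _addr(t, 2)
        dst, i = _addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(len(aces) + 1, t[0], t[1], src, dst, port))
    return aces
def covers(a, b):
    """True if every packet that matches ACE b also matches the earlier ACE a."""
    return ((a.proto == "ip" or a.proto == b.proto) and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst) and (a.port is None or a.port == b.port))

def shadowed(aces):
    """List (dead ACE, hiding ACE, 'redundant'|'conflict') by sequence number."""
    out = []
    for j, b in enumerate(aces):
        for a in aces[:j]:
            if covers(a, b):
                out.append((b.seq, a.seq, "redundant" if a.action == b.action else "conflict"))
                break  # the first covering ACE is the one the switch actually hits
    return out
# Constructed sample ACL in IOS syntax, not from the thread; run shadowed(parse_acl(SAMPLE_ACL))
SAMPLE_ACL = """
ip access-list extended SERVERS-IN
 permit tcp host 10.1.20.15 host 10.1.10.5 eq 443
 deny   ip 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255
 permit tcp host 10.1.20.16 host 10.1.10.5 eq 443
 permit tcp host 10.1.20.15 host 10.1.10.5 eq 443
 permit ip any any
"""
```

On the sample, entry 3 is reported as a conflict hidden by the deny on entry 2 and entry 4 as redundant with entry 1; the same check can be run over a `show running-config` excerpt of a real ACL.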

5 Replies

Hi, if you want to manage switch ACLs centrally you could use an SGACL, which could be managed via ISE to implement and manage the ACL. However, this depends on whether your switches support SGACL enforcement and requires a redesign of the ACLs and an understanding of TrustSec.

If you want a L4 firewall then you could use ASA's and manage them via ASDM.

HTH

Thanks for the reply.

Which model of ASA can be similar to an L3 switch in access-list functionality?

I mean an L3 switch has many interfaces to connect servers/desktops, while we can build access-lists based on VLANs or interfaces.

A firewall is never going to have as many interfaces as a switch, it might not be the ideal solution.

Are you filtering just between desktops and servers? Or between desktops in the same VLANs?

Usually, we filter flows between a remote IP and a local one. Sometimes they might be in the same VLAN.

Thanks

Ok, if you were just filtering between the desktop VLAN and the server VLAN you could implement a firewall between the 2 distinct networks, therefore requiring 2 interfaces on a firewall. As you may want to filter between devices in the same VLAN, the SGACL with ISE solution previously suggested would give you what you need.

Or you could use an NPM solution to push down an ACL to the switches.