09-13-2023 07:51 PM
Hi
I have Cisco ISE, and our access layer operates at Layer 3. We have VLANs A, B, and C, and our objective is to prevent traffic from VLANs B and C from reaching VLAN A.
All our access layer switches are configured as Layer 3. Is it possible to implement a Dynamic Access Control List (DACL) for this purpose, or should I consider pushing traffic to an Internal Segmentation Firewall (ISFW)? If the latter is feasible, could you please provide guidance on how to set it up?
Additionally, I'm curious about the use of Virtual Routing and Forwarding (VRF) for achieving this segmentation.
I would greatly appreciate any advice or recommendations you can offer on these topics. Thank you in advance for your assistance.
Thanks
09-13-2023 09:58 PM
Hello @bluesea2010,
I'm not going to talk about DACL; I'm not so aware of that.
As concerns ISFW, it's a more advanced solution that provides comprehensive security and inspection of traffic between segments. This option offers greater security and control over the traffic between segments...but requires additional hardware or virtual appliances.
If you already have experience with VRFs and a compelling reason to use them for segmentation, it's a viable option, but it may introduce complexity...assign each VLAN to a separate VRF, effectively isolating their routing tables, but this approach can be challenging to manage and maintain.
09-13-2023 10:22 PM
If it's straight up yes/no filtering, an ACL should handle that easily. https://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4
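For the yes/no case the answer above describes, this is what a static ACL on the Layer 3 access switch looks like. It is an added illustration, not configuration from the thread or from the linked article, and the addressing is constructed: VLAN A = 10.0.10.0/24 on interface Vlan10, VLAN B = 10.0.20.0/24 on Vlan20, VLAN C = 10.0.30.0/24 on Vlan30. The ACL is applied inbound on the SVIs of the VLANs being blocked, so the traffic is dropped where it enters the Layer 3 domain rather than after it has been routed.

```cisco
! Constructed example: VLAN A 10.0.10.0/24, VLAN B 10.0.20.0/24, VLAN C 10.0.30.0/24
ip access-list extended BLOCK-TO-VLAN-A
 remark Drop anything sourced in VLAN B or VLAN C that is destined to VLAN A
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
 remark Everything else (B<->C, Internet, servers) is still routed normally
 permit ip any any
!
interface Vlan20
 description VLAN B (constructed example)
 ip address 10.0.20.1 255.255.255.0
 ip access-group BLOCK-TO-VLAN-A in
!
interface Vlan30
 description VLAN C (constructed example)
 ip address 10.0.30.1 255.255.255.0
 ip access-group BLOCK-TO-VLAN-A in
!
! Verification: the deny entries should accumulate hit counts when a host in
! VLAN B or C tries to reach VLAN A
! show ip access-lists BLOCK-TO-VLAN-A
```

Two things to keep in mind with this approach. The ACL has to be present on every access switch that carries an SVI for VLAN B or C, since each of those switches is a separate routing hop into VLAN A. And the ACL is stateless: if hosts in VLAN A are expected to open sessions into B or C, the reply packets (sourced in B or C, destined to A) match the deny lines and are dropped too. For TCP you can insert `permit tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 established` above the corresponding deny line, but that only covers TCP, which is the usual point at which a stateful firewall between segments (the ISFW option from the question) becomes the cleaner answer.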
09-14-2023 07:29 AM
"Additionally, I'm curious about the use of Virtual Routing and Forwarding (VRF) for achieving this segmentation."
It's possible you could segment using VRF. Unlike an ACL-based approach, separate VRFs might be a very "clean" way to segment. Whether VRF would be a good approach depends on your near and long term network needs and, of course, device support.
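To make the VRF option concrete, here is a VRF-Lite layout on one Layer 3 access switch. It is an added example, not configuration from the thread, and it reuses the constructed addressing from above (VLAN A = 10.0.10.0/24 on Vlan10, VLAN B = 10.0.20.0/24 on Vlan20, VLAN C = 10.0.30.0/24 on Vlan30); the VRF names `VLAN-A` and `SHARED` are invented for the illustration. VLAN A gets its own routing table; VLANs B and C share a second table. Because there is no route from one table to the other, B and C cannot reach A (or vice versa) without an ACL at all.

```cisco
! Constructed example: two VRFs on a Layer 3 access switch (IOS-XE syntax;
! older IOS uses "ip vrf NAME" and "ip vrf forwarding NAME" instead)
vrf definition VLAN-A
 address-family ipv4
 exit-address-family
!
vrf definition SHARED
 address-family ipv4
 exit-address-family
!
interface Vlan10
 description VLAN A - isolated routing table
 vrf forwarding VLAN-A
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description VLAN B - shared routing table with VLAN C
 vrf forwarding SHARED
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 description VLAN C - shared routing table with VLAN B
 vrf forwarding SHARED
 ip address 10.0.30.1 255.255.255.0
!
! Each VRF needs its own path toward the core, e.g. one 802.1Q subinterface
! per VRF on the uplink (VLAN IDs 901/902 are constructed placeholders)
interface GigabitEthernet1/0/48
 no switchport
!
interface GigabitEthernet1/0/48.901
 encapsulation dot1Q 901
 vrf forwarding VLAN-A
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet1/0/48.902
 encapsulation dot1Q 902
 vrf forwarding SHARED
 ip address 192.0.2.5 255.255.255.252
!
! Verification: VLAN A's table must contain no B/C prefixes, and a ping
! from the SHARED table into VLAN A should fail
! show ip route vrf VLAN-A
! show ip route vrf SHARED
! ping vrf SHARED 10.0.10.10
```

Note that entering `vrf forwarding` on an SVI removes any IP address already configured on it, which is why the address is re-entered after it in each interface block. The operational cost the earlier reply mentions comes from the uplink side: every VRF has to be carried separately (subinterfaces, separate VLANs or tunnels) all the way to wherever the tables are allowed to meet, and if VLAN A ever needs controlled access to B or C, that meeting point is typically a firewall with an interface in each VRF, which brings the ISFW back into the design.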