Buy or Renew
Buy or Renew
COMING SOON: Umbrella and Secure Access release notes are coming to Cisco Community. The community will be in read-only August 16 – 19. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
387
Views
0
Helpful
3
Replies

segmenation

bluesea2010
Level 5
Level 5

‎09-13-2023 07:51 PM

Hi

I have Cisco ISE, and our access layer operates at Layer 3. We have VLANs A, B, and C, and our objective is to prevent traffic from VLANs B and C from reaching VLAN A.

All our access layer switches are configured as Layer 3. Is it possible to implement a Dynamic Access Control List (DACL) for this purpose, or should I consider pushing traffic to an Internal Segmentation Firewall (ISFW)? If the latter is feasible, could you please provide guidance on how to set it up?

Additionally, I'm curious about the use of Virtual Routing and Forwarding (VRF) for achieving this segmentation.

I would greatly appreciate any advice or recommendations you can offer on these topics. Thank you in advance for your assistance

Thanks

0 Helpful
3 Replies 3

M02@rt37
VIP
VIP

‎09-13-2023 09:58 PM

Hello @bluesea2010,

I'm not going to talk about DACL, I'm not so aware of that.

As concerned ISFW, it's a more advanced solution that provides comprehensive security and inspection of traffic between segments. This option offers greater security and control over the traffic between segments...but requires additional hardware or virtual appliances.

If you already have experience with VRF and a compelling reason to use them for segmentation, it's a viable option, but it may introduce complexity...assign each VLAN to a separate VRF effectively isolating their routing tables, but this approach can be challenging to manage and maintain.

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

greenk3
Level 1
Level 1

‎09-13-2023 10:22 PM

If it's straight up yes/no filtering ACL should handle that easily.  https://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4

0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎09-14-2023 07:29 AM

"Additionally, I'm curious about the use of Virtual Routing and Forwarding (VRF) for achieving this segmentation."

It's possible you could segment using VRF.  Unlike an ACL based approach, separate VRFs might be a very "clean" way to segment.  Whether VRF would be a good approach depends on your near and long term network needs and, of course, device support.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card