04-17-2010 09:32 AM
Hello!
Is there any possibility to restrict access between several VLANs? I have five to ten VLANs in use and no way to restrict traffic between them with SA520 firewall rules. If I uncheck "InterVLAN routing enable", this particular VLAN becomes unreachable from all others, and vice versa, so the available choice is all or nothing. Nice firewall.
My firmware is 1.1.42.
04-17-2010 02:35 PM
Hi,
As mentioned in the admin guide, SA500 supports firewall rules from LAN to WAN, LAN to DMZ and DMZ to WAN.
I need to check for the possibility of firewall rules between VLANs in future releases.
Can you give me more insight on how an inter-VLAN firewall affects the business?
Thanks and Regards,
Biraja
04-18-2010 01:34 AM
Hi,
Thanks for your fast reply. In my own business I need to configure VLANs with IP subnets, because I usually simulate and test my customers' networks before implementing them with real VLANs in use. Also visitors, servers, WLANs, intranet, www servers and switches/routers need to have different VLANs, but some access between them is needed. Just no access at all or full IP access is not an option. And there are also the basic reasons why VLANs are a good thing: security, limiting broadcasts, IP/VLAN subnetting etc. And why use VLANs if there is no need to restrict access between them in a private network?

In my case, if the SA520 will not be capable of restricting access between VLANs, I have to buy yet another device for doing that. Not a very cost-effective way, and it will add one more single-point-of-failure device to my network. If the SA520 could do that, it would be just the right device to have two of, one in use and one standby for high usability.

I was in the belief that of course a device with support for 16 VLANs brings IP subnetting per VLAN with full firewall possibilities to use, allow/deny access between them and route them freely. In my opinion, 802.1Q switches and a firewall/router is the most effective way to build a network for small and medium sized business with great possibilities to scale and change it.

Let me know if there is going to be a future release with this feature. Otherwise I have to find another device. Thanks!
Regards, Matti
04-19-2010 05:01 PM
Hi Matti,
This is definitely an important feature to have on SA500.
Will follow up on this and get back to you with more about the possibility and the timeline of the availability.
Thanks,
Biraja
04-20-2010 02:33 AM
Hi,
Actually, the whole idea of a firewall is to control L3/L4 traffic between IP subnets, with or without VLANs. And if the SA520 is called a firewall, then there should be this feature, am I right?
Regards, Matti
04-20-2010 09:56 AM
Hi Matti,
Common use-cases are WAN<->DMZ, WAN<->LAN, LAN<->DMZ, so SA500 supports only those so far.
I've proposed to the Marketing and Engineering team to support firewall between VLANs on SA500.
Will get back to you with more info shortly.
Thanks,
Biraja
04-22-2010 09:27 AM
Hi,
I just got Sonicwall offer and this is what they say:
The VLANs will be seen as "ordinary" interfaces by the SNWL, so routing and firewall rules between them will work. E.g. model NSA 240 is for 10 VLANs.
Regards, Matti
04-23-2010 12:10 AM
If an ACL is needed for controlling inter-VLAN traffic, the other options you may consider are Cisco 800 series routers or the ASA5505.
Both support ACLs on VLAN interfaces. SA500 today doesn't support ACLs on VLANs. We'll consider the suggestions in our future development plan. Please work with your sales representative for product updates.
It sounds like you are doing quite a lot of design with switching networks. Here are some perspectives about SA500 LAN switching ports in case you find them useful.
The LAN ports of the SA500 today are more optimized for speed and for interconnecting to switching networks.
Traffic flowing between those ports can be at GE speed. So if it's possible to design new networks to avoid inter-VLAN traffic, the box can provide quite good performance for intranetworking, such as client-server applications and data backup usage.
Also, the LAN ports are all capable of trunking. So if you have 5 VLANs defined in your switch networks, you don't need to use 5 dedicated ports, one for each of the 5 VLANs, to connect to a switch. This can save you some ports for redundancy design or let you scale to support more VLANs as your customer's business grows.
Hopefully this helps.
Cheers,
Richard
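To illustrate what "ACL on VLAN interfaces" means in practice, here is an added example (not posted in the thread and not vendor documentation) of an IOS-style configuration of the kind Richard refers to for the 800 series: each VLAN is a routed SVI, and an extended access list applied inbound on the guest VLAN interface permits guests to reach one intranet web server over HTTPS while logging and dropping everything else aimed at the server VLAN. The VLAN numbers, subnets, host address and ACL name are constructed for the example.

```cisco
! Added example (not from the thread): restricting inter-VLAN traffic
! with an extended ACL bound to a VLAN interface (SVI).
! VLAN ids, addresses and the ACL name below are constructed values.
!
ip access-list extended GUEST-TO-SERVERS
 remark guests may reach the intranet web server on HTTPS only
 permit tcp 10.0.20.0 0.0.0.255 host 10.0.10.5 eq 443
 remark everything else headed for the server VLAN is dropped and logged
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 log
 remark traffic to other destinations (e.g. the WAN) is still allowed
 permit ip 10.0.20.0 0.0.0.255 any
!
interface Vlan10
 description servers
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description guests
 ip address 10.0.20.1 255.255.255.0
 ip access-group GUEST-TO-SERVERS in
```

The list is evaluated top down, so the single `permit tcp ... eq 443` line must precede the broad `deny` for the server subnet, and the final `permit ip ... any` keeps the guest VLAN's internet access working. Because a plain ACL is stateless, the policy is applied only inbound on the guest SVI; return traffic from the servers enters Vlan10 unfiltered. `show ip access-lists GUEST-TO-SERVERS` shows per-line hit counters, which is the quickest way to confirm the rule is actually matching the traffic you intended to block.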
05-10-2010 06:43 AM
I'm having a similar problem. Does anyone following this thread have any approaches, possibly using CCA, to implement MAC level ACLs quickly to take advantage of the speed while segregating traffic? NAT on the LAN side? A design pattern for putting everything through the DMZ? The speed is attractive vs. alternatives, but I have to segregate the traffic for security in any regard...
05-17-2010 08:27 AM
Hi ambleside,
Which platform do you need to know about for the capabilities you have mentioned? Is it the UC500 or ASA55XX platforms?
This forum is for SA500 series security devices.
Thanks,
Biraja
05-17-2010 08:41 AM
Hello,
I got some more info from a local Cisco representative that this SA520 product shouldn't be sold to business users at all. It is not a firewall, it is not a VPN capable device, it is not even Cisco's own product. We are now specifying the right device for my purposes.
Regards, Kn
05-17-2010 09:17 AM
Kuminauha,
The Cisco SA500 Series are security appliances that do include firewall and VPN functionality (both IPsec and SSL VPN). They are Cisco products. If you require a firewall that includes the ability to apply firewall policy between VLANs, then the SA 500 Series does not currently provide that level of functionality. It does allow you to block traffic from going from one VLAN to another, but does not provide a means to apply a detailed firewall policy. As mentioned in an earlier post, the ASA 5500 Series and the ISR 800 Series devices do provide that functionality today.
Cheers,
Stephen
05-17-2010 11:35 AM
I can't believe this bullshit!

"It does allow you to block traffic from going from one VLAN to another, but does not provide a means to apply a detailed firewall policy." This means that my scissors can do the same, just cut the Ethernet cable in half. Or my dog, pulling the wire out from the same switch: no IP traffic or IP traffic.

My Cisco representative, working at Cisco, tells me that the SA520 is not Cisco's own product, it is not a real firewall (stateful, freely filtering traffic between subnets), it cannot filter traffic between VLAN subnets and even VPN tunneling doesn't work properly.

You say, as so many others, that I need an ASA5000 or ISR 800; how come you sold me this piece of shit in a box in the first place? If the marketing leaflet says "firewall", "VLAN subnetting" and so forth, this SA520 should be capable of doing that, without any explanations. How is this so difficult? Firewall, subnets, filtering traffic. If you understand firewall differently, please tell it to the customers also, clearly, and before they buy it.

Please close this worthless conversation, no answers are needed any more with this.
Kn
05-17-2010 11:39 AM
Neither UC nor ASA - SA540...
01-24-2012 02:28 PM
So, looks like I just dropped $600+ on a so-called "security appliance" that can't perform simple "security functions" as found in $100 off-the-shelf routers?
Nice