12-26-2011 02:55 PM
We have a customer who is replacing older Dell switches with Cisco SG300-52s. On one of the SGs they'll need 6 ports reserved on a VLAN for public Internet IPs (the 100Base-T uplink to the data center's Cisco switch as well as multiple Cisco ASAs that go to different networks: production, development, etc.), and the rest on the first and all 52 on the 2nd will be part of their production LAN (the other LANs served by the ASAs have their own switches behind them). On the ASAs we have ACLs to, for example, block port 25 to certain IPs (but allow it to their inbound MX servers). Here's the question, I guess questions:
1) Do the SGs allow me to create ACLs to block, say, port 25 at the switch level before they even get to the ASAs; and
2) Assuming #1 is yes, do I even want to do that, or should I let the ASAs do that since firewalling is really what they're good at?
The ASAs get hammered all day long with remote IPs attempting to get into port 25, especially on their "mail.domain.com" IP; the question is whether it's better to block it at the incoming switch or at the firewall.
Thanks...
01-14-2012 12:49 PM
Hi Brian,
Good to hear from you again.
There are a couple of rules you should be aware of with ACLs and their ACE definitions.
See the admin guide, page 307 onwards, for any clarification.
I think more security is better than less, and access lists in the switches offer wire-speed filtering. The only drawback to this is the extra management you have to perform to set it up and maintain the ACE entries.
But the switch does allow for selectively adding an access list for INGRESS filtering of pattern matches of the ACE entries.
This I would think would affect your decision, as the access list would need to be attached to the port coming in from your Cisco router.
Click on the picture below to see a screen capture of most of the ACE options available to you, for packet permitting or denying.
I have told that ACE entry to deny TCP traffic to a specific destination HOST address (note the reverse mask).
Regards, Dave
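To make the two points in Dave's reply concrete (the reverse/wildcard mask on a host ACE, and the fact that an ingress ACL is evaluated top-down with an implicit deny at the end), here is an added model of that evaluation in Python. It is not from the post or from Cisco; the addresses are constructed from the RFC 5737 documentation range and stand in for the customer's public VLAN.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed model of how an SG300-style IP ACL is applied on ingress:
# ACEs are checked in order, the first match decides, and a packet that
# matches nothing falls through to the implicit deny-all at the end.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style reverse (wildcard) mask: a 0 bit must match, a 1 bit is
    don't-care. A single host is written 203.0.113.25 0.0.0.0; a /24 uses
    0.0.0.255 (the inverse of the familiar 255.255.255.0 subnet mask)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", or "ip" (any protocol)
    dst: str                         # destination base address
    dst_wildcard: str                # reverse mask for the destination
    dst_port: Optional[int] = None   # None means any destination port

    def matches(self, proto: str, dst: str, dst_port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return wildcard_match(dst, self.dst, self.dst_wildcard)

def evaluate(acl: list[Ace], proto: str, dst: str, dst_port: int) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in acl:
        if ace.matches(proto, dst, dst_port):
            return ace.action
    return "deny"

# Constructed policy for the public VLAN: allow SMTP only to the inbound MX,
# deny SMTP to every other public host, then permit everything else so
# legitimate traffic is not swallowed by the implicit deny.
PUBLIC_ACL = [
    Ace("permit", "tcp", "203.0.113.25", "0.0.0.0", 25),    # inbound MX host
    Ace("deny",   "tcp", "203.0.113.0",  "0.0.0.255", 25),  # rest of the /24
    Ace("permit", "ip",  "0.0.0.0", "255.255.255.255"),     # everything else
]

if __name__ == "__main__":
    for dst, port in [("203.0.113.25", 25), ("203.0.113.40", 25), ("203.0.113.40", 443)]:
        print(f"tcp -> {dst}:{port} => {evaluate(PUBLIC_ACL, 'tcp', dst, port)}")
```

Dropping the final permit line (`PUBLIC_ACL[:2]`) shows the classic mistake: with only deny ACEs present, every packet on that port, SMTP or not, is discarded by the implicit deny.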