
Catalyst 6500 ACL Placement

packetzen (Level 1)

Hi All,

First post, so go easy on me. What is the proper placement for ACLs on a Cat using an FWSM? Are there advantages/disadvantages to placing them in the FWSM or on the switch or MSFC?

Network is: internet -- MSFC -- FWSM -- several VLANs hosting web apps.

Thanks!

4 Replies

Jon Marshall (Hall of Fame)

packetzen wrote:

Hi All,

First post, so go easy on me. What is the proper placement for ACLs on a Cat using an FWSM? Are there advantages/disadvantages to placing them in the FWSM or on the switch or MSFC?

Network is: internet -- MSFC -- FWSM -- several VLANs hosting web apps.

Thanks!

If you have an FWSM and you are trying to protect the VLANs with web apps, then put the ACLs on the outside interface of your FWSM, assuming the outside interface is the one connected to the MSFC in your diagram above.

However, if the internet goes straight to the 6500, i.e. there is no firewall other than the FWSM, then you may have the wrong topology. It all depends on what else is on the 6500. If the 6500 is used purely for DMZs then you can use the above topology, but if the 6500 has internal servers that are not meant to be accessed from the internet then I would suggest the topology

internet -> FWSM -> MSFC -> web VLANs

OR

internet -> FWSM -> web VLANs

The second one does not use the MSFC. This doesn't mean you can't use the MSFC for other devices, and bear in mind that with the FWSM you can have multiple contexts.

A clearer answer can be given if you could clarify what else, if anything, is on the 6500.

One thing to say for sure, though, is that in your scenario you definitely wouldn't want to use just ACLs.

Jon

packetzen (Level 1)

I would say that for the most part all of the servers are accessible via the internet. However, there are servers and other VLANs that are not part of the outside network.

Can you clarify the difference between the two? How is the second topology more secure than the first?

internet -- MSFC -- FWSM -- VLANs

and

internet -- FWSM -- MSFC -- VLANs

Thanks!!

packetzen wrote:

I would say that for the most part all of the servers are accessible via the internet. However, there are servers and other VLANs that are not part of the outside network.

Can you clarify the difference between the two? How is the second topology more secure than the first?

internet -- MSFC -- FWSM -- VLANs

and

internet -- FWSM -- MSFC -- VLANs

Thanks!!

If there are VLANs connected to the MSFC that are not firewalled and these have devices that you do not want to give access to from the internet, or there are perhaps WAN connections terminating on the MSFC of the 6500, then allowing the internet straight onto your MSFC is clearly very insecure, i.e. in theory you could route from the internet straight to non-internet servers or the WAN.

That is why the 2nd topology is much better, because you can firewall all traffic from the internet.

I have used the first topology above in a data centre environment where the outside was not the internet but the rest of the corporate WAN, so it is a valid design, just not when the internet is connected straight to the outside.

Jon

Ganesh Hariharan (VIP Alumni)

Hi ,

My suggestion is to make the interface between the MSFC and the FWSM the outside interface of the FWSM, and to apply rules in the "in" direction on that outside interface for the incoming traffic to the different VLANs.

Internet ---- MSFC --- (outside)FWSM -- VLANs

That way you can control the incoming traffic entering your network via the FWSM.

Hope this helps

Regards

Ganesh.H
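As an added example (it is not configuration from any of the posters and not the original poster's network), this is what the placement Jon and Ganesh both describe looks like on the two boxes: the internet VLAN is handed to the FWSM through a firewall vlan-group and given no SVI on the MSFC, so the only path from the outside into the chassis is through the firewall (Jon's "internet -> FWSM -> web VLANs"), and the filtering ACL is applied in the "in" direction on the FWSM outside interface as Ganesh suggests. The VLAN numbers 10 and 20, module slot 3, the RFC 5737/RFC 1918 addresses and the web server 10.20.0.10 are all assumed for illustration.

```cisco
! --- Catalyst 6500 supervisor (IOS) ---
! Hand VLAN 10 (internet) and VLAN 20 (web servers) to the FWSM in slot 3.
! Slot and VLAN numbers are assumed for this example.
firewall vlan-group 1 10,20
firewall module 3 vlan-group 1
!
! Deliberately NO "interface Vlan10" on the MSFC: the internet VLAN
! terminates only on the FWSM, so the MSFC (and any non-firewalled VLAN
! or WAN link on it) is never reachable from the outside except through
! the firewall's policy.
!
! --- FWSM (single context) ---
interface Vlan10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan20
 nameif web
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Inbound policy, applied in the "in" direction on the outside interface:
! only HTTP/HTTPS to the one published web server, everything else denied
! and logged. (Public addressing / NAT for 10.20.0.10 is omitted here.)
access-list OUTSIDE_IN extended permit tcp any host 10.20.0.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.20.0.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The FWSM, unlike a PIX/ASA, does not implicitly allow traffic from a
! higher to a lower security level, so the web VLAN needs its own policy
! for what the servers may initiate (assumed: DNS and HTTPS updates).
access-list WEB_OUT extended permit udp host 10.20.0.10 any eq 53
access-list WEB_OUT extended permit tcp host 10.20.0.10 any eq 443
access-list WEB_OUT extended deny ip any any log
access-group WEB_OUT in interface web
```

The practical difference between the two placements the original question asks about: an ACL on the FWSM is enforced by a stateful firewall, so return traffic for a permitted connection is allowed automatically and only the initiating direction has to be written, whereas a plain ACL on an MSFC SVI is stateless and would need to open the return ports as well. Keep the explicit "deny ip any any log" at the end of each list so the FWSM records what it dropped; the implicit deny does not log.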
