Re: Cheapest switch that will run ACLs on ports ?

ajenks · ‎02-12-2009

I need the ability to restrict traffic between 2 LAN segments. I want to do this with dedicated hardware. I acheieved this using a 48 port 3750 switch with ACL's configured (spare hardware at the time), with 2 ports used (one connected to LAN A, one to LAN B). This is a waste of hardware.

I don't need any routing capablity in this device, so I am thinking I will replace it with the smallest (cheapest) switch capable of running ACL's on ports. I'm not sure all CISCO switches can do this ?

I currently apply the restrictions by host-host ip and the rules are not protocol specific. If I wanted to make the rules specific to certain protocols, can ACL's in switches do this ? or would that require a router ?

Joseph W. Doherty · ‎02-12-2009

If the 3750 worked for you, so should the 3560s. If you don't need multiple gig ports nor many ports, there's the 8 port model. A 2960 -L switch might work for you too. Available modules also include 8 port variants; in both 100 or gig models.

b.julin · ‎02-12-2009

The switches vary on the number of access list values and masks they can handle, so it kind of depends on how big these access lists get.

However for a device dedicated to this purpose only I think a 2960 might work fine. Though note they don't do it vlan access-map style, only per interface.

bench2960#show platform acl usage 0

IPV4/MAC ACL TCAM USAGE:

ACL Type Label Entries Used

L3INPUT 3 (P) 3

Used Available Total

Mask 30 354 384

Value 30 354 384

IPV6 ACL TCAM USAGE:

ACL Type Label Entries Used

Used Available Total

Mask 5 2 7

Value 5 12 17

bench2960#show platform acl usage 1

IPV4/MAC ACL TCAM USAGE:

ACL Type Label Entries Used

Used Available Total

Mask 27 357 384

Value 27 357 384

IPV6 ACL TCAM USAGE:

ACL Type Label Entries Used

Used Available Total

Mask 5 2 7

Value 5 12 17