VLANs ACLs in a 3750 switch stack

johnramz
Level 1

Hi all,


We have this case:


A CISCO 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Intervlan routing is on. Connected to this stack are VMware hosts with about 500 VMs.


We started using the ACLs to allow connectivity between VLANs to specific hosts and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.


The simplified environment looks like this:



INTERNET ROUTER =====EXTERNAL FIREWALL ======CORE ROUTER=====3750-X SWITCH STACK



QUESTIONS:


- Does it make sense to add an "internal firewall" between the CORE ROUTER AND THE 3750-X SWITCH STACK?

- Do you recommend any other way?

- Any recommended CISCO resource/white paper to read about best practice?


Thanks


John

2 Replies

Gregory Snipes
Level 4

The proof is in the memory.

The 3750X is a fairly robust switch. I have seen devices with a lot less hardware run multiple ACLs that were individually thousands of lines long without issue. Are you observing any problematic behavior from the switch? Does it have very high memory utilization? If not, there is no reason you cannot keep the ACLs where they are.

If you are concerned about the ability of the 3750X to handle the load, you do not necessarily need to introduce a firewall into the mix. If ACLs are doing the job effectively, I would stick with that approach. You could always convert the link to the core router to a trunk, push the VLANs across the link and terminate them on the core router. Then the core router would be able to process the ACLs for you. However, if you have a lot of inter-VLAN traffic on the 3750X, you would have to be concerned about link saturation.

Thanks Gregory.

Yes I am concerned about link saturation if I offload ACLs from the switch stack.

Assuming that performance is an issue and I leave them on the switch, isn't it a risk to leave your packets flowing without stateful inspection?

Easier management of access list and security are the main drivers of this possible change.

I would think this is a pretty common scenario for mid-size companies, especially nowadays when users are so mobile. All of our users have laptops and they have antivirus/antimalware running on them, but I do not quite trust them when they access our servers.

John
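One practical handle on the "thousands of lines" management problem raised in this thread is to audit the ACLs for dead entries before deciding where to move them. The checker below is an added example written for this page, not code from the thread or from Cisco: it parses a simplified subset of IOS extended ACL syntax (permit/deny, ip/tcp/udp, any/host/network-plus-wildcard, optional destination `eq` port) and reports entries that an earlier entry already fully covers, so they can never match. The sample ACL is constructed for illustration.

```python
"""Find shadowed (unreachable) entries in a Cisco IOS extended ACL (added example)."""
import ipaddress
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
Ace = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network, Optional[int]]


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec (any | host A | A WILDCARD) and return it as a network."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(t := tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # Wildcard mask -> prefix length (assumes the usual contiguous wildcard bits).
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{t}/{prefix}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (subset of IOS syntax)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _addr(rest), _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, port


def covers(a: Ace, b: Ace) -> bool:
    """True if entry a matches every packet that entry b matches."""
    _, pa, sa, da, porta = a
    _, pb, sb, db, portb = b
    proto_ok = pa == "ip" or pa == pb
    port_ok = porta is None or porta == portb
    return proto_ok and port_ok and sb.subnet_of(sa) and db.subnet_of(da)


def find_shadowed(acl: List[str]) -> List[Tuple[int, int]]:
    """Return (dead_line, covering_line) pairs, 1-based. Action is ignored on purpose:
    a later permit hidden behind an earlier deny is dead too, and is the more
    security-relevant finding because the operator believes it grants access."""
    aces = [parse_ace(line) for line in acl]
    result = []
    for j, b in enumerate(aces):
        for i in range(j):
            if covers(aces[i], b):
                result.append((j + 1, i + 1))
                break
    return result


# Constructed sample ACL: line 3 is dead (covered by line 1), line 7 is dead (covered by line 6).
SAMPLE_ACL = [
    "permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.5 eq 443",
    "deny ip any host 10.20.0.5",
    "permit tcp host 10.10.1.7 host 10.20.0.5 eq 443",
    "permit udp 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 53",
    "permit udp 10.10.0.0 0.0.255.255 host 10.20.0.9 eq 53",
    "deny ip any any",
    "permit ip 10.10.0.0 0.0.255.255 any",
]
```

Run `find_shadowed(SAMPLE_ACL)` to get the dead-entry report; feeding it `show access-lists` output requires stripping the sequence numbers and hit counters first.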
