01-16-2013 04:51 AM - edited 03-07-2019 11:07 AM
Hi all,
We have this case:
A CISCO 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Intervlan routing is on. Connected to this stack are VMware hosts with about 500 VMs.
We started using the ACLs to allow connectivity between VLANs to specific hosts and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.
The simplified environment looks like this:
INTERNET ROUTER =====EXTERNAL FIREWALL ======CORE ROUTER=====3750-X SWITCH STACK
QUESTIONS:
- Does it make sense to add an "internal firewall" between the CORE ROUTER AND THE 3750-X SWITCH STACK?
- Do you recommend any other way?
- Any recommended CISCO resource/white paper to read about best practice?
Thanks
John
01-16-2013 07:42 AM
The proof is in the memory.
The 3750X is a fairly robust switch. I have seen devices with a lot less hardware run multiple ACLs that were individually thousands of lines long without issue. Are you observing any problematic behavior from the switch? Does it have very high memory utilization? If not, there is no reason you cannot keep the ACLs where they are.
If you are concerned about the ability of the 3750X to handle the load, you do not necessarily need to introduce a firewall into the mix. If ACLs are doing the job effectively I would stick with that approach. You could always convert the link to the core router to a trunk, push the VLANs across the link and terminate them on the core router. Then the core router would be able to process the ACLs for you. However, if you have a lot of inter-VLAN traffic on the 3750X, you would have to be concerned about link saturation.
01-16-2013 09:56 AM
Thanks Gregory.
Yes I am concerned about link saturation if I offload ACLs from the switch stack.
Assuming that performance is an issue and I leave them on the switch, isn't it a risk to leave your packets flowing without stateful inspection?
Easier management of access list and security are the main drivers of this possible change.
I would think this is a pretty common scenario for mid-size companies, especially nowadays when users are so mobile. All of our users have laptops and they have antivirus/antimalware running on them, but I do not quite trust them when they access our servers.
John
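An added example, not from the thread, modelling the risk raised in the post above: a stateless ACL on the SVIs has to permit the reverse tuple so replies get back, which also passes server-originated traffic that merely uses source port 443, whereas a stateful inspector only passes packets belonging to a flow a client actually opened. Addresses, ports and the packet list are constructed for the illustration.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True for the first packet of a TCP connection

# Constructed addressing: clients in VLAN 10 (10.10.0.0/24), web server in VLAN 20.
CLIENTS = ipaddress.ip_network("10.10.0.0/24")
SERVER = "10.20.0.5"

def stateless_acl(p: Packet) -> bool:
    """Two extended-ACL style rules: clients to server:443, and the reverse tuple
    for replies. Like an SVI ACL, it keeps no memory of sessions."""
    if ipaddress.ip_address(p.src) in CLIENTS and p.dst == SERVER and p.dport == 443:
        return True
    if p.src == SERVER and p.sport == 443 and ipaddress.ip_address(p.dst) in CLIENTS:
        return True
    return False

class StatefulInspector:
    """Records a flow on a permitted client SYN; replies must match a recorded flow."""
    def __init__(self):
        self.flows = set()
    def permit(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        if ipaddress.ip_address(p.src) in CLIENTS and p.dst == SERVER and p.dport == 443 and p.syn:
            self.flows.add(fwd)
            return True
        # Reverse direction: allowed only if a client opened exactly this flow.
        rev = (p.dst, p.dport, p.src, p.sport)
        return rev in self.flows

def compare(packets):
    """Returns (stateless_verdict, stateful_verdict) per packet, in order."""
    insp = StatefulInspector()
    return [(stateless_acl(p), insp.permit(p)) for p in packets]

# Constructed traffic: a legitimate session, then the server opening its own
# connection into the client VLAN with source port 443 (no client session exists).
TRAFFIC = [
    Packet("10.10.0.7", SERVER, 51000, 443, syn=True),   # client opens session
    Packet(SERVER, "10.10.0.7", 443, 51000, syn=False),  # server reply to that session
    Packet(SERVER, "10.10.0.9", 443, 4444, syn=True),    # server-initiated, unsolicited
]

if __name__ == "__main__":
    for p, (sl, sf) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={sl}  stateful={sf}")
```

The third packet is the difference that matters: the stateless rules accept it, the flow-tracking check does not.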