edwinrombouts
Beginner

What cisco switches support ACL established key?

Hi, I'm doing an internship as IT engineer and looking into new network devices for the new office building (company of about 60 employees, but growing). Routing is currently performed by a Cisco ASA Firewall and switching by D-Link switches (DGS-1510). I suggested the routing could be done by L3 switches, but there's a problem with that: traffic from the Administrative VLAN to the Production VLAN should be allowed, but not vice versa except stateful traffic. So I was thinking this could be done with an extended ACL established on a Cisco switch - only response traffic that's part of a session initiated on Administration can return from the Production VLAN.
I've been trying to find out which devices support the 'established' key, but without success. I suspect it might be related to the IOS running on the device, but again: no information to be found about the IOS any Cisco device is running. I was looking at the Cisco Business 350 series, but it would seem this runs some sort of 'light' version of IOS, so I have no idea if that device would be suitable for stateful ACLs.

I welcome any feedback about this, thanks in advance.

Edwin 

1 ACCEPTED SOLUTION
On that note: what is the benefit of a L3 switch over a L2 switch if all traffic must pass a firewall before it can be routed?

Not all traffic must go through the Firewall. Most traffic is expected to be routed inside the network and only internet traffic usually goes to the firewall.

So, L2/L3 switches are the right equipment when traffic can be routed back and forth inside your network. But you are presenting a very specific requirement. You want something that the Firewall must do, not switches. That's the point.

In a heavy-traffic company, an ACL like that can slow down switch performance for the simple reason that the switches are doing another device's work.

Routing and switching is one thing. Traffic filtering is another thing.

Flavio Miranda
Advisor

But if the ASA is the Layer 3 device, why don't you use the ASA to control this traffic?

At the moment there are only 2 VLANs (since recently actually; before, everything was on 1 VLAN), so the ASA doesn't have much routing work. The plan is to split the network up into more VLANs (administrative, production, guest wifi, cameras, printers, ...), which implies the ASA will have a lot more routing to do. A layer 3 switch could take over the LAN routing to lighten the burden on the ASA, which would then be mainly used as firewall and gateway to the internet.

But since traffic from Production can't have access to the Adm. VLAN unless it's stateful, this traffic would need to go through the ASA first. So in the end the ASA would do the routing. To avoid needing the ASA to implement this rule, I was thinking of an extended ACL with the established key on a Layer 3 switch instead.

Well, I never heard of such a feature on a Cisco switch. And you can for sure use the ASA for this; otherwise, what else do we need a firewall for, right? It doesn't make sense to delegate the work of filtering traffic to a switch when you have a firewall. A switch is made for switching, not filtering.

Which ASA do you have? Let's see how far it can go. And if you had to buy something, I'd prefer to buy a better firewall instead.

It exists in Packet Tracer L3 switches (3560 and 3650), so assume it's available 'in the real world'. The ASA is a 5500. I know I can use the ASA for this, but the whole point is relying on L3 switches for routing. As I'm still a student, I lack the experience to see how I can separate the firewall function from the routing function. The way I see it at this point: if we can overcome the issue of the stateful rule for the Adm./Prod VLAN, then we can have all LAN routing be done by the switch, and all internet access filtering be done by the firewall. 
On that note: what is the benefit of a L3 switch over a L2 switch if all traffic must pass a firewall before it can be routed?

There is no real benefit to a L3 switch if you are simply passing traffic to a firewall.

Some L3 switches do support the established keyword and you can check the command references, but be aware that even though it might be an option according to the documentation, it may or may not be available and/or work.

That said, if you do need stateful filtering, firewalls really are the device you should be using.

Jon
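To make the caveat in the reply above concrete, here is an added example (written for this thread, not Cisco code and not the poster's configuration) that models what an extended ACL with the `established` keyword checks next to what a stateful firewall checks. The VLAN subnets, ports and packets are assumed placeholders.

```python
# Added example (not Cisco code, not the poster's config): contrasts what an
# extended ACL with "established" permits with what a stateful firewall permits.
# VLAN subnets and the packets in SAMPLE are constructed placeholders.
from collections import namedtuple
from ipaddress import ip_address, ip_network

ADMIN = ip_network("10.10.0.0/24")  # assumed Administrative VLAN
PROD = ip_network("10.20.0.0/24")   # assumed Production VLAN
# flags: a frozenset drawn from {"SYN", "ACK", "RST"}
Packet = namedtuple("Packet", "src sport dst dport flags")

def acl_established_permits(pkt):
    # Models an inbound ACL on the Production SVI, roughly:
    #   permit tcp 10.20.0.0 0.0.0.255 10.10.0.0 0.0.0.255 established
    #   deny ip any any
    # "established" only tests whether ACK or RST is set; it keeps no state.
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    if s in ADMIN and d in PROD:
        return True  # Admin -> Production is not filtered at all
    if s in PROD and d in ADMIN:
        return bool(pkt.flags & {"ACK", "RST"})
    return False

class StatefulFirewall:
    # Minimal connection table: Production may only answer sessions that a
    # host on the Administrative VLAN opened (tracked by the initial SYN).
    def __init__(self):
        self.sessions = set()
    def permits(self, pkt):
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        if s in ADMIN and d in PROD:
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if s in PROD and d in ADMIN:  # only as the reply half of a known session
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions
        return False

def evaluate(packets):
    # Returns (label, acl_verdict, firewall_verdict) per packet, in order.
    fw = StatefulFirewall()
    return [(label, acl_established_permits(p), fw.permits(p)) for label, p in packets]

SAMPLE = [  # constructed traffic, in arrival order
    ("admin opens HTTPS to prod", Packet("10.10.0.5", 40000, "10.20.0.8", 443, frozenset({"SYN"}))),
    ("prod answers that session", Packet("10.20.0.8", 443, "10.10.0.5", 40000, frozenset({"SYN", "ACK"}))),
    ("prod sends unsolicited ACK-only", Packet("10.20.0.8", 445, "10.10.0.5", 50000, frozenset({"ACK"}))),
    ("prod opens new session to admin", Packet("10.20.0.8", 50001, "10.10.0.5", 22, frozenset({"SYN"}))),
]
```

Running `evaluate(SAMPLE)` shows both approaches agree on the legitimate reply and on blocking a new SYN from Production, but only the firewall drops the third packet: a flag-only check has nothing to match it against.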

So from all the responses I gather that due to the need for this stateful rule, the idea of routing on L3 switches is out the door?

It would be best to buy a powerful firewall and just leave the switches to switching...


If you want to have stateful firewalling between all VLANs, then yes, it makes more sense just to have a L2 switch and do L3 on a firewall.

If you need a mix, a L3 switch for the non-firewalled VLANs and a firewall for the others.

Jon
