Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1035
Views
21
Helpful
12
Replies

What cisco switches support ACL established key?

Go to solution
edwinrombouts
Level 1
Level 1

‎04-26-2022 03:02 AM

Hi, I'm doing an internship as IT-engineer and looking into new networkdevices for the new office building (company of about 60 employees, but growing). Routing is currently performed by a Cisco ASA Firewall and switching by D-Link switches (DGS-1510). I suggested the routing could be done by L3 switches, but there's a problem with that: traffic from the Administrative VLAN to the Production VLAN should be allowed, but not vice versa except statefull traffic. So I was thinking this could be done with an extended ACL established on a Cisco switch - only response traffic that's part of a session initiated on Administration can return from the Production vlan.
I've been trying to find out which devices support the 'established' key, but without success. I suspect it might be related to the IOS running on the device, but again: no information to be found about the IOS any Cisco device is running. I was looking at Cisco Bussiness 350 series, but it would seem this runs some sort of 'light' version of IOS, so I have no idea if that device would be suitable for statefull ACLs.

 

I welcome any feedback about this, thanks in advance.

Edwin 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Flavio Miranda
VIP
VIP
In response to edwinrombouts

‎04-26-2022 06:00 AM

On that note: what is the benefit of a L3 switch over a L2 switch if all traffic must pass a firewall before it can be routed?

 

Not all traffic must go through Firewall. Most traffic is expected to be routed inside the network and only internet traffic usually go to firewall.

So, L2/L3 switches is the right equipament when traffic can be routed back and forth inside your network. But, you are presenting a very specific requirement. You want something that Firewall must do, not switches. That´s the point.

  In a heavy traffic company, an ACL like that can slow down switches performance for the simple reason that they are doing another´s device work.

 Routing and switch is one thing. Traffic filtering is another thing.

 

View solution in original post

12 Replies 12

Go to solution
Flavio Miranda
VIP
VIP

‎04-26-2022 03:31 AM

But if ASA is the Layer 3 device why dont you use ASA to control this traffic? 

0 Helpful

Go to solution
edwinrombouts
Level 1
Level 1
In response to Flavio Miranda

‎04-26-2022 04:10 AM

At the moment there are only 2 vlans (since recently actually, before everything was on 1 VLAN), so the ASA doesn't have much routing work. The plan is to split the network up into more vlans (administrative, production, guest wifi, camera's, printers,...), which implicates the ASA will have a lot more routing to do. A layer 3 switch could take over the LAN routing to lighten the burden on the ASA, which would then be mainly used as firewall and gateway to the internet.

But since the traffic from Production can't have access to the Adm. Vlan unless it's statefull, this traffic would need to go through the ASA first. So in the end the ASA would do the routing. To avoid needing the ASA to implement this rule, I was thinking of an extended ACL with established key on a Layer 3 switch instead.

Go to solution
Flavio Miranda
VIP
VIP
In response to edwinrombouts

‎04-26-2022 04:51 AM

Well, never heard such feature on cisco switch.  And, you can for sure use ASA for this, otherwise what else we need a firewall, right?  Dont make sense delegate the work of filtering traffic to a switch when you have a firewall. Switch is made for switching, not filtering. 

Which ASA do you have? Let´s see how far it can go?   And if you had to by something, I´d prefer to by a btter firewall instead. 

0 Helpful

Go to solution
edwinrombouts
Level 1
Level 1
In response to Flavio Miranda

‎04-26-2022 05:21 AM

It exists in Packet Tracer L3 switches (3560 and 3650), so assume it's available 'in the real world'. The ASA is a 5500. I know I can use the ASA for this, but the whole point is relying on L3 switches for routing. As I'm still a student, I lack the experience to see how I can separate the firewall function from the routing function. The way I see it at this point: if we can overcome the issue of the stateful rule for the Adm./Prod VLAN, then we can have all LAN routing be done by the switch, and all internet access filtering be done by the firewall. 

 

On that note: what is the benefit of a L3 switch over a L2 switch if all traffic must pass a firewall before it can be routed?

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to edwinrombouts

‎04-26-2022 05:57 AM

 

There is no real benefit to L3 switch if you are simply passing traffic to firewall. 

 

Some L3 switches do support the established keyword and you can check the command references but be aware that even though it might be an option according to the documentation it may or may be available and/or work. 

 

That said if you do need stateful filtering firewalls really are the device you should be using. 

 

Jon

Go to solution
edwinrombouts
Level 1
Level 1
In response to Jon Marshall

‎04-26-2022 06:02 AM

So from all the responses I gather that due to the need for this stateful rule, the idea of routing on L3 switches is out the door?

It would be best to buy a powerfull firewall and just leave the switches to switching...

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to edwinrombouts

‎04-26-2022 06:18 AM

 

If you want to have stateful firewalling between all vlans then yes it makes more sense just to have a L2 switch and do L3 on a firewall. 

 

If you need a mix a L3 switch for the non firewalled vlans and firewall for the others. 

 

Jon

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to edwinrombouts

‎04-26-2022 06:00 AM

On that note: what is the benefit of a L3 switch over a L2 switch if all traffic must pass a firewall before it can be routed?

 

Not all traffic must go through Firewall. Most traffic is expected to be routed inside the network and only internet traffic usually go to firewall.

So, L2/L3 switches is the right equipament when traffic can be routed back and forth inside your network. But, you are presenting a very specific requirement. You want something that Firewall must do, not switches. That´s the point.

  In a heavy traffic company, an ACL like that can slow down switches performance for the simple reason that they are doing another´s device work.

 Routing and switch is one thing. Traffic filtering is another thing.

 

Go to solution
edwinrombouts
Level 1
Level 1

‎04-26-2022 06:28 AM

Thank you all for the quick responses. Though it seems odd to me that such an ACL exists if it has such an impact on the performance. Then again, my lack of experience probably makes me overlook other factors.

Go to solution
Flavio Miranda
VIP
VIP
In response to edwinrombouts

‎04-26-2022 06:38 AM

that´s realy OK @edwinrombouts . But, most features out there fix some specific problem and create few more. Our work as network engineer is make sure that things work in the best way:  Security, performance, etc. 

 Make it simple, always.

 

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to edwinrombouts

‎04-26-2022 07:28 AM

"Though it seems odd to me that such an ACL exists if it has such an impact on the performance."

On a L3 switch, an ACL might have almost no performance impact, the norm, or, often unusually, a very severe processing impact.  (ACL impact depends on whether ACEs are directly supported in hardware, or not.  If the former, generally you have very little performance impact and wire-speed.  If the latter, horrible performance.  Again, the latter is unusual.  Sometimes documentation will not ACL features not directly supported in hardware.  [A variant cause of L3 ACL having poor performance is TCAM overflow, most often due to very large ACLs.  Some switches support, configurable, modified hardware resource assignments based on expected usage.])

0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎04-26-2022 06:50 AM

Yes, using an ACL with established "sort of" behaves as a stateful barrier would.  "Sort of" because an external packet could spoof the established bit.  This approach also is limited to just TCP based traffic.

Two other approaches (ignoring Cisco FW features available on routers) that are stateful, although also likely not to be supported on a "small" L3 switch, are reflexive ACLs or NAT.

Another approach is to use a classical ACL that only allows specific traffic flows in one or both direction (more difficult to maintain then a simple "established" ACE or reflexive ACL, but "advanced" FW rules can be complex too).

Lastly, as noted by others, a L3 switch generally is used for "internal" routing while a FW usually acts as a control to/from the Internet.  In fact, often a FW, with internal routing done on other L3 devices, might not route at all.  However, a FW can also operate in conjunction with your L3 switch.  I.e. it only need to "control" traffic to/from the Internet, and between your admin network and other networks.  Some FWs, that can do L3, might also support some routing protocol (often only RIP).

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card