Catalyst 6500 ACL Placement

Dec 10th, 2009

Hi All,


First post so go easy on me. What is the proper placement for ACLs on a cat using fwsm? Are there advantages / disadvantages to placing in fwsm or on the switch or msfc?


Network is:  internet -- msfc -- fwsm -- several vlans hosting web apps.


Thanks!

Jon Marshall Thu, 12/10/2009 - 13:47
packetzen wrote:

Hi All,

First post so go easy on me. What is the proper placement for ACLs on a cat using fwsm? Are there advantages / disadvantages to placing in fwsm or on the switch or msfc?

Network is: internet -- msfc -- fwsm -- several vlans hosting web apps.

Thanks!


If you have an FWSM and you are trying to protect the vlans with web apps then on the outside interface of your FWSM, assuming the outside interface is the one connected to the msfc in your above diagram.


However if the internet goes straight to the 6500, i.e. there is no firewall other than the FWSM, then you may have the wrong topology. It all depends on what else is on the 6500. If the 6500 is used purely for DMZs then you can use the above topology, but if the 6500 has internal servers that are not meant to be accessed by the internet then I would suggest the topology


internet -> fwsm -> msfc -> web vlans


OR


internet -> fwsm -> web vlans


The second one does not use the MSFC. This doesn't mean you can't use the MSFC for other devices, and bear in mind with the FWSM you can have multiple contexts.


A clearer answer can be given if you could clarify what else, if anything, is on the 6500.


One thing to say for sure though is in your scenario you definitely wouldn't want to use just acls.


Jon

packetzen Thu, 12/17/2009 - 14:00

I would say for the most part all of the servers are accessible via the internet.  However, there are servers and other vlans that are not part of the outside network.


Can you clarify the difference in the two? How is the second topo more secure than the first?


internet -- msfc -- fwsm -- vlans


and


internet -- fwsm - msfc - vlans


Thanks!!

Jon Marshall Thu, 12/17/2009 - 14:13
packetzen wrote:

I would say for the most part all of the servers are accessible via the internet. However, there are servers and other vlans that are not part of the outside network.

Can you clarify the difference in the two? How is the second topo more secure than the first?

internet -- msfc -- fwsm -- vlans

and

internet -- fwsm - msfc - vlans

Thanks!!


If there are vlans connected to the MSFC that are not firewalled and these have devices that you do not want to give access to from the internet, or there are perhaps WAN connections connecting to the 6500 on the MSFC, then allowing the Internet straight onto your MSFC is clearly very insecure, i.e. in theory you could route from the internet straight to non-internet servers or the WAN.


That is why the 2nd topology is much better because you can firewall all traffic from the internet.


I have used the first topology above in a data centre environment where the outside was not the internet but the rest of the corporate WAN so it is a valid design just not when the internet is connected straight to the outside.


Jon

Ganesh Hariharan Fri, 12/18/2009 - 00:10
Hi,


As per my suggestion you can have the interface between the msfc and the FWSM as the outside interface and apply rules in the in direction on the outside interface for incoming traffic to the different vlans.


Internet ----MSFC--- (outside)FWSM-- vlans


So that you can control the incoming traffic entering into your network via the FWSM.


Hope this helps


Regards

Ganesh.H
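As an added illustration (not configuration posted by anyone in this thread), here is what the "internet -> fwsm -> msfc -> web vlans" layout Jon recommends looks like when the ACL is applied inbound on the FWSM outside interface as Ganesh describes. All VLAN numbers, slot number, addresses and ACL names are assumed placeholders: VLAN 10 is the outside link to the internet router, VLAN 20 is the inside link between the FWSM and the MSFC, and VLAN 30 holds the web servers behind the MSFC. The MSFC deliberately has no SVI in VLAN 10, so internet traffic can only reach the MSFC through the FWSM.

```cisco
! ---- Supervisor / MSFC side (assumed: FWSM in slot 3) ----
! Hand the outside and inside VLANs to the FWSM; no SVI on VLAN 10
firewall vlan-group 1 10,20
firewall module 3 vlan-group 1
!
interface Vlan20
 description inside link: FWSM <-> MSFC
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan30
 description web servers (placeholder documentation prefix)
 ip address 192.0.2.1 255.255.255.0
!
! Everything not local goes back through the FWSM inside address
ip route 0.0.0.0 0.0.0.0 10.20.0.2

! ---- FWSM (single context or one admin-assigned context) ----
interface Vlan10
 nameif outside
 security-level 0
 ip address 10.10.0.2 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 10.20.0.2 255.255.255.0
!
! Default toward the internet router; web subnet is reached via the MSFC
route outside 0.0.0.0 0.0.0.0 10.10.0.1
route inside 192.0.2.0 255.255.255.0 10.20.0.1
!
! Only HTTP/HTTPS to the web subnet is allowed in from the outside;
! the explicit deny with log gives visibility into everything dropped
access-list OUTSIDE_IN extended permit tcp any 192.0.2.0 255.255.255.0 eq www
access-list OUTSIDE_IN extended permit tcp any 192.0.2.0 255.255.255.0 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The internet router must route the web prefix to 10.10.0.2, and any non-internet VLANs or WAN links stay on the MSFC side where the FWSM policy, not an MSFC ACL, decides what the internet can reach.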
