VACLs on 3750 Switch

Unanswered Question
Feb 4th, 2010

We have a pair of 3750 (collector) switches trunked together with a pair of ASA5510 firewalls connected to them. We want to attach different LAN segments, which are at different security levels, to the collector switches; they cannot have access to each other through the collectors, but they all require access to the firewalls. We have considered using private VLANs on the collectors, but we need to be able to route from access switches on each segment to the firewalls. Protected ports on the collectors would work if they spanned across the trunk, but they don't.

If we use a VACL on the collector which allows anyone to talk to only the firewalls and the firewalls to talk to anyone, would that provide any security beyond using a regular ACL? What are the security risks of using VACLs that the network could be compromised?


sachinraja Thu, 02/04/2010 - 12:55

Hi Martin

Are the 3750s connected to the ASA on layer 2? I saw that you mentioned that they are trunked together, but just wanted to confirm..

In case you trunk this, you wouldn't need layer 3 VACLs on the switch, since the collector 3750 is only going to act as layer 2 with regards to the end users.. All desktops on the LAN would have the ASA as the default gateway, and the ASA would be configured with the appropriate NAT, access-lists etc. for it to allow traffic between one segment and another.. Yeah, if there are 10 PCs on the collector on the same VLAN, they would be able to talk to each other, but inter-VLAN communication would be blocked unless allowed specifically in the ASA...

In case you want to restrict communication on layer 2 between end systems, you might have to look at MAC ACLs.. but I'm really not sure if it is administratively feasible, since it involves lots of information and configuration.

Hope this helps.. all the best..


JSCHWENG_2 Thu, 02/04/2010 - 14:28

Thank you - yes, the collectors would be an L3 switch but with one VLAN. Ideally the firewall and all the separated LAN segments would have an interface on that VLAN. But we would not want the separated LAN segments to be able to route to each other through the collectors, only to the firewalls.

What is the security risk in using a VACL on the VLAN, allowing only traffic from the firewall out to all segments and all the segments to only talk to the firewall?

sachinraja Thu, 02/04/2010 - 14:35

Hi Martin

Thanks for the explanation, but what do you mean by "Ideally the firewall and all the separated LAN segments would have an interface on that VLAN"? Are there more switches connected locally on the 3750 switch?

In any case, all the isolated segments seem to be layer 2 with respect to the 3750.. For example, you can have VLANs 10, 20, 30, 40 etc. defined on the 3750 switch, and a trunk from the 3750 to the ASA firewall.. On the ASA firewall, you can configure layer 3 interfaces for VLANs 10, 20, 30, 40 as:

vlan 10 -

vlan 20 -

vlan 30 -

vlan 40 - (say)

In this case, all traffic does flow through your ASA for access.. and you don't need to have VACLs configured on your 3750, since your VLANs wouldn't cross each other on the 3750..

Say you have your scenario altered, where the 3750 takes all the VLAN SVIs given above (10, 20, 30, 40), and you would then have a separate L3 link between your 3750 and the ASA.. In this case, yes, you can have VACLs blocking traffic on the 3750.. VACL is really good and secure, but it increases administration a bit...

Hope this helps.. all the best..
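As an added illustration of the single-VLAN design the original poster describes (this is not configuration posted by either participant in the thread), here is a Catalyst 3750 VLAN map that forwards IP traffic only when one end of it is the firewall and drops every other IP packet bridged inside the collector VLAN. The part that a router ACL does not give you is exactly this: a VLAN map is applied to frames switched within the VLAN, so host-to-host traffic that never crosses an SVI is still filtered. The VLAN number (100), the firewall addresses (192.0.2.1 active, 192.0.2.2 standby) and the ACL and map names are assumed values chosen for the example.

```cisco
! Added example, not from the thread. Assumed values:
!   VLAN 100   = the collector VLAN shared by all segments and the ASA pair
!   192.0.2.1  = ASA active interface IP, 192.0.2.2 = ASA standby IP

! 1. IP traffic that is allowed: anything to or from either firewall address.
!    Both directions are listed because a VLAN map sees every frame in the VLAN,
!    not just one direction of a conversation.
ip access-list extended FW-ONLY
 permit ip any host 192.0.2.1
 permit ip host 192.0.2.1 any
 permit ip any host 192.0.2.2
 permit ip host 192.0.2.2 any

! 2. Everything else that is IP, i.e. segment-to-segment traffic inside the VLAN.
ip access-list extended ALL-IP
 permit ip any any

! 3. The VLAN map. Sequences are evaluated in order and the first match wins:
!    sequence 10 forwards firewall traffic, sequence 20 drops all remaining IP.
!    Because the map only has "match ip address" clauses, non-IP frames
!    (ARP, CDP, STP, ...) are not evaluated by it and pass as before; a
!    "match mac address" clause would be needed to filter those.
vlan access-map COLLECTOR-FW-ONLY 10
 match ip address FW-ONLY
 action forward
vlan access-map COLLECTOR-FW-ONLY 20
 match ip address ALL-IP
 action drop

! 4. Attach the map to the collector VLAN.
vlan filter COLLECTOR-FW-ONLY vlan-list 100
```

Two practical points for the setup in the question. First, a VLAN map only filters frames on the switch it is configured on, so with two separate 3750s trunked together the same map must be configured on both collectors; "show vlan access-map" and "show vlan filter" confirm what each switch is applying. Second, the permit is keyed on the firewall's IP address, which the switch cannot authenticate, so the map on its own does not stop a host that uses the firewall's address as its source; enabling DHCP snooping and IP Source Guard on the access ports feeding the segments closes that gap, and logging on the ASA remains the place to see which segment-to-firewall flows actually occur.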
