We have a pair of 3750 (collector) switches trunked together with a pair of ASA5510 Firewalls connected to them. We want to attach different LAN segments to the Collector switches - which are at different security levels - and so cannot have access to each other through the collectors - but they all require access to the firewalls. We have considered using private vlans on the collectors but we need to be able to route from access switches on each segment to the firewalls. Protected ports on the Collectors would work if it would span across the trunk - but they don't.
If we use a VACL on the collector which allows anyone to talk to only the firewalls and the firewalls to talk to anyone, would that provide any security beyond using a regular ACL? What are the security risks of using VACLs that the network could be compromised?
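Added example (not from the original post): a Cisco IOS VACL on a 3750 that implements the policy described above for one segment VLAN. It assumes VLAN 10 is one segment and that the two ASA inside interfaces are 10.10.0.1 and 10.10.0.2; these addresses are constructed for illustration. The point it shows is the difference from a regular router ACL: a VACL is applied to every frame bridged within the VLAN, in both directions, so host-to-host traffic inside the segment is filtered too, whereas an ACL on the SVI only sees traffic that is routed off the VLAN.

```cisco
! Hypothetical addressing: firewall inside interfaces are 10.10.0.1 and 10.10.0.2 (constructed)
ip access-list extended SEG10-TO-FW
 permit ip any host 10.10.0.1
 permit ip any host 10.10.0.2
 permit ip host 10.10.0.1 any
 permit ip host 10.10.0.2 any
! VACLs only match IP ACLs against IP packets; ARP is non-IP and would otherwise
! fall through to the implicit drop at the end of the access-map, so permit it
! by EtherType with a MAC ACL (verify the mask syntax on your IOS release)
mac access-list extended SEG10-ARP
 permit any any 0x806 0x0
!
vlan access-map SEG10-POLICY 10
 match ip address SEG10-TO-FW
 action forward
vlan access-map SEG10-POLICY 20
 match mac address SEG10-ARP
 action forward
! any frame not matched by a clause above is dropped (implicit deny)
!
vlan filter SEG10-POLICY vlan-list 10
```

Two caveats worth keeping in mind when reviewing this against a plain ACL. First, because the map is symmetric (any to firewall, firewall to any), a host whose traffic the firewall forwards back into the same VLAN is still reachable through the firewall; the isolation only holds for frames switched directly between ports, so the firewall's own policy still has to deny segment-to-segment forwarding. Second, the `vlan filter` applies to the VLAN as a whole, including the trunk between the two collectors, which is what makes it work where protected ports do not; but it is enforced per switch, so both collectors must carry the same map, and the 3750 does not log VACL drops, so you will want the firewall's logs rather than the switch to see what was blocked.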