Cisco Support Community

New Member

ACL in layer 3 switch compared to ASA firewall

Dear All,

I have been given the task of limiting communication between 2-3 VLANs to allow only some services like file sharing / printing / email / AD connections.

I am not sure whether a layer 3 switch with an ACL is already good enough for limiting to the listed services.

Or do I need a real firewall between the networks?

The purpose of limiting to the listed services is security, e.g. a hacked / virus-infected PC in one VLAN spreading to all other VLANs.

Please advise.

Regards,

Roy

4 REPLIES
Cisco Employee

ACL in layer 3 switch compared to ASA firewall

My recommendation is to have a firewall instead of using the switch. The reason being that a switch is designed to switch/route packets as fast as possible, and an access-list just denies or allows connections statelessly.

With a firewall, the traffic is inspected statefully, and it has other features by default that prevent various attacks, i.e.: maintaining the TCP session so that incomplete sessions are dropped by the firewall, various application layer inspections, etc.
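The stateless-versus-stateful distinction in this reply, as an added toy model that is not part of the thread: a switch-style ACL with an `established` line beside an ASA-style session table, both run over a few constructed packets (the VLAN prefixes, addresses and service port numbers are assumptions, not values from the thread).

```python
# Added illustration, not code from the thread: a toy model of the
# stateless-vs-stateful difference the reply describes. VLAN prefixes,
# addresses, ports and packets are constructed for the example.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")  # flags: "S", "SA", "A"
# Services allowed from client VLAN (10.x) into server VLAN (20.x); standard ports, not from the thread.
ALLOWED = {445: "SMB", 9100: "print", 25: "SMTP", 389: "LDAP", 88: "Kerberos"}
CLIENTS, SERVERS = "10.", "20."

def stateless_acl(p):
    """Switch ACL: each packet judged alone. Replies need their own line;
    the usual IOS shortcut 'established' (ACK bit set) cannot tell a real
    reply from any other ACK-flagged packet."""
    if p.src.startswith(CLIENTS) and p.dst.startswith(SERVERS) and p.dport in ALLOWED:
        return True
    if p.src.startswith(SERVERS) and p.dst.startswith(CLIENTS) and "A" in p.flags:
        return True  # the 'established' entry
    return False

class StatefulFirewall:
    """ASA-style: a flow is admitted only as a SYN toward an allowed service,
    then both directions are matched against the session table."""
    def __init__(self):
        self.sessions = set()  # (client, cport, server, sport)

    def check(self, p):
        if ((p.src, p.sport, p.dst, p.dport) in self.sessions
                or (p.dst, p.dport, p.src, p.sport) in self.sessions):
            return True
        if (p.src.startswith(CLIENTS) and p.dst.startswith(SERVERS)
                and p.dport in ALLOWED and p.flags == "S"):
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False

def compare(packets):
    """Verdict (stateless, stateful) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_acl(p), fw.check(p)) for p in packets]

# Constructed traffic: a legitimate SMB session, then an unsolicited
# ACK-flagged packet from a (hypothetically infected) server-VLAN host.
SAMPLE = [
    Pkt("10.0.0.5", 51000, "20.0.0.10", 445, "S"),   # client opens SMB
    Pkt("20.0.0.10", 445, "10.0.0.5", 51000, "SA"),  # server's reply
    Pkt("20.0.0.99", 4444, "10.0.0.5", 3389, "A"),   # no session exists
    Pkt("10.0.0.5", 51001, "20.0.0.10", 3389, "S"),  # RDP is not on the list
]
```

The third packet is the one that matters: the switch ACL's `established` line passes it because the ACK bit is set, while the session table drops it because no client ever opened that flow.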

ACL in layer 3 switch compared to ASA firewall

Hi,

I personally feel bringing a firewall into this scenario is the best choice to secure the network. Even though your switch can do the ACL, an ACL in the firewall will be a good solution.

The switch will do better switching & the firewall will do better security for your network.

Having an ACL in the switch will put more load on the switch, and it's stateless.

You can use ACLs in the switch for QoS / line vty restriction / local host restriction. But interesting traffic towards the WAN/Internet should be handled by the firewall as a best practice.

Please do rate if the given information helps.

by

Karthik

ACL in layer 3 switch compared to ASA firewall

Hi Bro

If the rules you want to apply are just a few lines (<10), go ahead and use the switch. Of course, it's good to have a dedicated FW for this, but if it's just a few lines, don't waste your company's money :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
New Member

Re: ACL in layer 3 switch compared to ASA firewall

Hello Roy,

You have to understand that the ASA blocks traffic by default and you have to allow what is required.

Switches and routers by default allow all, and you configure what is to be blocked. So if you have a lot of traffic passing through that port, the CPU might get hit.

The ASA is the recommended device for that job.

Sent from Cisco Technical Support Android App

Please rate useful posts.
