First post so go easy on me. What is the proper placement for ACLs on a Cat using FWSM? Are there advantages / disadvantages to placing them in the FWSM or on the switch or MSFC?
Network is: internet -- msfc -- fwsm -- several vlans hosting web apps.
If you have an FWSM and you are trying to protect the vlans with web apps, then on the outside interface of your FWSM, assuming the outside interface is the one connected to the MSFC in your diagram above.
However, if the internet goes straight to the 6500, i.e. there is no firewall other than the FWSM, then you may have the wrong topology. It all depends on what else is on the 6500. If the 6500 is used purely for DMZs then you can use the above topology, but if the 6500 has internal servers that are not meant to be accessed by the internet then I would suggest the topology:
internet -> fwsm -> msfc -> web vlans
internet -> fwsm -> web vlans
The second one does not use the MSFC. This doesn't mean you can't use the MSFC for other devices, and bear in mind with the FWSM you can have multiple contexts.
A clearer answer can be given if you could clarify what else, if anything, is on the 6500.
One thing to say for sure though is that in your scenario you definitely wouldn't want to use just ACLs.
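A sketch of what the placement recommended above looks like on the FWSM, as an added illustration that is not part of this thread: the ACL lives on the FWSM's outside interface and only permits web traffic into the web-app VLAN. VLAN numbers, interface names and addresses (RFC 5737 documentation ranges) are made up for the example.

```cisco
! FWSM context configuration (constructed example, not from the thread)
! VLAN 10 is the link towards the MSFC/internet, VLAN 20 hosts the web apps
interface Vlan10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan20
 nameif webdmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Only HTTP/HTTPS from anywhere to the web-app subnet; everything else is
! dropped and logged. Stateful inspection handles the return traffic, which
! a plain interface ACL on the MSFC could not do.
access-list OUTSIDE_IN extended permit tcp any 192.0.2.0 255.255.255.0 eq 80
access-list OUTSIDE_IN extended permit tcp any 192.0.2.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Unlike PIX/ASA, the FWSM does not implicitly permit higher-to-lower
! security traffic, so the web VLAN needs its own outbound ACL as well.
access-list WEBDMZ_OUT extended permit tcp 192.0.2.0 255.255.255.0 any eq 443
access-list WEBDMZ_OUT extended deny ip any any log
access-group WEBDMZ_OUT in interface webdmz
```

If the internet terminates directly on the MSFC instead (the first topology in the thread), none of this protects VLANs that hang off the MSFC but are not behind the FWSM.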
I would say for the most part all of the servers are accessible via the internet. However, there are servers and other vlans that are not part of the outside network.
Can you clarify the difference in the two? How is the second topology more secure than the first?
internet -- msfc -- fwsm -- vlans
internet -- fwsm - msfc - vlans
If there are vlans connected to the MSFC that are not firewalled and these have devices that you do not want to give access to from the internet, or there are perhaps WAN connections connecting to the 6500 on the MSFC, then allowing the internet straight onto your MSFC is clearly very insecure, i.e. in theory you could route from the internet straight to non-internet servers or the WAN.
That is why the 2nd topology is much better, because you can firewall all traffic from the internet.
I have used the first topology above in a data centre environment where the outside was not the internet but the rest of the corporate WAN, so it is a valid design, just not when the internet is connected straight to the outside.