Cisco Support Community

Recommendation on having ACL on the switch or on the FW?

Hi There,

I have a setup of a core switch connected through a trunk link to a PIX535 FW; currently I have 150 users and the PIX is doing the ACL between the different VLANs. However, in the future the organization will grow to 2000+ users and I'm afraid of performance degradation on the FW side if we maintained the ACL on its side.

From a security perspective, is it better to keep the ACL managed by the PIX FW and not by the core switch? And from a performance perspective, is it recommended in my scenario to move the ACL to the core switch so the performance of the PIX doesn't get degraded?

Also, my core switch is 4 x Catalyst 3750 switches stacked together; will there be any performance problems when my organization grows to 2000+ users with this type of switch? (i.e. should we consider moving to a higher-end model like the 4500 series or 6500 series?)

Appreciate your feedback.

Re: Recommendation on having ACL on the switch or on the FW?

Hi Haith,

The Cisco 3750 is designed for use in small & medium sized networks. Since you say that your network is going to grow to 2000 plus users, you need to consider going in for either 4500 or 6500 series switches; you can also put the access-list on these switches & performance will not be affected. Deciding on the switch should also consider what type of application is going to run on the network. Let's say that if you are using it for Audio/Video applications with more than 2000 plus users, you should really go in for 6500 series switches, because the file sizes of these applications will be huge.

Hope this helps.

Rate this post if cleared. If not, please let me know.


Re: Recommendation on having ACL on the switch or on the FW?


Thanks for your input... So, what I understand from your post is that the 3750 switches are designed for small & medium size networks, whereas the 4500 and 6500 are for large enterprises. My question here: when choosing between 4500 and 6500 switches, what should I mainly base my decision on in order to select which series to go with?

Finally, what is the recommendation when choosing between having an ACL on the FW or on the L3 switch?



Re: Recommendation on having ACL on the switch or on the FW?


Best practice is to put the ACL near the source, so you can save bandwidth on the path that carries the traffic that needs to be blocked.

In your case, you can apply the ACL on the L3 switch on the VLAN interface if you have implemented VLANs, or on the interface of the switch where the traffic is coming into your network.

Hope this helps, or let me know if you have any questions ...
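As an added illustration of the placement advice in the answer above (this is a constructed example, not configuration from the original thread or from Cisco), the fragment below shows an extended ACL applied inbound on the user VLAN's SVI of the core switch, so inter-VLAN traffic that should never reach the server VLAN is dropped at the first Layer 3 hop instead of being trunked up to the PIX. VLAN numbers, addresses and the ACL name are hypothetical.

```cisco
! Constructed example (hypothetical VLAN numbers, addresses and ACL name).
! Router ACL applied inbound on the user VLAN SVI: traffic is filtered as it
! enters the switch from the users, i.e. close to the source, and the
! PIX only sees what the switch has already permitted.
ip access-list extended USERS-TO-SERVERS
 remark Users (VLAN 10) may reach the intranet web server on HTTP/HTTPS only
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.10 eq 80
 permit tcp 10.1.10.0 0.0.0.255 host 10.1.20.10 eq 443
 remark Users may query the internal DNS resolver
 permit udp 10.1.10.0 0.0.0.255 host 10.1.20.53 eq 53
 remark Everything else towards the server VLAN (VLAN 20) is dropped
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 remark Remaining traffic (e.g. towards the PIX / Internet) is allowed through
 permit ip 10.1.10.0 0.0.0.255 any
 remark Implicit "deny ip any any" at the end: a host in VLAN 10 spoofing
 remark a source address outside 10.1.10.0/24 is dropped as well
!
interface Vlan10
 description User VLAN - filtered at the SVI, near the source
 ip address 10.1.10.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
!
interface Vlan20
 description Server VLAN
 ip address 10.1.20.1 255.255.255.0
!
! Verification: confirm the ACL contents and that it is bound to the SVI
! show ip access-lists USERS-TO-SERVERS
! show ip interface Vlan10 | include access list
```

Two design points worth keeping in mind with this layout: the ACL is written from the point of view of the VLAN it is applied to (sources are the VLAN 10 subnet, so the implicit deny at the end also catches spoofed sources), and it is deliberately kept to plain permit/deny entries, because on a switch in this class ACL entries are evaluated in hardware while options such as the `log` keyword push matching packets to the CPU, which is exactly the kind of load the original poster wants to avoid at 2000+ users.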
