[c-nsp] VLANs ACLs in a 3750 switch stack

JA Colmenares sforcejr at yahoo.com
Wed Jan 16 07:43:42 EST 2013



Hi all,

We have this case:

A Cisco 3750-X stack with several VLANs and many ACLs applied to the virtual interfaces. Inter-VLAN routing is on. Connected to this stack are VMware hosts with about 500 VMs.

We started using the ACLs to allow connectivity between VLANs to specific hosts and it has grown to thousands of lines. I personally do not think this is good for the switch and believe the switch was not intended to be used for that security feature.

The simplified environment looks like this:


 INTERNET ROUTER =====EXTERNAL FIREWALL ======CORE ROUTER=====3750-X SWITCH STACK


QUESTIONS:

- Does it make sense to add an "internal firewall" between the CORE ROUTER and the 3750-X SWITCH STACK?
- Do you recommend any other way?
- Any recommended CISCO resource/white paper to read about best practice?

Thanks

Juan
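For readers unfamiliar with the setup described above, here is the pattern the post refers to: a named extended ACL applied inbound on a VLAN interface (SVI) so that only specific hosts may cross between VLANs. This is an added illustration, not configuration from the poster; the VLAN numbers, addresses and ports are constructed placeholders.

```cisco
! Constructed example: allow only two application servers in VLAN 20 to reach
! the database host in VLAN 30, deny everything else leaving VLAN 20 and log it.
ip access-list extended VLAN20-IN
 remark -- permitted inter-VLAN flows (placeholder addresses) --
 permit tcp host 10.20.0.15 host 10.30.0.40 eq 1433
 permit tcp host 10.20.0.16 host 10.30.0.40 eq 1433
 remark -- keep hosts inside VLAN 20 unaffected (same-subnet traffic is switched, not routed) --
 remark -- everything else crossing the SVI is dropped and logged --
 deny   ip any any log

interface Vlan20
 description App servers (constructed)
 ip address 10.20.0.1 255.255.255.0
 ip access-group VLAN20-IN in
```

Each additional "allow host A to host B" requirement adds at least one line to an ACL like this, which is how a list grows to thousands of entries. Two checks worth running on a 3750 carrying large SVI ACLs are `show ip access-lists` (per-entry hit counters, useful for finding dead entries) and `show platform tcam utilization`, since these ACLs are programmed into hardware TCAM and the switch has a finite number of entries per stack member.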

