On 4/7/09, Michael Helmeste <mhelmest@uvic.ca> wrote:
Hi all, One of the duties of my current place of employ is reorganizing the network. We have a few Catalyst 6500 series L3 switches, but currently do all packet filtering (and some routing) using a software based firewall. Don't ask me, I didn't design it :)
Current security requirements are only based on TCP and non-stateful UDP src/dst net/port filtering, and so my suggestion was to use ACLs applied on the routed interface of each VLAN. There was some talk of using another software based firewall or a Cisco FWSM card to filter traffic at the border, mostly for management concerns. We expect full 1 gig traffic levels today, and 10 gig traffic levels in the future.
I view ACLs as being a cheap, easy to administrate solution that scales with upgrades to new interface line speeds, where a full stateful firewall isn't necessary. However, I wanted to get other opinions of what packet filtering solutions people use in the border and in the core, and why.
ACLs are a cheap solution; ease of administration depends on your scale in terms of number of entries. Keep in mind that depending on your hardware platform, using ACLs can run into unexpected limitations. If you're considering doing this on the 6500 platform, read up on TCAM limitations and L4Op/LOU operator limits: http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09... It can be a very rude awakening when you add one more seemingly innocuous ilne to your ACL, and discover the entire thing has suddenly gone into software switched mode. With that caveat aside, there are many large sites that do make use of ACLs as part of their security repetoire. It's definitely something to consider, just be aware of your hardware platform's limitations before diving in headfirst. Matt
What's out there, and why do you guys use it? How do you feel about the scalability, performance, security, and manageability of your solution? What kind of traffic levels do you put through it?