East-West Firewall Protection

ricvil

The MX appliances have a pretty attractive set of advanced firewall features in the Advanced Security License. My question is, do the appliances protect against spreading east-west malware, for example? As long as we plug the LAN devices into available ports directly on the MX and all are in the same VLAN, does the MX actually inspect same-VLAN traffic, or does it simply switch it?

Thanks,

Ricardo

ACCEPTED SOLUTION
Bruce

As Karsten stated, if the traffic is in the same VLAN then there is no inspection. If you’re passing traffic between VLANs then the MX firewalls apply as well as the IDS/IPS rules, but not the AMP - that only applies to traffic arriving directly on the WAN/internet port. So the MX can be good for macro-level segmentation for a small server farm (where you can put each server in its own VLAN); the greatest limitation may be the throughput of the MX appliances (which Karsten’s suggestion of a Cisco Firepower may ‘fix’).

If you’re wanting to provide inspection for all traffic within a data centre, along the lines of micro-segmentation, then I’d be looking at other technology. Something like Cisco ACI can achieve that, or there are options depending on what hypervisor you are using (e.g. VMware NSX).

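The accepted answer's practical recommendation is macro-segmentation: one server per VLAN, so that every server-to-server flow crosses the MX L3 firewall and IDS/IPS, while anything that stays inside a VLAN is only switched. The following planning helper is an added example written for this thread, not code from the original post or from Cisco Meraki. It takes a constructed VLAN table and a constructed list of intended flows, flags the flows the MX would never inspect (same VLAN or outside any known VLAN), and builds an MX-style L3 firewall rule list that allows only the listed inter-VLAN flows and denies all other VLAN-to-VLAN traffic. The rule field names and the `l3FirewallRules` endpoint in `push_rules()` are assumptions based on the Meraki Dashboard API v1 and are not confirmed by the thread; the sample addresses, VLAN numbers and ports are constructed.

```python
"""Added example, not from the Meraki Community thread: a planning helper for
the one-VLAN-per-server macro-segmentation approach described in the accepted
answer. VLANs, flows, ports and addresses below are constructed sample data.
Rule field names and the API endpoint in push_rules() are assumptions based
on the Meraki Dashboard API v1."""
import ipaddress
import json
from urllib import request

# Constructed sample VLANs for a small server farm, one server per VLAN.
VLANS = {
    10: "10.0.10.0/24",   # web
    20: "10.0.20.0/24",   # app
    30: "10.0.30.0/24",   # db
}

# Constructed intended flows: (src_ip, dst_ip, protocol, dst_port)
FLOWS = [
    ("10.0.10.5", "10.0.20.5", "tcp", 8080),   # web -> app, crosses the MX
    ("10.0.20.5", "10.0.30.5", "tcp", 5432),   # app -> db, crosses the MX
    ("10.0.10.5", "10.0.10.9", "tcp", 445),    # web -> web, same VLAN: switched, never inspected
]


def vlan_of(ip):
    """Return the VLAN id whose subnet contains ip, or None if it is in no known VLAN."""
    addr = ipaddress.ip_address(ip)
    for vid, cidr in VLANS.items():
        if addr in ipaddress.ip_network(cidr):
            return vid
    return None


def classify_flows(flows):
    """Split flows into those the MX firewalls (inter-VLAN) and those it only
    switches (intra-VLAN) or cannot place in a VLAN at all."""
    inspected, uninspected = [], []
    for src, dst, proto, port in flows:
        s, d = vlan_of(src), vlan_of(dst)
        if s is None or d is None or s == d:
            uninspected.append((src, dst, proto, port))
        else:
            inspected.append((src, dst, proto, port))
    return inspected, uninspected


def build_l3_rules(inter_vlan_flows):
    """Build an MX-style L3 firewall rule list: one allow per intended
    inter-VLAN flow on its exact port, followed by an explicit deny for every
    VLAN pair. Rules are evaluated top down, and the MX ends the list with a
    default allow-any, so the explicit denies are what make the segmentation
    default-deny. Field names are assumed from the Dashboard API v1."""
    rules = []
    for src, dst, proto, port in inter_vlan_flows:
        rules.append({
            "comment": f"allow VLAN{vlan_of(src)} -> VLAN{vlan_of(dst)} {proto}/{port}",
            "policy": "allow",
            "protocol": proto,
            "srcCidr": f"{src}/32",
            "destCidr": f"{dst}/32",
            "destPort": str(port),
            "syslogEnabled": True,
        })
    for s_vid, s_cidr in VLANS.items():
        for d_vid, d_cidr in VLANS.items():
            if s_vid != d_vid:
                rules.append({
                    "comment": f"deny VLAN{s_vid} -> VLAN{d_vid}",
                    "policy": "deny",
                    "protocol": "any",
                    "srcCidr": s_cidr,
                    "destCidr": d_cidr,
                    "destPort": "any",
                    "syslogEnabled": True,
                })
    return rules


def push_rules(api_key, network_id, rules):
    """Push the rule list to the network (assumed API v1 endpoint; not called by default)."""
    url = f"https://api.meraki.com/api/v1/networks/{network_id}/appliance/firewall/l3FirewallRules"
    req = request.Request(url, data=json.dumps({"rules": rules}).encode(),
                          method="PUT",
                          headers={"X-Cisco-Meraki-API-Key": api_key,
                                   "Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    inspected, uninspected = classify_flows(FLOWS)
    for flow in uninspected:
        print("NOT inspected by the MX (same VLAN or unknown subnet):", flow)
    print(json.dumps(build_l3_rules(inspected), indent=2))
```

Running it prints the web-to-web SMB flow as uninspected, which is exactly the east-west case the original question asks about: no L3 rule can cover it because the MX never sees it at layer 3. Only the two flows that cross VLANs end up with allow rules, followed by six explicit deny rules (one per ordered VLAN pair) so that any unlisted inter-VLAN traffic is dropped instead of hitting the default allow.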

3 REPLIES
KarstenI

My last test (some time ago) showed no inspection for intra-VLAN traffic, but IPS is applied for inter-VLAN traffic. But I did not test transparent mode.

I would assume that for this use case there is not enough flexibility for tuning on the MX. I would look for a Firepower appliance.

ricvil

Understood. Thanks for the insight.
