security groups versus network ACL to isolate traffic between subnets

New here

Hi all:

I'm currently studying for the CompTIA Cloud exam and I can't seem to decide on the best answer to the following question.

I know it will be either security groups or network ACLs, but which one is better in this case, and why?

A cloud architect is asked to isolate traffic between subnets in an IaaS. The networks still have to communicate with each other. Which one would you implement?

a. Configure security groups

b. Configure HIPS

c. Configure IDS

d. Configure network ACLs

 

Thnx

Kind of a big deal

Re: security groups versus network ACL to isolate traffic between subnets

The only possible solution is an ACL.

A security group is simply a collection of hosts or subnets. It in itself doesn't limit traffic.

 

Kind of a big deal

Re: security groups versus network ACL to isolate traffic between subnets

Not sure if this is really relevant on the Meraki forums lol, but, well, off the cuff... if the networks still need to communicate, then using an ACL would in theory block communication between them (assuming the ACL is blocking the entire VLAN/subnet). With security groups I would imagine you can leave communication between the networks alone, but isolate it per group so that user1 can converse, user2 cannot, etc.
Nolan Herring | nolanwifi.com
New here

Re: security groups versus network ACL to isolate traffic between subnets

But an ACL would block the traffic between the networks (at least that's my understanding of ACLs), and the question states that they still should be able to communicate...

 

thnx

Kind of a big deal

Re: security groups versus network ACL to isolate traffic between subnets

Obviously don't put block rules in place for traffic you want to allow.
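The point the replies circle around (an ACL only blocks what you tell it to block, so isolation and "still able to communicate" are not in conflict) is easier to see with an ordered subnet ACL evaluated against sample flows. This is an added illustration, not code or configuration from the thread or from any vendor; the subnets, addresses and ports are constructed, and the first-match semantics are a generic model of a subnet ACL, not a specific product's behaviour.

```python
import ipaddress

# Constructed example: two subnets in the same IaaS network.
SUBNET_A = ipaddress.ip_network("10.0.1.0/24")
SUBNET_B = ipaddress.ip_network("10.0.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each rule: (source network, destination port or None for any port, action).
# Rules are evaluated top-down, first match wins; no match means deny.

# The "block the entire subnet" ACL the thread worries about: subnet B is
# isolated from A, but the required communication is cut off as well.
ACL_B_BLOCK_ALL = [
    (SUBNET_A, None, "deny"),
    (ANY, None, "deny"),
]

# The ACL the last reply describes: explicitly allow the traffic that must
# flow, then deny everything else. Subnet B is still isolated from A except
# for HTTPS, so the two networks keep communicating on that one service.
ACL_B_INBOUND = [
    (SUBNET_A, 443, "allow"),
    (SUBNET_A, None, "deny"),
    (ANY, None, "deny"),
]

def evaluate(acl, src_ip, dst_port):
    """Return the action of the first rule matching (src_ip, dst_port)."""
    src = ipaddress.ip_address(src_ip)
    for network, port, action in acl:
        if src in network and (port is None or port == dst_port):
            return action
    return "deny"  # implicit deny when nothing matches

def check_flows(acl, flows):
    """Evaluate a list of (src_ip, dst_port) flows into subnet B."""
    return {(src, port): evaluate(acl, src, port) for src, port in flows}

if __name__ == "__main__":
    sample = [("10.0.1.10", 443), ("10.0.1.10", 22), ("192.168.9.9", 443)]
    for name, acl in (("block-all", ACL_B_BLOCK_ALL), ("allow-https", ACL_B_INBOUND)):
        print(name, check_flows(acl, sample))
```

Running the block shows the difference in one line each: the block-all ACL denies every flow from subnet A, while the allow-then-deny ACL lets only A's HTTPS traffic into B and drops the rest, which is the isolation the exam question asks for.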
