Due to legacy design, our management VLAN (where the consoles of various servers, ESXi hosts and devices, including the WAF and firewalls, sit) is open to users to SSH/SSL in (though a password will be prompted).
There's an urgency to fix this: I heard this VLAN sits on either the core or distribution Layer 3 switches and not behind a firewall; migrating it to behind a firewall is going to take time, and we may not have enough free firewall ports/legs.
What's the fastest and safest way (i.e. without causing disruption when making the change) to get this VLAN filtered/protected (pending a firewall purchase, which will take a while), as it's considered quite a risk?
I suggested putting ACLs on the distribution/core switch, but my network admin objected, saying the core switch's function is fast routing/switching and we should not put ACLs on it as they will slow down the routing/switching. He further argued that such ACLs can be complex and could accidentally block dynamic routing protocols (EIGRP, OSPF, etc.), causing disruption.
Our core and distribution switches sit in the same Nexus chassis.
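The kind of NX-OS router ACL the question is proposing, written out as an added example (this is not configuration from the original post or from any vendor document). Everything specific in it is assumed: management VLAN 99 with SVI Vlan99 and subnet 10.99.0.0/24, admin jump hosts in 10.10.50.0/28, a monitoring server at 10.10.60.10, and the ACL name PROTECT-MGMT-OUT. The example addresses the admin's two objections directly: the routing protocols are permitted by name in the first entries so the ACL cannot be what breaks an EIGRP or OSPF adjacency, and the ACL is staged with a logging `permit ip any any` at the end so it can be applied without blocking anything, observed, and only then switched to deny.

```cisco
! Assumed addressing (not from the post): management VLAN 99 = 10.99.0.0/24,
! admin jump hosts = 10.10.50.0/28, monitoring server = 10.10.60.10.
! Applied outbound on the management SVI, so it only filters traffic
! being routed INTO the management VLAN; nothing else on the switch changes.

ip access-list PROTECT-MGMT-OUT
  statistics per-entry
  ! Routing protocols first: an adjacency on this SVI can never be lost to this ACL
  10 permit eigrp any any
  20 permit ospf any any
  ! Return traffic for sessions the management hosts themselves open (DNS, NTP, updates)
  30 permit tcp any 10.99.0.0/24 established
  40 permit udp any eq domain 10.99.0.0/24
  50 permit udp any eq ntp 10.99.0.0/24
  ! Only the admin jump hosts may open SSH/HTTPS to consoles, ESXi, WAF and firewalls
  60 permit tcp 10.10.50.0/28 10.99.0.0/24 eq 22
  70 permit tcp 10.10.50.0/28 10.99.0.0/24 eq 443
  ! Monitoring server: SNMP polling and ping
  80 permit udp host 10.10.60.10 10.99.0.0/24 eq snmp
  90 permit icmp host 10.10.60.10 10.99.0.0/24
  ! Stage 1 (observe): let everything else through but log and count it
  1000 permit ip any any log
  ! Stage 2 (enforce): once entry 1000 shows no legitimate hits, replace it with
  !   no 1000
  !   1000 deny ip any any log

interface Vlan99
  description Management VLAN SVI (assumed interface)
  ip access-group PROTECT-MGMT-OUT out
```

While in stage 1, `show ip access-lists PROTECT-MGMT-OUT` shows the per-entry counters and `show logging` the hits on entry 1000; anything legitimate that turns up there (a backup server, a vCenter, a syslog collector) gets its own permit entry before the final line is flipped to deny. Two caveats for the practitioner: egress RACL support on SVIs varies by Nexus platform (Nexus 7000 and 9000 support it; some smaller Nexus models support ingress only), and if it is unavailable the same filtering goes in the `in` direction on each user-facing SVI with 10.99.0.0/24 as the destination. Also, on Nexus the ACL is programmed into TCAM and evaluated in hardware, so an ACL of this size costs TCAM entries rather than forwarding performance; on platforms that support it, `show hardware access-list resource utilization` shows how much TCAM is free before the ACL is applied.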