https://community.cisco.com/t5/network-security/asa-55xx-layer-2-vs-layer-3-best-practice/m-p/1487345#M726045 <HTML><HEAD></HEAD><BODY><P>I guess I should have been a little more clear - should the switches be running Layer 2 or Layer 3.</P><P></P><P>Option 1 - Layer 2 switch, requires trunking and static route statements on the firewall. </P><P></P><P>Option 2 - Layer 3 switch, use VLAN subinterfaces, trunking.</P><P></P><P>I think both require static NAT statements to allow the VLANs with same security level to communicate.</P></BODY></HTML> Mon, 31 May 2010 17:30:50 GMT sdhill 2010-05-31T17:30:50Z https://community.cisco.com/t5/network-security/asa-55xx-layer-2-vs-layer-3-best-practice/m-p/1487343#M726043 <P>Depending on the person at TAC some recommend using only layer 2 and while others suggest using layer 3 when using the firewall in routed mode and not utilizing a router. So what does everyone think? Keep in mind the possibility of using VPN access due to hairpin issues.</P><P></P><P>Should you use a layer 3 switch, define the VLANS, turn on ip routing, and trunk to the firewall interface with VLAN subinterfaces? or</P><P></P><P>Use a layer 2 switch, define the VLANS, use ip default-gateway, and define static routes on the firewall?</P> Mon, 11 Mar 2019 17:52:37 GMT https://community.cisco.com/t5/network-security/asa-55xx-layer-2-vs-layer-3-best-practice/m-p/1487343#M726043 sdhill 2019-03-11T17:52:37Z https://community.cisco.com/t5/network-security/asa-55xx-layer-2-vs-layer-3-best-practice/m-p/1487344#M726044 <HTML><HEAD></HEAD><BODY><P>Since you would like to terminate VPN on the ASA, then you would need to go with Layer 3 (routed firewall), because Layer 2 (transparent firewall) does not support VPN termination.</P><P></P><P>Here are a list of things that are not supported on Layer 2 firewall for your reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/fwmode.html#wp1222823">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/fwmode.html#wp1222823</A></P><P>(<SPAN class="content">Table 4-1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Unsupported Features in Transparent Mode)</SPAN></P><P></P><P>The actual doc also explains both firewall as a routed and transparent firewall for your reference:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/fwmode.html">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/fwmode.html</A></P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 31 May 2010 10:18:53 GMT https://community.cisco.com/t5/network-security/asa-55xx-layer-2-vs-layer-3-best-practice/m-p/1487344#M726044 Jennifer Halim 2010-05-31T10:18:53Z https://community.cisco.com/t5/network-security/asa-55xx-layer-2-vs-layer-3-best-practice/m-p/1487345#M726045 <HTML><HEAD></HEAD><BODY><P>I guess I should have been a little more clear - should the switches be running Layer 2 or Layer 3.</P><P></P><P>Option 1 - Layer 2 switch, requires trunking and static route statements on the firewall. </P><P></P><P>Option 2 - Layer 3 switch, use VLAN subinterfaces, trunking.</P><P></P><P>I think both require static NAT statements to allow the VLANs with same security level to communicate.</P></BODY></HTML> Mon, 31 May 2010 17:30:50 GMT https://community.cisco.com/t5/network-security/asa-55xx-layer-2-vs-layer-3-best-practice/m-p/1487345#M726045 sdhill 2010-05-31T17:30:50Z https://community.cisco.com/t5/network-security/asa-55xx-layer-2-vs-layer-3-best-practice/m-p/1487346#M726046 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The fact that you use L2 or L3 switches behind the ASA, it will just change how the ASA look at this devices.</P><P></P><P>For example,</P><P>If you configure the switches at L2, the ASA will look at the switches as regular L2 switches and will share a subnet with the next L3 device on the path to the inside.</P><P>If you configure the switches at L3, the ASA will look at those switches as routers.</P><P></P><P>Which are the benefits or disadvantages of one solution over the other depends on your entire topology (hard to tell without knowing the layout).</P><P></P><P>If you can post a simple diagram with what you're planning to do, I think you'll get more help here.</P><P></P><P>Federico.</P></BODY></HTML> Mon, 31 May 2010 17:36:07 GMT https://community.cisco.com/t5/network-security/asa-55xx-layer-2-vs-layer-3-best-practice/m-p/1487346#M726046 Federico Coto Fajardo 2010-05-31T17:36:07Z