We are pulling together a solution for a customer where we are looking at procuring a pair of Cisco 4510RE with Sup 7E and 5 wire-rate line cards. Each line card in the chassis will be a unique vlan with an SVI configured. We intend to trunk the 5 vlans via the 10gb interfaces on the Sup to a pair of Juniper ISG2000 firewalls in Master/Slave mode, where each vlan will have its own layer 3 subinterface configured.
Each of the attached servers in all vlans will have their gateways configured on their respective ISG2000 subint, not on the 4510 switch.
The questions I have are:
1) We need to enable netflow so as to see the inter-vlan traffic. As the only L3 IP associated with each vlan is its SVI, can this be used as the required L3 interface for network monitoring?
2) Do we have to enable IP routing on the 4510 to allow the above to work?
3) If we do this, when server A in vlan 10 wants to talk to server A in vlan 20, will the 4510 PFC identify this as being a directly connected network and switch the traffic via its own switch fabric, and thus bypass the firewall gateway altogether?
If what I describe in 3 above were to happen, we would have to abandon this design and look at possibly using 3750X with network service modules for netflow.
Any assistance or thoughts would be greatly appreciated guys.