Correct, all my my end devices in question are indeed using 10G NIC's. Well I suppose you answered my question... There are multiple vlans and they do talk, but being routing is done on firewall, it will not utilize 10G. Is the alternative to move the vlans [sourced] on the SG350XG. Unless of course.. there is a way.

I think there is a way to have the best of the two worlds - you can have the intervlan routing on the SG350XG which will be done at 10G and have another VLAN only for Internet access that will run at maximum 1Gbps. You can perform NAT on the FPR, using the subnets of the inside VLANs into the WAN IP's provided by your ISP.

Interesting.

So if I see this correctly, from the FPR I have my 6 vlans and TRUNK them to the SG Switch.. I create a 7th vlan for the 'SG to FPR' for Internet.

I currently do have my vlans with NAT to the WAN IP addresses. So the NAT's I have would stay in place but would this be a route issue on the SG like 0.0.0.0/24 [ip of new vlan] ?

No, my suggestion is to have the 6 VLANS on the switch and do intervlan routing and have a 7th VLAN for Internet access. 

Alright yes, that I understand.

Then you should have Firewall with higher capcity or stay locally switching to get 10GB, Do you have 10GB traffic inside Lan ?

Yeah I mean I suppose I could upgrade but for home that will not be an option. My end devices are 10G, my SG350XG is 10G.. Everything LAN side is 10G, but the Firewall is 1G.. Just curious if I could keep the "transfer of data" on the SG even though the FPR is doing NAT/ACL/Routing.. But maybe LG is on to something.

Whew that is changing it up for me. Looking at https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215351-configure-verify-and-troubleshoot-port.html#toc-hId-174539692 it seems it can be done.

A lot of these examples and suggestion assume the other end is known as well. From what I can see I create the Interfaces into the Port Channel and then I add the Sub-Interfaces [vlans?] into that which would be in my case 6 vlans. Each Sub Interface would ave the .1 IP as it would be the Gateway back to the FPR from the Switch over the Port Channel.

This allows the vlans on the Switch to still route back to the FTD but now using the higher GB Speeds due to Port Channel? In the example it shows 2 Interfaces. Is this an example or is this the limit? Assuming 1G interfaces, if I use 6 it would be a 6G throughput?

Hello @TheGoob ,

the FPR 1010 is a device for a branch office it cannot handle so much traffic even if you can setup a L2 portchannel combined with SVI VLANs interfaces the suggestion by  @liviu.gheorghe is the more correct one: move back inter vlan routing to the switch and have a new subnet with two interfaces in port-channel to connect to the FP1010. So NAT and internet access is managed by the firewall and your inter VLAN routing can achieve better performance.

Edit:

I may be wrong but you have put the same question some mounths ago. Is it correct ?

Hope to help

Giuseppe

I did but in the end I sort of achieved it but then got a lot of weird hangups, probably a configuration elsewhere that was wrong. Needless to say I accidentally lost my configuration when doing a downgrade so had to start over with no backup so wanted a new fresh approach.

"move back inter vlan routing to the switch and have a new subnet with two interfaces in port-channel to connect to the FP1010. So NAT and internet access is managed by the firewall and your inter VLAN routing can achieve better performance."

'Move back' as in make the Switch be the source of the vlans and create them there with DHCP Server(s) and remove them from the FPR and the FPR will only do the NAT and Internet access and then create the 2 Port-channels on FPR and SG and use that as the route back to the FPR for NAT/Internet, using 0.0.0.0/24 [IP of FPR] for Internet?

Hello @TheGoob ,

>> as in make the Switch be the source of the vlans and create them there with DHCP Server(s) and remove them from the FPR and the FPR will only do the NAT and Internet access and then create the 2 Port-channels on FPR and SG and use that as the route back to the FPR for NAT/Internet, using 0.0.0.0/24 [IP of FPR] for Internet?

yes this is the idea. DHCP server can be also an internal server or on the switch for the 6 VLANs/subnets.

the switch will have a static default route 0.0.0.0/0 pointing to the FPR 1010 on the new subnet.

The FPR 1010 will have 6 static routes pointing to the switch for the internal networks

Hope to help

Giuseppe

You may not get 6GB single speed, but Load-balance should give you enough room, and you can achieve better than 1GB.

Check the method it works :

https://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12023-4.html