Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
557
Views
0
Helpful
2
Replies

Data Centre Connectivity to Firewalls and WAN circuits

dm2020
Level 1
Level 1

‎03-25-2019 01:28 AM

Hi All,

 

I have a design question that I'm hoping that someone can help with.

 

I have a new DC that consists of two Nexus 9K core switches and two 9K access switches. The core and access switches are connected together using a back-to-back vPC. The core switches only have SFP+ ports and the access switches have 1000Base-T ports.

 

I have to connect the Cisco ASA firewalls and WAN routers to the topology. I'm wondering if its best to connect these directly to the core, and purchase some GLC-T modules for these, or if there are no issues connecting directly to the access switches? I have seen lots of designs where these devices either connect to the core or connect to a WAN aggregation switch which is connected to the core in a similar back-to-back vPC fashion.

 

Any guidance would be appreciated

 

Thank you

Labels:
0 Helpful
2 Replies 2

Mark Malone
VIP Alumni
VIP Alumni

‎03-25-2019 01:49 AM

Hi
I would connect them to the core and run L3 between them , its supported from release 7.0(3)I5(1) on 9ks

Configuring Layer 3 over vPC
Added support for configuring Layer 3 over vPC.
7.0(3)I5(1)

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_chapter_0100...

Configuring Layer 3 over vPC
0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni

‎03-25-2019 03:17 AM

Hi,

Let's understand, why you will connect Firewall on Core switch?

 

 Your LAN traffic will go to Core switch and Core switch will forward to the Firewall. In this case, you will use the Core switch routing/backbone bandwidth and it will faster. If your traffic goes back to the access switch from the core switch then there will uplink port double utilization, Access is slower compare to the core switch, L3 routing limitation on Access switch, increasing broadcast domains on the network. 

If your access switch will go down or faulty then the complete network will down. 

 

The biggest issue which I am always recommending that the Core switch means a less and non-touchable switch in a day to day life. But Access switch or distribution switch it will require daily changes as port changes/VLAN changes/Port security violation etc. (completely depends on network).

 

Regards,

Deepak Kumar

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card