03-25-2019 01:28 AM
Hi All,
I have a design question that I'm hoping that someone can help with.
I have a new DC that consists of two Nexus 9K core switches and two 9K access switches. The core and access switches are connected together using a back-to-back vPC. The core switches only have SFP+ ports and the access switches have 1000Base-T ports.
I have to connect the Cisco ASA firewalls and WAN routers to the topology. I'm wondering if it's best to connect these directly to the core and purchase some GLC-T modules for them, or if there are no issues with connecting them directly to the access switches? I have seen lots of designs where these devices either connect to the core or connect to a WAN aggregation switch, which is connected to the core in a similar back-to-back vPC fashion.
Any guidance would be appreciated.
Thank you
03-25-2019 01:49 AM
03-25-2019 03:17 AM
Hi,
Let's understand why you would connect the firewall to the core switch.
Your LAN traffic will go to the core switch, and the core switch will forward it to the firewall. In this case, you will use the core switch's routing/backbone bandwidth and it will be faster. If your traffic goes back to the access switch from the core switch, then there will be double utilization of the uplink ports; the access switch is slower compared to the core switch, there are L3 routing limitations on the access switch, and the broadcast domains on the network increase.
If your access switch goes down or is faulty, then the complete network will be down.
The biggest point, which I am always recommending, is that the core switch should be a less-touched, "non-touchable" switch in day-to-day life. But an access switch or distribution switch will require daily changes such as port changes, VLAN changes, port security violations, etc. (it completely depends on the network).
Regards,
Deepak Kumar