Re: Layer 3 Boundary Access Switch

Cisco4Life · ‎04-10-2018

So I am pretty much stumped. I am redesigning a network and looking to bring the layer 3 boundary down to the Access Layer switches. That part is fine. Where I am having an issue is figuring out where to put my ASA to be able to separate the Lab and Admin networks which will be on a Layer 3 switch utilizing vlan 10 and vlan 110.

I would like to control traffic to/from vlan 10 and 110. My brain says the ASA would need to hang off an aggregate switch which the Access layer switches connect to, but thats where my brain is failing me..

So is this type of design possible? or would Ineed to bring the layer 3 boundary up to the Aggregate switches?

Thanks

Frank

Reza Sharifi · ‎04-10-2018

If you are trying to control access between vlans and you are routing at the access layer, the traffic would never reach the firewall. So, you can use the access layer as layer-2 only and move the routing to the firewall which can also be used as aggregation. You can then use the firewall to block communications between the vlans. The problem with this solution is that the firewalls usually don't have enough port to accommodate all access switches uplinks. The other option would be to use the access layer as layer-3 and use ACL to block communications between the 2 vlans. This is a simpler design.

HTH

Cisco4Life · ‎04-10-2018

Reza- Thanks for your input. Like you said; ACLs will be the best over solution if I want to keep the Layer 3 at the Access. Frank