Layer 3 Switch vs ASA, which one for inter-vlan routing?

oborrero29
Level 1

Greetings, 

I've been working on my GNS3 labs and I just finished configuring Routing on a Stick: Trunking (L2 switch with multiple VLANs and a trunk interface to a router); I've also completed a lab with L3 switching and SVIs. From what I've seen in some environments, most network setups look like this: Server > L2 Switch > ASA (the ASA handles inter-VLAN routing). Another alternative would be Server > L3 Switch > ASA. In this latter scenario, where would/should the inter-VLAN routing happen? Could an L3 switch and an ASA work together? Are there benefits to either setup? It seems to me that the ASA at its heart is an L3 switch with WAN capabilities, so is there even a need for an L3 switch? What's the most common setup for ASAs?

1 Accepted Solution

Hello.

First of all, the ASA is a security device. So how you use it really depends on your security requirements.

If you have some special security constraints on inter-VLAN traffic routing (like in a DMZ between different applications), then the ASA should be routing the traffic.

If you have a requirement to minimize latency and maximize the throughput of your routing, then an L3 switch is your choice.

PS: An L3 switch has its cost in terms of purchase and support, as does the ASA; so cost might become an important criterion.


3 Replies

Hi Vasilii, 

If I can apply ACLs to an L3 switch, then what additional benefit can the ASA provide that the L3 switch can't? Couldn't the L3 switch accommodate the special security constraints on inter-VLAN traffic routing? I've read that by default L3 switches allow all traffic, as opposed to ASAs, which block all traffic.

Hello.

First of all, the ASA is a great NAT device. So, if you need flexibility in NAT, then the ASA is your choice.

The ACLs you mentioned on an L3 switch are one-way only; at the same time the ASA is a stateful device that tracks all the connections and may look deep inside (up to L7).

Let's try it another way: what are your security requirements and what is your budget? Do you need high availability (more than one device and automatic failover)?
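To make the "one-way ACL versus stateful device" distinction from the reply above concrete, here is an added Python simulation (it is not from the thread or from Cisco): a stateless per-direction ACL, as on an L3-switch SVI, next to a simplified connection-tracking filter in the style of the ASA. The VLAN addressing, policy and sample packets are constructed for the illustration.

```python
import ipaddress
from collections import namedtuple
Packet = namedtuple("Packet", "src dst sport dport syn ack")  # syn/ack: TCP flag bits

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

# Stateless ACL as on an L3-switch SVI: every packet is judged on its own, in one
# direction, with an implicit deny at the end. Rule = (src_net, dst_net, dport|None, action).
def stateless_acl(rules, pkt):
    for src, dst, dport, action in rules:
        if in_net(pkt.src, src) and in_net(pkt.dst, dst) and dport in (None, pkt.dport):
            return action
    return "deny"

class StatefulFirewall:
    """ASA-like behaviour (simplified): the rule set is consulted only for a new
    connection (first SYN); later packets in either direction match the connection table."""
    def __init__(self, rules):
        self.rules, self.conns = rules, set()
    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "permit"          # packet belongs to a tracked connection
        if pkt.syn and not pkt.ack and stateless_acl(self.rules, pkt) == "permit":
            self.conns.add(fwd)      # new connection allowed by policy: remember it
            return "permit"
        return "deny"

# Constructed addressing: clients on VLAN 10 (10.1.10.0/24), DMZ servers on VLAN 20.
# Intended policy: clients may open HTTPS to the DMZ; the DMZ may not reach clients.
CLIENT_NET, DMZ_NET = "10.1.10.0/24", "10.1.20.0/24"
POLICY = [(CLIENT_NET, DMZ_NET, 443, "permit")]
# A stateless ACL needs a second rule so server replies get back to the clients, and
# that rule cannot tell a reply apart from a connection the DMZ host opens itself.
SWITCH_ACL = POLICY + [(DMZ_NET, CLIENT_NET, None, "permit")]

TRAFFIC = {  # constructed sample packets, in arrival order
    "client_syn": Packet("10.1.10.5", "10.1.20.8", 51000, 443, syn=True, ack=False),
    "server_reply": Packet("10.1.20.8", "10.1.10.5", 443, 51000, syn=True, ack=True),
    "dmz_initiated": Packet("10.1.20.8", "10.1.10.5", 40000, 445, syn=True, ack=False),
}

def stateless_results():
    return {name: stateless_acl(SWITCH_ACL, p) for name, p in TRAFFIC.items()}

def stateful_results():
    fw = StatefulFirewall(POLICY)
    return {name: fw.filter(p) for name, p in TRAFFIC.items()}
```

The switch ACL lets the DMZ-initiated connection through because the return-path rule is as wide as the replies it must admit, while the stateful filter denies it since no client ever opened that connection. IOS extended ACLs can narrow the return-path rule with the `established` keyword, but that only checks TCP flag bits and still tracks no connection state.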
