I'm currently re-designing our network. We have a core-accesslayer design with a asa fw.
We have need a couple of VLANs, 2 different internet connections, 1 based on destination address and 1 for all of the other traffic. And a DMZ.
The consideration is where to put high speed switching/routing.
In the current design we have the following situation:
ISP router -> ASA, with DMZ -> Core layer -> access layer.
I have placed all the VLAN gateways in the ASA, for the most of / easiest way of security.
All of the components are redundant.
My consideration is, normally you place the high speed switching/routing in the core layer, can this design give any performance problems?
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Possibly, assuming your core is a L3 switch, it may have better performance than your ASA. If you don't need ASA security for inter VLAN to VLAN traffic, having a core L3 switch perform that routing also unloads that routing from your ASA.
I agree with all of the comments above. I would like to add though, that the ASA will maintain connection states for all connections between vlans. Sometimes even within the same VLAN because of the ARP process. This will add unnecessary complexity to your traffic flow, and cause major headaches when it comes to troubleshooting your network.
Agree with Joe. In addition, if you do the routing at the core instead of the firewalls, you will have a smaller STP domain and so there is always less chance of loop if something goes wrong.
With my experience and what we have considered a mjor design factor with having ASA has gateway for all VLAN is the traffic per sec between Web,App and DB server communication.
No doubt in your design core is the layer where you shoudl have fast switching with routing.
But make sure you have ASA model which is bit mid or high end if your inter vlan traffic is more and very frequent. For these type of case we make l3 switch as gaetway and ASA for for certain restricted VLANs.
Hope it Helps..
Thnx to all! Apologize for the late reaction.
I have been thinking of this design for many hours.
I would like to set the gateways of the vlans in the core layer. But would like to have an easy way to maintain inter vlan security and would like the option to NAT the different vlans to different outside ip-addresses. On top of that we would like to integrate a DMZ with our vmware environment.
Let's pretend for a moment, that we could use "any" hardware available.
What would you guys suggest to use for design.
Thnx in ahead!