My question here is regarding my connection from distro switches to ASA. Is it better to have a layer 3 port from my distribution switches 1 and 2 and have them connected to my ASA or make a layer 3 vlan on distribution and connect it to a sub interface on ASA? I suppose for future growth the layer 3 SVI would make sense. Any thoughts on this? I’m currently using a layer 3 port connected to my ASA.
This is a great question, and it’s not only confined to ASA network design either. This question could be raised concerning an edge router connected to distribution switches as well.
Both scenarios that you describe are doable, but there is a third option which I would prefer: Create an SVI on say, VLAN 10 on the distribution switches and connect a VLAN 10 access port (layer 2 port) of the distribution switch to the ASA without any subinterfaces. This way, interVLAN routing can take place only within the distribution layer and you don’t have to worry about tagging on the connection to the ASA.
If however you want to use one of the two options you mentioned, I’d prefer the layer 3 port on the distribution switch. Subinterfaces should be avoided if at all possible as they would require the ASA to perform routing between the associated subnets. Any required routing should be limited to interVLAN routing on a layer 3 switch or to a dedicated edge router. ASAs can route, however, their resources should be provisioned more towards doing what a firewall does best: security.
As for future growth, if you add more VLANs to a network, by avoiding subinterfaces, it would actually be easier to scale since it would only require the addition of VLANs to the distribution switches. The ASA configs would not need to be changed.
Great, thanks Laz! I ended up going with the SVI and access port on the distro switch and directly connected it to the ASA. For my secondary distro, I would create the same SVI, make an access port and connect it over to my secondary ASA’s inside interface?
For the secondary connection, you would require a separate subnet (since each interface of the ASA has to be on a different subnet) and hence a separate VLAN and separate SVI. But the logic is the same yes.
This response doesn’t make any sense at all. Your layer 3 interface should always be on the firewall. If you bring an SVI out on a distribution switch, you then start questioning the gateway for the subnet. If you imply that it should then become the switch, then any traffic going between subnets does not hit the firewall. This means, if you have say a VLAN for databases, a VLAN for AD, a VLAN for Web servers: then all traffic between these servers is not filtered. That is terrible. As I said, your L3 interfaces go on the firewall, and your switches only should be doing layer 2 switching. If one server gets hacked then, you don’t risk losing every other server in the network. I work in ISO 27001, PCI compliant networks. If we did what lagapides suggested, we’d instantly lose that status.
Thanks for your response and your constructive criticism. You’re absolutely right.
The solution you choose all depends on what your priority is concerning the use of the firewall. If the firewall is used just as a filter for the edge of your network and you don’t require inter-subnet filtering (generally the case on smaller networks), then you could alleviate the ASA from the routing functionality by routing within the network rather than on the ASA edge. Also, the question (from my understanding) dealt not with datacentres, servers etc, but end users on distribution switches. Of course servers would be placed in a DMZ allowing filtering between end users and servers but this was not mentioned in the solution. I should have been clearer.
On larger networks, where inter-subnet filtering even between user groups is necessary, and ISO compliance is required, then yes, multiple DMZs and internal should be implemented with multiple subnets and some routing should be implemented by the firewall. However, the most intensive routing should still be taken care of by layer 3 core switches/routers and not the ASA. This can be seen in Cisco’s Enterprise Internet Edge documentation and recommendations.
Ultimately, the point of my post was to state that Cisco’s best practices indicate that the ASA should not be used for the bulk of routing. This should be done by the core layer (or the collapsed distribution/core layer in a 2-tier hierarchy) and not by the ASA. Because however I am not familiar with ISO requirements, if they are stricter than those of Cisco, then by all means, they should be implemented if they are required.