Design principles (basic)

Hi Rene,

I often come across various configurations that achieve the same purpose and I always wonder which of these is best.
In a nutshell, say you have 2 VLANs to segregate with your ASA. What would be the pros and cons for these designs:
- 1 single physical port, vlan trunking and SVIs
- 2 physical ports, no trunking (access only) and direct IP addresses
- 2 physical ports, vlan trunking for each and associated SVIs
- 2 physical ports in etherchannel mode, SVIs for each VLAN

Are there explicit Cisco recommendations or things to avoid?

Let me know your thoughts,

Thanks a lot.

Hello Jeff!

That’s a really good question! There are several advantages and disadvantages to these implementations. I describe some of these below. By no means are these exhaustive, but it’s a good starting point for you to research further:

– 1 single physical port, vlan trunking and SVIs
Using a single port will limit your bandwidth to that of one port since the traffic of both VLANs is sharing the total bandwidth of that port.

– 2 physical ports, no trunking (access only) and direct IP addresses
Here you are increasing your total bandwidth by splitting the traffic, one VLAN per port. Also, you are taxing the device’s CPU less since there is no tagging going on, although depending on the throughput, this may be negligible. However, if one VLAN is using 100% of the bandwidth and the other is using, say, 10%, there is no way to have the excess of one VLAN “overflow” into the available capacity of the other. Your 4th solution solves this…

– 2 physical ports, vlan trunking for each and associated SVIs
I’m assuming here you mean that each port is a trunk and is passing both VLANs. What will happen next depends on what’s on the other side of each connection. If these links both connect to the same switch, STP will kick in and only one of the two links will be “active” at any one time. You can always have STP per VLAN so one VLAN goes through one trunk and is blocked on the other, and the other VLAN is blocked on one and allowed on the other trunk, but then you’re back at your second solution with its limitations.
If, however, each trunk connects to two different switches (and these don’t connect to each other, otherwise you’ll have the same STP problem) then both trunks will be forwarding traffic. However, depending on how many users you have on each of these other switches, you may or may not get an even distribution of traffic over your trunks.

– 2 physical ports in etherchannel mode, SVIs for each VLAN
This configuration will probably be the most efficient use of your bandwidth since you are sharing the total bandwidth of two ports between two VLANs. It’s like having your 1st solution but with a port that has double the bandwidth and with redundancy (if one link goes down, you still have the second one).

I hope this has been helpful!

Laz
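
An added configuration example (not from Laz or the original thread) showing the fourth design: two ASA ports bundled into an LACP EtherChannel, one logical interface per VLAN (on the ASA these are subinterfaces of the port-channel rather than switch-style SVIs), the matching trunk on the upstream switch, and an access list so the two segments only reach each other on the ports you intend. VLAN IDs, interface names, addresses and the permitted port are constructed placeholders.

```cisco
! ---- ASA side (example, constructed values) ----
interface GigabitEthernet0/0
 channel-group 1 mode active      ! LACP; both members must match speed/duplex
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 no nameif                        ! the bundle itself carries no IP; VLANs live on subinterfaces
 no security-level
 no ip address
!
interface Port-channel1.10
 vlan 10                          ! 802.1Q tag for the inside segment
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20                          ! 802.1Q tag for the DMZ segment
 nameif dmz
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
! Lower-security dmz may only reach inside on TCP/443; everything else from dmz is denied and logged.
access-list dmz_in extended permit tcp 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0 eq 443
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! ---- Switch side (example, constructed values) ----
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20   ! prune the trunk to just the VLANs the ASA terminates
```

Adding a new VLAN later is a new `Port-channel1.x` subinterface plus an entry in the switch's allowed-VLAN list, which is the flexibility Jeff points to below; `show port-channel summary` on the ASA and `show etherchannel summary` on the switch confirm both members are bundled.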

Thanks a lot for your answers, it does show that bandwidth considerations are key in this kind of choice.
Although I should admit that the 4th option also provides flexibility and is more future-proof with regard to new requirements that may arise (adding a new VLAN, etc.).

Thanks again.
Jeff

Hello Jeff.

Yes, I would have to agree with you, the fourth option does seem to be the most flexible and future-proof.

Glad I could be of help!

Laz