Transit Network

Hi Rene,

What are the scenarios in which we need to use a transit network in our routing?
For example, I have an L3 connection between a core switch and a firewall. Is it best practice to have a transit network between these devices, or to use one of their interfaces in the data plane?


Hello Kartika

There’s no single right or wrong answer to this question. I would have to say that you should apply routing wherever it is necessary for the specific topology that you want to employ. In your specific case, you can either connect the firewall to the core switch using a routed port, or you can connect it to an L2 port as part of a VLAN. There are several advantages and disadvantages to each.

By connecting to a routed port:

  • you are using more switch resources to route traffic to and from the firewall
  • you have more control over that traffic on the switch because, for example, you can apply access lists to it
  • you are alleviating the firewall from performing routing

By connecting to an L2 port:

  • the firewall must route traffic between that VLAN and other subnets
  • additional hosts can be placed on the same VLAN as that of the firewall port

Both are acceptable and have some minor pros and cons. Ultimately, what affects your decision most is the network topology. At the network edge, you don’t want the firewall performing a lot of routing, because it’s already burdened with security policies. Alternatively, a core switch is built for performing high-capacity routing and aggregation of many VLANs. So for your particular scenario, connecting the firewall to a routed port would probably be the better option.

Each situation is different, and must be evaluated individually.

I hope this has been helpful!


1 Like
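To make the two options in the answer above concrete, here is an added Cisco IOS-style configuration for the core switch side (example config written for this thread, not taken from the original post or from NetworkLessons). Interface names, VLAN number, the 10.255.0.0/30 transit subnet, the 10.0.0.0/8 internal range and the ACL name are all assumed values.

```cisco
! ===== Option A: routed port toward the firewall (point-to-point transit /30) =====
! The switch routes to and from the firewall and can filter on the link itself.
interface GigabitEthernet1/0/1
 description Transit link to firewall (assumed: fw = 10.255.0.2)
 no switchport
 ip address 10.255.0.1 255.255.255.252
 ip access-group FW-LINK-IN in
!
! Inbound ACL on the link: packets arriving from the firewall side that claim an
! internal (10/8) source are spoofed and get dropped and logged; everything else
! is allowed only if it is destined for the internal range.
ip access-list extended FW-LINK-IN
 remark Allow the firewall's own transit address (management, ICMP, etc.)
 permit ip host 10.255.0.2 any
 remark Anti-spoofing: internal source seen on the outside-facing link
 deny   ip 10.0.0.0 0.255.255.255 any log
 remark Return/inbound traffic to internal subnets
 permit ip any 10.0.0.0 0.255.255.255
 deny   ip any any log
!
! Default route for the core points at the firewall; the firewall only needs a
! route back to 10.0.0.0/8 via 10.255.0.1 and does no inter-VLAN routing.
ip route 0.0.0.0 0.0.0.0 10.255.0.2

! ===== Option B: L2 access port in a VLAN shared with the firewall =====
! The firewall becomes the gateway for VLAN 100 and routes between that VLAN
! and other subnets; other hosts can sit in the same VLAN.
vlan 100
 name FW-VLAN
!
interface GigabitEthernet1/0/1
 description L2 link to firewall (firewall is the gateway for VLAN 100)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
```

In option A the ACL is the "more control" point from the answer: the spoofed-source deny is a check worth having on any link that faces a less trusted side. In option B the switch does no routing for that VLAN at all, so filtering has to happen on the firewall; portfast with BPDU guard is shown because an edge-facing access port should never become part of the spanning tree.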

Thank you Laz.
More questions on transit networks: could you give the scenarios where you would use a transit network, and what is it recommended for?

Thank you.

Hello Kartika

Can you clarify what you mean when you say “transit network”? When you say transit network, my mind goes to something like this:

Can you give an example in order to clarify what you mean? Let us know!



What is the difference between an IXP and an ISP? What are Tier 1 / Tier 2 / Tier 3 ISPs? Why is there no tier for IXPs?

Now what is peering and what is transit, with reference to all of the above?

Hello Surendra

I suggest you take a look at these NetworkLessons notes that will clarify your questions:

If you have any further questions, feel free to let us know!

I hope this has been helpful!


Thanks Laz

I am a little bit off track regarding the changes that usually take place in the network domain.

What are the scenarios in which network changes occur, apart from HW failures, which obviously leave no choice but to change?

Is this a frequent activity? If yes, what are the use cases that drive changes in the network on an ongoing basis?

And lastly, how do systems get exposed to hackers due to changes in the network layout? In other words, how do system vulnerabilities get exposed to the hacker, directly or indirectly, because of these changes?

Hello Surendra

When you talk about changes, do you mean within an enterprise network? Within the Internet itself? Or changes in general on networks? Such changes have different implications depending on the network on which they occur.

Changes to a network topology do indeed include hardware failures. However, there are other cases where changes may occur, and it depends upon your definition of a “change”.

  1. Incorrect routing configurations can cause a change in network traffic patterns resulting in routing loops, black holes, or lack of convergence.
  2. Layer 2 loops with incorrect STP configurations can cause network disruption.
  3. Physically changing the network topology with the addition or removal of devices can trigger a change in the network topology.
  4. Changing traffic patterns can make QoS mechanisms kick in, causing a change in the way traffic is buffered.
  5. You can configure scripting to change routing based on traffic patterns.

So you see, there are many situations in which a network change can occur that affect how a network will operate.

Ideally, changes should be kept to a minimum. It is best for a network to maintain a stable state. That is the goal in any network design. However, the network must also be resilient, meaning it should be able to adapt to changes that may occur, as listed above, so that it keeps operating within normal parameters and users are not affected.

There is no one answer to this question. There are many different types of vulnerabilities that exist on a network, and it really depends upon many factors. Is there something more specific you had in mind?

I hope this has been helpful!
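As an added illustration for the exchange above (example configuration written for this thread, not from the original post or from NetworkLessons): the answer says changes should be kept to a minimum and that the network must adapt to those that do occur; from an operations standpoint the first step is knowing when a configuration changed at all, so that an unintended change (wrong route, wrong STP setting, altered ACL) is noticed before it becomes an exposure. The Cisco IOS configuration-change logging feature below records every configuration command with the user and session that entered it and forwards it to syslog. The syslog host address and the log size are assumed values.

```cisco
! Send logs to a central collector (assumed address) so records survive a
! device reload or a change that wipes the local log.
logging host 10.0.0.50
logging trap notifications
!
! Configuration change logger: every command entered in configuration mode is
! recorded with the user and session, and a copy is sent to syslog in plain text.
archive
 log config
  logging enable
  logging size 500
  hidekeys
  notify syslog contenttype plaintext
!
! Keep timestamped, rotating copies of the running config locally as well, so the
! "before" and "after" of any change can be diffed during a review.
 path flash:archive-config
 maximum 10
 time-period 1440
```

Use "show archive log config all" to review the recorded commands and "show archive" to list the stored copies. The point for the thread's last question is detection rather than prevention: a change you can see and diff can be reviewed against the intended design, while a silent change stays in place until it causes an outage or is found by someone else.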