Branch Office Configuration – Using ASA and L3 Switch

Tags: cisco-asa, routing

We have a number of branch offices consisting of one or more 2960 series switches and a 55xx series firewall. The switches are usually stacked, and have at least IP Base feature sets.

In most offices, the switches are set up to route, with VLAN interfaces that act as default gateways for the local VLANs. The ASA then has a separate IP address on the inside interface connected to the switches, and packets are routed from the VLAN interfaces on the switches to the inside interface. From there, it’s either NAT out to the internet, or site-to-site VPN back to one of the main sites.

We are about to set up a new branch office, with the same 2960 & ASA setup, and I wanted to get some advice on recommended setups.

  1. Should we stick with what we have now? I like having the switches take some of the routing load, particularly for local destinations, however this setup seems a little messy, and the separate IP address on the inside interface requires workarounds for certain things (such as NAT).
  2. Should we have the ASA handle routing, set up a trunk link from the switches to the ASA, then sub-interfaces on the inside interface of the ASA for each VLAN (I believe we can also set up Etherchannel for this setup as per http://www.amirmontazeri.com/?p=18)?
  3. Finally, is it possible to trunk the VLANs to the ASA, have the inside interface as a switched port, and have routing handled on the ASA by VLAN interfaces? I’m sure I’ve seen this example in early CCNA-S security days, however I’m not sure if it’s still possible/current/recommended.

Edit:

Thanks for the response and your insightful feedback. The points about letting the switch handle local routing make sense, are something I'd thought about a bit already, and would be good to maintain.

Two follow-up questions:

First of all, we have various VLANs defined locally for user, server, management, printers, corporate and guest WiFi, etc. If we did keep the existing option with the L3 switches handling routing, and the firewall acting as a next routing hop, what network segment would we assign the IP address of the inside interface on the firewall (and in turn this next routing hop)? Would it be best to subnet one of the existing network segments/VLANs (say, the management network, as a /24 subnet this doesn't need 254 addresses), and create a new segment for the firewall IP?

Second of all, if we did stick with the switches handling routing, would there be any way to have an etherchannel setup from the switches to the firewall? From the firewall side, we can configure L3 etherchannel, however can I have the firewall side of that as L3 (inside interface of the firewall, the next routing hop), with the other end L2, configured as a trunk with whatever VLANs I wanted to allow external to the network? I should also add, the switches will be stacked.

Best Answer

This question is kind of opinion-based, but I'll take a crack:

1.) The design you have is fine. Unless there's some kind of compelling functional problem I wouldn't change it just for the sake of changing it. If anything I tend to see folks moving from the design you're asking about to what you have now.

2.) In general I tend to think it makes a lot of sense to let the switches handle any kind of local routing. It has a bunch of advantages - better performance for local traffic, separation of configuration/fault domains (FW issue doesn't cause everything to die, local issues within a subnet don't hit the firewall) and the ability to add additional firewalls/gateways to provide redundancy/traffic controls without changing end-host configurations or local site policies.

3.) It's possible to trunk the VLANs directly to the firewall but I don't think it's a better design. You're trading the determinism, scalability and clean fault tolerance of an L3 design for one where you'll need to engineer all of this at L2. Along similar lines you can run an aggregated link (i.e. etherchannel) into the ASA but with those 2960's you'll end up with all of the connectivity run through a single switch.
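An added configuration example (not from the question, the answer or Cisco documentation) of the design the answer recommends keeping: the 2960 stack routes between its SVIs, the ASA inside interface sits on its own dedicated /30 transit VLAN rather than inside one of the user subnets, and the stack's default route points at the ASA. VLAN IDs, the 10.1.0.0/16 addressing, interface names and the ISP next hop are all assumptions; the ASA outside interface itself is omitted.

```cisco
! ===== 2960 stack (IP Base): SVIs are the branch default gateways =====
ip routing
!
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name TRANSIT-ASA
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
interface Vlan99
 description Point-to-point transit to ASA inside (no hosts here)
 ip address 10.1.99.2 255.255.255.252
!
interface GigabitEthernet1/0/24
 description Uplink to ASA inside
 switchport mode access
 switchport access vlan 99
!
! Everything that is not a local VLAN goes to the ASA
ip route 0.0.0.0 0.0.0.0 10.1.99.1
!
! ===== ASA 55xx: one routed inside interface on the transit subnet =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.99.1 255.255.255.252
!
! Return routes for the VLANs that live behind the switch stack
route inside 10.1.10.0 255.255.255.0 10.1.99.2 1
route inside 10.1.20.0 255.255.255.0 10.1.99.2 1
! 203.0.113.1 is a constructed placeholder for the ISP next hop
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! The NAT "workaround" from the question: the source object must cover
! the subnets routed behind the inside interface, not the transit /30
object network BRANCH-LAN
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
```

Because inter-VLAN traffic is routed on the stack, it never reaches the ASA, so isolating the guest WiFi or management VLANs from the servers has to be done with ACLs on the switch SVIs or by deliberately routing that traffic through the firewall.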