katredrum
asked on
Cisco 2800 & ASA 5510 Routing Question
Hello Experts,
I have a Cisco 2800 router currently in production that is doing the routing of all VLANs and is also the gateway of our network. We are preparing for a network upgrade and the company has purchased ASA 5510.
Since the 2800 serves as our T1 Internet Gateway and our bandwidth upgrade will have a RJ-45 drop and that ASA is new to me, I'm trying to co-deploy it until the day we will switch over from T1 to RJ-45. I am re-configuring all VLANs to be routed by the ASA (I'm currently only testing non-production VLANs) but don't know how to send Internet traffic to the 2800 for Internet access.
The goal in the end is to have everything configured on the ASA prior to the switch and just have to change routing the Internet traffic from the 2800 to the new ISP.
Is this possible to do? Has anyone done this? Can anyone recommend any other way to do this?
If all of your users were running Appletalk on OS9 or earlier, I might split it as you have it, but as long as you're running on switched 100mb Ethernet instead of using 10base2 or 10baseT on hubs :-) you should have no issues with a single "internal" VLAN.
Before doing this, you could attach a computer running wireshark to a network port and monitor the amount of broadcast traffic, my guess is that it would be measured in single digit kbps.
With modern servers, you should be able to consolidate your servers. I've consolidated many small servers into file server clusters with better availability and performance for everyone. Several of these have been for companies with high levels of users working on multi gigabyte artwork files, and did this for less than the cost of replacing all of the individual servers when they reached their replacement point; the power consumption and electricity bill can also be a driver for doing this.
The exception might be HR or Finance, but I would only usually split them out if their IT was managed by a dedicated HR or Finance IT department. For a company where I presume you manage all of it, I would quite happily put it all on one (clustered) server, or with 2k8 r2, two servers with DFS, one with Intel and one with AMD for even more redundancy.
I would keep the phone system on its own VLAN, but this could be terminated on the ASA as the traffic volume should be relatively small and you can also use it to restrict access to only required hosts.
Instead of using the 2800 at the remote office I would get an ASA5505, the NAT and ACL configuration is much simpler and you keep to a common platform with identical setup etc.
I moved one company that had grown through acquisition from three small offices into one large one, they were 300 people, and with gigabit to the desktop switches I put in a single VLAN and a new file server, two of the companies had already had gigabit and were pleasantly surprised when the new infrastructure was faster...
In short, divide up a network when you _need_ to, but try your best not to need to :-)
ASKER
Thanks for the suggestions! I wanted to go back to my original question. Is there a way I can have users behind the ASA access the Internet via the 2800? How would I do it and what command(s) would I have to put on my ASA?
ASKER
Arne,
I don't quite understand.
On the 2800, if I disable NAT how would my users access the Internet? The 2800 still holds the path to the Internet via WIC T1.
I apologize, I'm still new to the ASA and don't really know how to create a dynamic NAT rule.
INTERNET ---- 2800 ---- ASA ---- VLAN8
I'm trying to have users in VLAN8 access the Internet via the 2800.
Are your instructions for what I'm trying to do?
your current config
2800 - main vlan
- other vlan
to
2800 - main vlan - ASA (running NAT)
- second vlan
or
Internet - ASA (running NAT) - main VLAN - 2800 - second VLAN
the router then acts as an internal only router and doesn't need NAT.
Although the ASA can run routing protocols, this is more to determine what route to send a packet to, but it isn't a router...
ASKER
current config and ultimately wanting to do...
Internet - 2800 - ASA - VLANs
I need to allow users behind the ASA to access the internet via the 2800's T1
Presumably you are running NAT on the 2800.
Presumably, you have a single public address on the T1 side of the 2800 and a block of addresses that you are using for NAT.
You could remove NAT from the 2800, use one of the addresses for its "internal" interface and use the rest on the ASA. This would mean either moving to a flat LAN, or using the ASA for communicating between VLANS.
When your new connection is activated, you simply configure it on the ASA and modify the NAT rules and routing on the ASA.
ASKER
hitsotntd,
Thank you for doing this. Instead of the public IP addresses between the 2800 and ASA, could I use private IP addresses? Just wondering why it would have to be a public IP address. I will try this as soon as I can.
Yes absolutely, just make sure the routes point to the correct interface.
ASKER
Okay, I've tried this and am unable to get out from a workstation in VLAN8.
My 2800 interface is configured as 10.50.1.2/24
My ASA outside interface is configured as 10.50.1.1/24
I've set the default routes on the ASA as:
route OUTSIDE 0.0.0.0 0.0.0.0 10.50.1.2
The workstations can ping the internal interface but cannot go beyond that. Any ideas?
Can the asa ping the 2800 interface?
Can the workstation ping the outside interface of the ASA?
Can the 2800 ping the outside interface of the asa?
Does the 2800 have a route back to the VLAN8? This is prob the issue.
2800 route should say something like (IOS takes network, mask, then next hop): ip route (VLAN 8 network) 255.255.255.0 10.50.1.1
Also, you can run the command "show xlate" and this will tell you exactly what the internal vlan8 ip address is being NATed/translated to.
ASKER
From my workstation, I cannot ping the outside of my ASA (10.50.1.1).
From the ASA, I can ping the outside interface (10.50.1.1) and inside interface (192.168.0.1) of the ASA. I can also ping the internal interface (10.50.1.2) of the 2800 but not the public interface.
When I run the "show xlate" command it returns "0 in use, 0 most used"
From the 2800, I can ping all interfaces on the 2800 as well as the outside interface of the ASA (10.50.1.1) and the inside interface of the ASA (192.168.0.1).
ASKER
Seems like traffic is not getting past the ASA's default route as it is not showing up with anything with the "show xlate" command. Any other ideas?
oh and btw, Mightysampson is me too, I messed up on my username and wanted to change it.
Ok, so you said that the 2800 can ping the inside interface of the ASA? If you have the cabling like we think, you should not be able to ping the inside interface from the 2800 unless you have an ACL allowing it.
Does your workstation have a default gateway of 192.168.0.1?
Can your workstation ping the inside ip address of 192.168.0.1?
Would you mind showing me the output on the ASA from the following commands? You can X.X any info you don't want me to view. I should be able to get this running pretty quick after seeing these outputs.
Show run access-list
show run access-group
show run nat
show run static
show run interface
show route
Also, how about the output of these on the 2800?
show ip int bri
show ip route
ASKER
Workstation does have the default gateway as 192.168.0.1 AND can ping it.
On the ASA
Show run access-list:
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
Show run access-group:
null
Show run nat:
null
show run static:
null
show run interface:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 10.50.1.1 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.168.0.1 255.255.255.0
!
show route:
route OUTSIDE 0.0.0.0 255.255.255.255 10.50.1.2 1
route INSIDE 192.168.1.0 255.255.255.0 192.168.1.1 1
On the 2800
show ip int bri:
FastEthernet0/0.50 10.50.1.2 Yes manual up up
Serial0/0 Public IP Yes NVRAM up up
show ip route:
C 10.50.1.0 is directly connected, FastEthernet0/0.50
S 192.168.0.0/24 [1/0] via 10.50.1.1
S* 0.0.0.0/0 [1/0] via public ip
Well I do see some needed commands,
1. You have no access-group binding your access-list to an interface. The example below binds the access-list global_mp to the inbound traffic on the outside interface. Do not input this command unless you're absolutely sure you want to. Your current access-list is permitting any TCP traffic to whichever machines are in the object group "DM_INLINE_TCP_1". If you want something to access something from the outside, you will use the below access-group and the ACL named "global_mp" to make that happen.
1a. access-group global_mp in interface outside
2. There is no NAT configured. Below are the commands to enter.
2a. nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 {public ip range}
3. Testing
3a. Try pinging 8.8.8.8 from the 2800.
3b. Try pinging 8.8.8.8 from workstation
3c. enter "show xlate" in ASA to see the NATed internal to the external.
Other than those, everything looks good to me. You have all the routing correct. All interfaces are configured correctly. I am sure all you needed was the NATing configured.
Still not sure why you would be able to ping the inside address from the 2800.
Samp
ASKER
Okay not sure if I need option 1.
I did the 2a command. Question on 2a. global public IP. Is this the IP address of my 2800's WAN interface?
3. Testing results:
3a. OK
3b. No reply
3c. Global 192.168.0.3 Local 192.168.0.3
Workstation still cannot ping 8.8.8.8.
Thanks for all the help. I'm still trying without any success.
No problem at all. We will get this up and running. We are almost there.
Global public IP address is going to be the same range as the serial 0/0 on the 2800.
FYI, it doesn't have to be a range, it can be just 1 public address. Here is an example for one IP address and for a range.
{Many to ONE NAT}
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 69.85.58.68 255.255.255.255
{Many to Many NAT}
nat (inside) 1 192.168.0.0 255.255.255.0
global (outside) 1 69.85.58.0 255.255.255.0
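The two checks raised in this thread, whether the ASA's nat/global pair actually rewrites the VLAN8 source and whether the 2800 has a route back for the translated address, modelled in Python as an added example (not configuration from the thread or from Cisco). The 10.50.1.x, 192.168.0.x and 69.85.58.68 addresses are the thread's own; the ISP next hop 203.0.113.1 and the names Router, asa_translate, diagnose and add_route are constructed for this example.

```python
"""Toy model of the INTERNET -- 2800 -- ASA -- VLAN8 topology from the thread.

Added example, not configuration from the thread or from Cisco. It traces an
echo from a VLAN8 workstation to 8.8.8.8 and its reply, and reports which of
two conditions fails:
1. the ASA's 'nat (inside) 1' + 'global (outside) 1' pair does not rewrite the
   source (an xlate of 'Global 192.168.0.3 Local 192.168.0.3' means exactly that);
2. the 2800 has no route back to the translated address via the ASA.
"""
import ipaddress

ASA_OUTSIDE = "10.50.1.1"          # ASA OUTSIDE interface, from the thread
ISP_NEXT_HOP = "203.0.113.1"       # constructed stand-in for the T1 peer


class Router:
    """Static routing table with longest-prefix-match lookup."""

    def __init__(self, routes):
        # routes: iterable of (prefix, next_hop) string pairs
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(str(dst))
        matches = [(n, nh) for n, nh in self.routes if dst in n]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def add_route(router, prefix, next_hop):
    """Return a copy of the table with one more static route ('ip route ...')."""
    return Router([(str(n), nh) for n, nh in router.routes] + [(prefix, next_hop)])


def router_2800_from_thread():
    """The 2800 table as pasted in the thread: C, S to the ASA, S* to the ISP."""
    return Router([
        ("10.50.1.0/24", "FastEthernet0/0.50"),
        ("192.168.0.0/24", ASA_OUTSIDE),
        ("0.0.0.0/0", ISP_NEXT_HOP),
    ])


def asa_translate(src, nat_inside, global_pool):
    """Model 'nat (inside) 1 <nat_inside>' + 'global (outside) 1 <global_pool>'.

    Returns the source address the packet carries on the OUTSIDE wire. With no
    global pool bound to the NAT id, the address passes through unchanged,
    which is the identity xlate the asker saw.
    """
    src_ip = ipaddress.ip_address(src)
    if global_pool is None or src_ip not in ipaddress.ip_network(nat_inside):
        return src_ip
    pool = ipaddress.ip_network(global_pool)
    # many-to-one: the single pool address; many-to-many: first usable host
    return pool.network_address if pool.prefixlen == 32 else next(pool.hosts())


def diagnose(r2800, workstation, nat_inside, global_pool):
    """Trace the echo and its reply; return (verdict, detail).

    Assumes, as in the asker's test with 'ip nat outside' removed, that the
    2800 does not itself translate traffic arriving from the 10.50.1.0/24 link.
    """
    egress_src = asa_translate(workstation, nat_inside, global_pool)
    if egress_src.is_private:
        return "NAT", f"{egress_src} reaches the ISP untranslated; no reply can route back"
    reply_hop = r2800.lookup(egress_src)
    if reply_hop != ASA_OUTSIDE:
        return "ROUTE", f"2800 forwards the reply for {egress_src} to {reply_hop}, not {ASA_OUTSIDE}"
    return "OK", f"{workstation} -> {egress_src} -> 8.8.8.8, reply returns via {ASA_OUTSIDE}"


if __name__ == "__main__":
    r = router_2800_from_thread()
    print(diagnose(r, "192.168.0.3", "192.168.0.0/24", None))              # NAT
    print(diagnose(r, "192.168.0.3", "192.168.0.0/24", "69.85.58.68/32"))  # ROUTE
    # host route for the many-to-one pool address pointing back at the ASA
    fixed = add_route(r, "69.85.58.68/32", ASA_OUTSIDE)
    print(diagnose(fixed, "192.168.0.3", "192.168.0.0/24", "69.85.58.68/32"))  # OK
```

The default route on the pasted 2800 table is the longest match for 69.85.58.68, so without the extra host route the reply is handed straight back to the ISP instead of to the ASA.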
ASKER
Okay I configured the global (outside) with the correct public IP and still no luck.
Am I supposed to be able to ping 8.8.8.8 from the ASA? Because I am not able to. Also, on the 2800 I have the "IP NAT Outside" command on the S0/0 interface. Wondering if this is preventing traffic coming back into the network. I also have an access-list that is currently configured to allow traffic back in. Would I need to add the 192.168.0.0 network to be allowed back in from the internet?
ASKER
Here is what my Serial0/0 is configured as...it's complex because I have production still behind the current router and I'm trying to add the ASA behind it concurrently. Please let me know if I cannot do this and if I have to take everyone off the 2800 and put it behind the ASA in order for this to work. Here is my WAN interface config:
interface Serial0/0
description WAN Interface
ip address PUBLICIP 255.255.255.252
ip access-group 111 in
ip access-group BLOCK_CS out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip inspect CBAC_OUT out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
crypto map SDM_CMAP_1
ASKER
In the above config, I did take out the command ip nat outside but only do this when I test the workstation trying to ping 8.8.8.8.
Let me lab this up. I will get back to you on what will need to be done soon. I will then provide you with configs to be entered.
When you test, what are you getting with the "show xlate" command?
Is your public address on S0/0 the only external address you have?
Also, can you provide me with the access-list you have on the s0/0 interface?
ASKER
On the ASA, show xlate:
2 in use, 2 most used
Global 192.168.0.2 Local 192.168.0.2
Global 192.168.0.3 Local 192.168.0.3
Actually, I have a secondary public IP address but didn't think it would affect anything. Here it is anyway:
ip address PUBLICIP 255.255.255.248 secondary (I believe the ISP has created a static route on their end)
Access-list 111 is:
Extended IP access list 111
10 permit tcp host X.X.X.X host PUBLICIP eq smtp
20 permit tcp any host PUBLICIP eq www
30 permit tcp any host PUBLICIP eq 443
60 permit udp any host PUBLICIP eq domain
70 permit ahp any host PUBLICIP
80 permit esp any host PUBLICIP
90 permit udp any host PUBLICIP eq isakmp
100 permit udp any host PUBLICIP eq non500-isakmp
110 permit icmp any host PUBLICIP echo-reply
120 permit icmp any host PUBLICIP time-exceeded
130 permit icmp any host PUBLICIP unreachable
140 deny ip 10.0.0.0 0.255.255.255 any log-input
150 deny ip 172.16.0.0 0.15.255.255 any log-input
160 deny ip 192.168.0.0 0.0.255.255 any log-input
170 deny ip 127.0.0.0 0.255.255.255 any log-input
180 deny ip host 255.255.255.255 any log-input
190 deny ip host 0.0.0.0 any log-input
200 deny ip any any log-input
I completed the lab and you are not going to be able to have your topology the way it currently is.
You would need to turn off the inspection on your 2800 for the traffic to flow as expected.
You will probably want to set up a separate topology for testing your new ASA. You can do this by setting up the ASA's outside interface with an ip address in your external range. Then you could put a switch between your ISP device and the 2800 (this will require down time). With the switch in place, you could have both the ASA and the 2800 connected to the switch and communicating to the ISP, and test freely on the ASA.
The end result is, the ASA will replace the 2800 as the firewall/inspection device and the 2800 will be your edge/peering device.
Samp
Any progress?
Yup, ArneLovius stated the correct answer from the very beginning. He should get the points.
ASKER
Thanks for all your assistance. I will end up changing the config on the 2800 when we change ISPs. I cannot do it now but will use the info from this thread to get it working. Thanks again!
ASKER
I hope my scenario is not like the one you had two years ago. My network is divided by departments using VLANs to make the broadcast domain smaller. By doing this, it actually helped speed up user experience. We also have about the same users and devices...approx 60 users, 8 servers, and 8 printers.
Here is my VLAN configuration:
VLAN1 = common resources (Domain Controllers, Internet, Printers, router/switch management, email server)
VLAN2 = VPN Users
VLAN3 = Professionals
VLAN4 = Accounting/Admin
VLAN5 = Telephone
I did this because users in their own respective VLAN would not congest other departments, as they typically access their own server placed in their own VLAN. The only time users need inter-VLAN routing is when they access the Internet, authenticate with AD, or need DNS requests, DHCP, print and email, which are all on VLAN1.
I really like your idea to keep the 2800 as my inter-VLAN router and use the ASA as a firewall but I was planning to take the 2800 and move it to our branch office for site-to-site VPN with the ASA.
So in your opinion, if I plan to use only the ASA as our router/firewall, should I consolidate my VLANs into 3 instead of 5? I could put the Common Resources (VLAN1), VPN Users (VLAN2) and the Professionals (VLAN3) together because they make most of the workforce and keeping Accounting/Admin (VLAN4) and Telephone (VLAN5) separate giving me 3 VLANs.
This reminds me though that the reason I kept the Exchange Server on its own VLAN (1) was to keep users traffic from VLAN4 separate from VLAN3. My main goal was to ensure the Professionals (VLAN3) had the quickest access to all resources. Taking everyone else off was why I divided them into separate VLANs. Question now is...would it be less intrusive for my Professionals (VLAN3) if...
-Everyone was put into the same VLAN sharing a larger broadcast domain,
-Keeping the VLANs as they are and making the ASA route Inter-VLAN traffic,
-Consolidating VLAN1, 2 & 3 making the fastest access but having VLAN4 traffic share resources
I guess it all boils down to what is quicker, Inter-VLAN routing or having to share a larger broadcast domain. Can you give me your opinion on which is the better choice?