Cisco ASA Network Design Question

Please see my attached network diagram.

As you can see, all my access layer switches (2960s) connect to my core (3850) via 1 Gbps fiber.
The Cisco ASA connects via EtherChannel (5x1 Gbps) to my core switch.

All my routing is done on the Cisco ASA with sub-interfaces. I have about 15 VLANs/sub-interfaces on my ASA.
All traffic between VLANs is controlled via ACLs and IPS inspection.

My question is: will this create a bottleneck on the firewall? My IPS throughput on the Cisco ASA 5516-X is 450 Mbps, and all my servers are also in a separate VLAN (e.g. Exchange server, file server, DCs, proxy servers, SQL servers), and all departments are in a VLAN (e.g. HR, Finance).


Is there a specific reason you are using the ASA for inter-VLAN traffic?

I would let the 3850 be your site router and send all externally bound traffic (e.g. Internet) to the ASA.

Having all inter-VLAN traffic go up to the ASA and then come back down is inefficient, and the ASA is not adding any value here. The 3850, however, is well suited for the job, and it can handle all the inter-VLAN routing.

The 3850 can also handle any necessary ACLs for controlling traffic between VLANs.
ciscosuppAuthor Commented:
The reason I use the ASA for inter-VLAN routing is that all traffic between different VLANs has to traverse the firewall, which also provides IPS. This can detect any malicious code in my internal network, and it will also prevent spreading of malicious code between different VLANs.
Fair enough. However, I think that's overkill. This will put a lot of pressure on the ASA and will lower throughput and performance. You also have to be careful with IPS: there will be many false positives, and there will be a tax on performance.

You can still control any malicious activity by using ACLs to control traffic between VLANs, if necessary, and other client-side software for detection (Sophos, Kaspersky, etc.). Also, having servers, clients, and other devices in different VLANs will limit the broadcast aspects of any malicious activity.

You could segregate part of the traffic (e.g. database servers) and have it pass through the ASA, but I wouldn't have all traffic pass through.
ciscosuppAuthor Commented:
Ok so basically I will put most critical servers behind ASA.

How much bandwidth does the average network user actually need?
I don't have a figure for actual traffic: it depends on file transfers (to/from file servers), email attachments, communication between workstations and AD, web traffic, etc. It could add up.

With the ASA, another consideration would be to create "contexts" and separate inside/outside (Internet) traffic from inside/server traffic. Using "contexts" is basically as if you carved up your ASA into two firewalls, each with its own policy, ACLs, NATs, etc. Much cleaner. You will need to check your licenses for the 5516-X to see how many contexts are supported.
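The configuration below is an added illustration of the design suggested in this thread (3850 as the inter-VLAN router with ACLs; only Internet-bound traffic and the protected server VLAN traverse the ASA and its IPS). It is not configuration posted by the asker or by any of the answerers. The VLAN IDs (10 HR, 20 Finance, 100 servers, 200 transit), the 10.0.x.x addressing, and the ACL names are assumptions chosen for the example; the IPS inspection policy on the ASA itself is not shown.

```cisco
! ===== Catalyst 3850 (core) - assumed example config, not from the original post =====
! Inter-VLAN routing happens here, so HR<->Finance traffic never touches the ASA.
ip routing
!
interface Vlan10
 description HR (assumed VLAN 10)
 ip address 10.0.10.1 255.255.255.0
 ip access-group HR_IN in
!
interface Vlan20
 description Finance (assumed VLAN 20)
 ip address 10.0.20.1 255.255.255.0
!
! Transit VLAN toward the ASA inside interface (assumed VLAN 200).
interface Vlan200
 description Transit-to-ASA
 ip address 10.0.200.2 255.255.255.252
!
! No SVI for the server VLAN 100: it is layer-2 only on the 3850 and its
! default gateway is the ASA, so server-bound flows are forced through the firewall.
vlan 100
 name Servers
!
! Internet and the server segment both sit behind the ASA, hence one default route.
ip route 0.0.0.0 0.0.0.0 10.0.200.1
!
! Inter-VLAN filtering on the switch (replaces the ASA ACLs for workstation VLANs).
ip access-list extended HR_IN
 remark HR workstations may not reach Finance directly
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 10.0.10.0 0.0.0.255 any
!
! The 5x1G EtherChannel to the ASA must trunk the transit and server VLANs.
interface Port-channel1
 description To-ASA-5516X
 switchport mode trunk
 switchport trunk allowed vlan 100,200

! ===== ASA 5516-X - assumed example config, not from the original post =====
! Sub-interfaces on the port-channel: only "inside" (transit) and "servers"
! remain on the ASA; the departmental VLANs are gone from the firewall.
interface Port-channel1.200
 vlan 200
 nameif inside
 security-level 100
 ip address 10.0.200.1 255.255.255.252
!
interface Port-channel1.100
 vlan 100
 nameif servers
 security-level 50
 ip address 10.0.100.1 255.255.255.0
!
! Return route for every VLAN the 3850 now routes (assumed 10.0.0.0/16 summary).
route inside 10.0.0.0 255.255.0.0 10.0.200.2
!
! Only the flows that should be IPS-inspected cross the ASA: selected
! workstation-to-server services plus Internet-bound traffic. ASA ACLs use
! normal subnet masks, not IOS wildcard masks.
access-list INSIDE_IN extended permit tcp 10.0.10.0 255.255.255.0 10.0.100.0 255.255.255.0 eq 445
access-list INSIDE_IN extended permit tcp 10.0.0.0 255.255.0.0 10.0.100.0 255.255.255.0 eq 443
access-list INSIDE_IN extended deny ip any 10.0.100.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.0.0.0 255.255.0.0 any
access-group INSIDE_IN in interface inside
```

With this split, the 450 Mbps IPS figure only has to cover traffic that actually needs inspection (server access and Internet egress), while HR-to-Finance and similar workstation flows are switched in hardware on the 3850. If the "contexts" approach from the answer above is adopted later, the `inside`/`outside` pair and the `servers` interface would be allocated to separate contexts, each with its own ACLs, subject to the context license on the 5516-X.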
