ciscosupp

asked on

Cisco ASA Network Design Question

Please see my attached network diagram.

As you can see, all my access layer switches (2960s) connect to my core (3850) via 1 Gbps fiber.
The Cisco ASA connects via EtherChannel (5x1 Gbps) to my core switch.

All my routing is done on the Cisco ASA with sub-interfaces. I have about 15 VLANs/sub-interfaces on my ASA.
All traffic between VLANs is controlled via ACLs and IPS inspection.

My question is: will this create a bottleneck on the firewall? My IPS throughput on the Cisco ASA 5516-X is 450 Mbps, and all my servers are also in a separate VLAN (e.g. Exchange server, file server, DCs, proxy servers, SQL servers), and all departments are in a VLAN (e.g. HR, Finance).

Thanks
Network-Diagram.jpg
naderz

Is there a specific reason you are using the ASA for inter-VLAN traffic?

I would let the 3850 be your site router and send all external-bound traffic (e.g. Internet) to the ASA.

Having all inter-VLAN traffic go up to the ASA and then come back down is inefficient, and the ASA is not adding any value here. The 3850, however, is well suited for the job, and it can handle all the inter-VLAN routing.

The 3850 can also handle any necessary ACLs for controlling traffic between VLANs.
ciscosupp

ASKER

The reason I use the ASA for inter-VLAN routing is that all traffic between different VLANs has to traverse the firewall, which also provides IPS; this can detect any malicious code in my internal network and will also prevent the spread of malicious code between different VLANs.

naderz

Fair enough. However, I think that's overkill. This will put a lot of pressure on the ASA and will lower throughput and performance. You also have to be careful with IPS: there will be many false positives, and there will be a tax on performance.

You can still control any malicious activity by using ACLs to control traffic between VLANs, if necessary, and other client-side software for detection (Sophos, Kaspersky, etc.). Also, having servers, clients, and other devices in different VLANs will limit the broadcast aspects of any malicious activity.

You could segregate part of the traffic (e.g. database servers) and have it pass through the ASA, but I wouldn't have all traffic pass through.
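As an added example (not from the thread and not either participant's configuration), this is what the split naderz describes looks like when written out: user and general server VLANs get their gateway and ACLs on the 3850, while one sensitive VLAN (here SQL) keeps an ASA sub-interface as its gateway, so only flows to that VLAN and to the Internet still cross the firewall and its IPS. Every VLAN ID, subnet, interface name, ACL name and port below is an assumption for illustration, not the asker's real addressing.

```cisco
! ---- Catalyst 3850 core (assumed example config, not the asker's) ----
ip routing
!
! Stateless, hardware-switched ACLs, applied inbound on each user SVI.
! Addresses, VLAN IDs and ports are assumptions for illustration.
ip access-list extended HR-IN
 remark HR: DNS/SMB/HTTPS to the general server VLAN, Internet, nothing else internal
 permit udp 10.0.10.0 0.0.0.255 10.0.100.0 0.0.0.255 eq domain
 permit tcp 10.0.10.0 0.0.0.255 10.0.100.0 0.0.0.255 eq 445
 permit tcp 10.0.10.0 0.0.0.255 10.0.100.0 0.0.0.255 eq 443
 deny   ip  10.0.10.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip  10.0.10.0 0.0.0.255 any
!
ip access-list extended FINANCE-IN
 remark Finance: same as HR plus SQL (1433). SQL sits behind the ASA, so that
 remark one flow still crosses the firewall and gets its ACL and IPS there
 permit udp 10.0.20.0 0.0.0.255 10.0.100.0 0.0.0.255 eq domain
 permit tcp 10.0.20.0 0.0.0.255 10.0.100.0 0.0.0.255 eq 445
 permit tcp 10.0.20.0 0.0.0.255 10.0.100.0 0.0.0.255 eq 443
 permit tcp 10.0.20.0 0.0.0.255 10.0.200.0 0.0.0.255 eq 1433
 deny   ip  10.0.20.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip  10.0.20.0 0.0.0.255 any
!
interface Vlan10
 description HR (gateway moved from the ASA sub-interface to the 3850)
 ip address 10.0.10.1 255.255.255.0
 ip access-group HR-IN in
!
interface Vlan20
 description Finance
 ip address 10.0.20.1 255.255.255.0
 ip access-group FINANCE-IN in
!
interface Vlan100
 description General servers (file, DC, Exchange, proxy)
 ip address 10.0.100.1 255.255.255.0
!
! Deliberately no SVI for VLAN 200 (SQL): the ASA sub-interface stays its
! gateway, so the 3850 can only reach it through the firewall.
!
interface Vlan999
 description Layer-3 transit to the ASA
 ip address 10.0.99.1 255.255.255.252
!
interface Port-channel1
 description 5x1G EtherChannel to the ASA; carries only the transit and SQL VLANs
 switchport mode trunk
 switchport trunk allowed vlan 200,999
!
ip route 0.0.0.0 0.0.0.0 10.0.99.2
ip route 10.0.200.0 255.255.255.0 10.0.99.2
!
! ---- ASA 5516-X (assumed example config) ----
interface Port-channel1.999
 vlan 999
 nameif inside
 security-level 100
 ip address 10.0.99.2 255.255.255.252
!
interface Port-channel1.200
 vlan 200
 nameif sql
 security-level 90
 ip address 10.0.200.1 255.255.255.0
!
! Every user and general server VLAN now sits behind the 3850 on the transit link
route inside 10.0.0.0 255.255.0.0 10.0.99.1
!
! Only Finance may open SQL sessions; other internal sources to SQL are dropped,
! and Internet-bound traffic from the site is allowed out to be inspected.
access-list INSIDE_IN extended permit tcp 10.0.20.0 255.255.255.0 10.0.200.0 255.255.255.0 eq 1433
access-list INSIDE_IN extended deny ip any 10.0.200.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.0.0.0 255.255.0.0 any
access-group INSIDE_IN in interface inside
```

Two caveats a practitioner would want. The 3850 ACLs are stateless: they are evaluated on the initial direction only, and return traffic works here because the server SVI carries no inbound ACL, so anything you later add on Vlan100 must permit the reply half of each flow. And the price of this design is exactly the one naderz names: HR-to-file-server traffic is switched in hardware and never sees the IPS, so host-based detection on the endpoints and servers has to cover what the firewall no longer inspects.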
ciscosupp

ASKER

OK, so basically I will put the most critical servers behind the ASA.

How much bandwidth does an average network user actually need?