Design - Layer 3 to the access switches

Unanswered Question

We are implementing a new Layer 3 design and I am somewhat confused on how/where the FWSMs, ASAs, WiSMs, IDSMs, and NAMs should be placed. If we are truly only routed and can no longer extend VLANs, what is the best method to contain devices into the DMZ? Also, where would you span ports for the NAMs and IDSMs?

Thanks,

Greg

sbilgi Mon, 06/04/2007 - 08:54

To allow Layer 3 switching, the switch must have the routing function enabled. Layer 3 switching is the movement of data between devices using tables or pathways containing Layer 3 network addressing.

I am sending the Frequently Asked Questions (FAQ) on the Quality of Service (QoS) features of the L3 switches. Please click the following link:

http://www.cisco.com/en/US/products/hw/switches/ps672/products_qanda_item09186a00800a8922.shtml

Jon Marshall Mon, 06/04/2007 - 09:24

Greg

I can answer part of your question re the placement of the FWSM, and I suspect this might also be relevant to the IDS as well.

If you go for a routed access layer then the FWSM may not have visibility of all the VLANs you may want to firewall. This would certainly become an issue if you wanted to use the FWSM in transparent mode. We went through the same decision making when we redesigned our main data centre.

An L3 access layer allows you to remove spanning tree from the uplinks with equal-cost routing, and that is an attractive feature. But it also meant we would have to buy a pair of FWSMs and CSMs (as we run in bridge mode) per access-layer pair to get L2 adjacency. This was one of the key factors that led us to use L2 uplinks with Rapid STP, but obviously in your case you may not deem that suitable.

Hope this has helped at least partially.

Jon
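To make the trade-off in Jon's reply concrete, here is an added configuration sketch. It is not from the thread, from Cisco documentation, or from anyone's production network; interface names, VLAN numbers, slot numbers and addresses are all constructed. Option A shows the routed access layer: the uplinks are Layer 3 point-to-point links with two equal-cost OSPF paths, so no VLAN and no spanning tree is carried on them, and DMZ containment has to happen at Layer 3 on the access switch because no upstream module ever sees the DMZ VLAN as a VLAN. Option B shows the Layer 2 alternative Jon's site chose: dot1q trunks with Rapid PVST carry the VLANs up to the distribution pair, where a transparent-mode FWSM bridges a VLAN pair, which is the Layer 2 adjacency a routed access layer removes.

```ios
! ===== Option A: routed access layer (constructed example) =====
! Access switch. Both uplinks are L3 /30 links: no VLAN, no STP on them.
! OSPF installs two equal-cost routes towards the distribution pair.
interface TenGigabitEthernet1/1
 description Routed uplink to Dist-A
 no switchport
 ip address 10.255.0.1 255.255.255.252
 ip ospf network point-to-point
!
interface TenGigabitEthernet1/2
 description Routed uplink to Dist-B
 no switchport
 ip address 10.255.0.5 255.255.255.252
 ip ospf network point-to-point
!
! The DMZ server VLAN is routed on the access switch itself (SVI), so it
! exists only on this switch pair and cannot be extended upstream.
interface Vlan110
 description DMZ servers (local to this access switch)
 ip address 10.110.0.1 255.255.255.0
 ip access-group DMZ-IN in
!
router ospf 1
 network 10.255.0.0 0.0.0.255 area 0
 network 10.110.0.0 0.0.0.255 area 0
 passive-interface Vlan110
!
! Containment is therefore an L3 ACL on the SVI: DMZ hosts may answer on
! their service port and reach the Internet, but not the internal ranges.
ip access-list extended DMZ-IN
 permit tcp 10.110.0.0 0.0.0.255 any eq 443
 deny   ip  10.110.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip  10.110.0.0 0.0.0.255 any

! ===== Option B: L2 uplinks with Rapid PVST (constructed example) =====
! Access switch. Uplinks are dot1q trunks carrying the server VLANs to
! the distribution pair where the FWSM sits; Rapid STP blocks the loop.
spanning-tree mode rapid-pvst
!
interface TenGigabitEthernet1/1
 description Trunk to Dist-A
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 110,111
!
interface TenGigabitEthernet1/2
 description Trunk to Dist-B
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 110,111
!
! Distribution 6500 supervisor: hand the VLAN pair to the FWSM in slot 4
! (slot number is an assumption).
firewall vlan-group 1 110,111
firewall module 4 vlan-group 1
!
! FWSM, transparent mode: VLAN 110 (server side) and VLAN 111 (routed
! side, where the MSFC SVI lives) are bridged as one IP subnet. Both
! VLANs must reach the module at Layer 2; with routed access uplinks
! that adjacency is gone, hence one FWSM pair per access-layer pair.
firewall transparent
interface Vlan110
 nameif inside
 security-level 100
interface Vlan111
 nameif outside
 security-level 0
ip address 10.110.0.2 255.255.255.0
```

In Option A the routed uplinks give loop-free equal-cost forwarding, but every firewall or IDS placement decision moves to the access switch (L3 ACLs there, or an ASA/IDSM per access pair). In Option B the VLANs are still visible at the distribution layer, so one FWSM and one span session at the distribution switch can cover many access switches, at the cost of keeping Rapid STP on the uplinks.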
