L3 VLANs Creation

Unanswered Question
May 28th, 2008
User Badges:


In my companies network L3 VLANs are configured on "Firewall" and I want to move it to "Core Switch". But my coluige is not supporting it, according to him all the VLANs should be on Firewall, he is saying that it is recomended, Please let me know which one is recomended and why? I would be thankful to you if you provide me any refrence regarding this.

Thanks in advance


Saleemuddin Mohammed

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Burts Wed, 05/28/2008 - 03:55
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


I am not sure that there is a clear answer that establishes one or the other approach as the best approach. And you may get suggestions on both sides. From my perspective I would think it was better to have the L3 VLANs configured on your core switch and to have the core switch do the inter VLAN routing and have the core switch forward to the firewall traffic going outside.

Your current implementation makes the firewall do work for inter VLAN traffic (traffic that originates and terminates inside of your network). Is the firewall actually screening that traffic? If so then there may be some reason to leave the VLANs on the firewall. But especially if the firewall is just forwarding the traffic then I would prefer to put that processing load on your core switch and let the firewall concentrate its efforts (and its processing capacity) on the traffic that it needs to screen.



engineer_msu Wed, 05/28/2008 - 04:36
User Badges:

Dear Rick,

Thanks for the reply... Dear can i have any refrence regarding this? or there is any sudession in CCDA or CCDP study guides?



glen.grant Wed, 05/28/2008 - 04:44
User Badges:
  • Purple, 4500 points or more

I would say your routing performance will be better if it is done on a L2/3 switch as most traffic is switched in hardware asics this is one plus for the switch route. As ric points out it really depends on your network layout and what the reason is for having to firewall all your traffic . If it is just as a gateway to say another segment or to the internet I wouldn't think all traffic has to be routed thru the firewall .


This Discussion