kimberly

many thanks for taking an interest in my query

the subinterfaces will be on the outside and will connect two 24 port switches (i'm running an asa cluster) so i'll patch one firewall to one switch and the other firewall to the other switch

i'll run rapid spanning tree on both switches and then interconnect them using two ports on each which i'll trunk

i'll also trunk the port on each switch to the asa and then create the relevant vlans on the switch

if i create an interface gi0/0.40, gi0/0.50 and int gi0/0.60 then the vlans on the switch will be VLAN40, VLAN50 & VLAN60 so the tags match

the subinterfaces and vlans will connect various 3rd party organisations into my enterprise over the usual ports/applications, i.e. smtp, http, https, dns etc

your question about what the interfaces will be used for raises a question for me

on the juniper i can assign each subinterface to a 'zone' of its own - on the asa i'll be treating all those on the other end of the subinterfaces as untrusted and therefore with a security level 100

i'm keen to hear what the gotchas are particularly as i want my solution to be scalable

thanks again

When oh when will the ASA support PBR, probably the one thing in terms of missing features that comes up more than anything for this device

No Kidding Jon....but then again I am one who firmly beleaves that switches should switch, firewalls should firewall, and routers do the routing! 

But hey, that must mean I am a little old school!!!!  LOL

Kimberly

Nobody call me, but I must say that I agree with the PBR enhancement on the ASAs, howcome is not possible yet?

It will definitely simplify a lot of things ;-)

Federico.

kadams@gbrx.com
No Kidding Jon....but then again I am one who firmly beleaves that switches should switch, firewalls should firewall, and routers do the routing!  
But hey, that must mean I am a little old school!!!!  LOL
Kimberly

Kimberly

I actually agree with your sentiments although it does beg the question what do you do with a L3 switch

But yes, i think the ASA should stick to what it does best which is firewalling. I just think with redundancy being so important these days PBR would a good addition to it's functionality because more and more companies are getting redundant connections to their ISP or multiple ISPs and to have to buy a router just for PBR seems a bit harsh.

To the OP, apologies for hijacking the thread. I have used subinterfaces on pix/asa firewalls and have not seen any particular gotchas so as Kimberly says you should be fine with what you are planning to do.

Federico, perhaps we should start a petition to get PBR added to the ASA

Jon

I agree with you both.

We should not have a single device doing everything, and we cannot continue with only limited features on each device either :-)

I would see what I can do with the ASAs on this matter ;-) jeje (don't expect much improvement)

Federico.

kimberly, jon, frederico

many thanks for your kindness and patience

i think i'll go ahead with using the subinterfaces as my only alternative is to put a router with greater port density (2811) in front of the asa

as i said i've done with with junipers before and its quite easy so all being well the asa should straightforward

thanks again folks

Jon,

On ocasion I will enable routing on a L3 switch, but I think it is ridiculous when someone enables routing on every L3 switch in an environment!  Routing tables get a little big and then why have a router in there other then to terminate a circuit.  L3 switches don't do PBR well either unless you use one of the switchports with the no switchport command and then you cannot use it as a switchport.  This is just one of my little pet peeves.....but what can you do?  The ASA5500 series do make very good firewalls and concentrators and yes some PBR would be nice but I still prefer to have my routers do my routing because they do it so good!

But hey, this is just a me thing!!!   

Kimberly