ASA 55xx - Layer 2 vs Layer 3 Best Practice?

May 30th, 2010

Depending on the person at TAC, some recommend using only layer 2, while others suggest using layer 3 when using the firewall in routed mode and not utilizing a router. So what does everyone think? Keep in mind the possibility of using VPN access due to hairpin issues.


Should you use a layer 3 switch, define the VLANs, turn on ip routing, and trunk to the firewall interface with VLAN subinterfaces? Or

Use a layer 2 switch, define the VLANs, use ip default-gateway, and define static routes on the firewall?

Jennifer Halim (Cisco Employee) Mon, 05/31/2010 - 03:18

Since you would like to terminate VPN on the ASA, then you would need to go with Layer 3 (routed firewall), because Layer 2 (transparent firewall) does not support VPN termination.


Here is a list of things that are not supported on a Layer 2 firewall, for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/fwmode.html#wp1222823

(Table 4-1 Unsupported Features in Transparent Mode)


The actual doc also explains the firewall in both routed and transparent mode, for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/fwmode.html


Hope that helps.

sdhill Mon, 05/31/2010 - 10:30

I guess I should have been a little more clear: should the switches be running Layer 2 or Layer 3?


Option 1 - Layer 2 switch, requires trunking and static route statements on the firewall.


Option 2 - Layer 3 switch, use VLAN subinterfaces, trunking.


I think both require static NAT statements to allow the VLANs with same security level to communicate.
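To make the two designs concrete, here is an added ASA configuration sketch in the 8.2-era syntax of the linked guide. It is not from this thread or from Cisco's documentation; the interface names, VLAN numbers, addresses (10.0.10.0/24 users, 10.0.20.0/24 servers, 10.0.1.0/24 transit) and the ACL are assumed for illustration. The point it shows is the inspection trade-off: with a Layer 2 switch the ASA is the gateway for every VLAN and sees all inter-VLAN traffic, whereas with a Layer 3 switch inter-VLAN traffic is routed by the switch and never reaches the firewall.

```text
! ---- Option A: Layer 2 switch, 802.1Q trunk to the ASA, ASA routes between VLANs ----
! Physical parent carries no addressing; each VLAN is a subinterface.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
! Both subinterfaces share security-level 50, so traffic between them is dropped
! until this is enabled; it is then still subject to the interface access-lists.
same-security-traffic permit inter-interface
!
! Example ACL (assumed): users may only reach servers on TCP/443, everything else is
! denied and logged, so every user-to-server flow is visible to the firewall.
access-list users_in extended permit tcp 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0 eq 443
access-list users_in extended deny ip any any log
access-group users_in in interface users
!
! No static routes are needed: both VLAN subnets are directly connected.
! Identity NAT between the VLANs is only required if nat-control is enabled
! (it is off by default on 8.2); with it enabled, add e.g.:
!   static (users,servers) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
! On the Layer 2 switch: "no ip routing", and "ip default-gateway 10.0.10.1" for
! the switch's own management SVI in VLAN 10.

! ---- Option B: Layer 3 switch routes between VLANs, single routed link to the ASA ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
! The switch's SVI on the transit subnet is assumed to be 10.0.1.2; the VLAN subnets
! sit behind it, so the ASA needs static routes to reach them.
route inside 10.0.10.0 255.255.255.0 10.0.1.2 1
route inside 10.0.20.0 255.255.255.0 10.0.1.2 1
!
! Users-to-servers traffic is now forwarded by the switch and never crosses the ASA,
! so firewall ACLs cannot see or filter it; only traffic leaving the inside interface
! (Internet, VPN) is inspected. Any inter-VLAN filtering has to be done on the switch.

! ---- Either option: remote-access VPN hairpinning ----
! Lets a VPN client's traffic enter and leave the same (outside) interface, which is
! the "hairpin" case mentioned in the question.
same-security-traffic permit intra-interface
```

If the requirement is that the firewall enforce policy between internal VLANs, option A keeps that traffic on a path the ASA can inspect and log; option B trades that visibility for faster switch-based routing and moves the inter-VLAN policy onto the switch.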

Federico Coto F... Mon, 05/31/2010 - 10:36

Hi,


Whether you use L2 or L3 switches behind the ASA just changes how the ASA looks at these devices.


For example,

If you configure the switches at L2, the ASA will look at the switches as regular L2 switches and will share a subnet with the next L3 device on the path to the inside.

If you configure the switches at L3, the ASA will look at those switches as routers.


The benefits or disadvantages of one solution over the other depend on your entire topology (hard to tell without knowing the layout).


If you can post a simple diagram with what you're planning to do, I think you'll get more help here.


Federico.
