Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Customer firewalls in a data center

Hello there,

I am currently planning a small data centre design around the standard access, distribution and core model.

Servers will be racked in standard rack ranges accompanied with a layer 2 switch per rack row. These will connect to a redundant pair of layer 3 switches in order to do interVLAN routing. This will point to two redundant firewalls that will in turn point to a pair of routers.

We offer two types of firewall, shared firewall which we allocate the customer access lists on our own in house firewall, or dedicated where the customer can order a firewall and get it racked for their servers to sit behind.

My question is if one of our customers purchases say a Cisco ASA 5505 firewall for use of their servers, how would this be implemented in the design? It would have to skip the hop of our in house firewall and be able to hit the router.​

I considered getting a routed port at the distribution layer switch to go straight to the router and pointing the customer's firewall default route towards this.

The only problem is that the outside interface of the customer's firewall will have an external IP, whereas the routed port on the L3 switch would be internal, would I just have to make this external so it can flow through to the router?

Would this also cause bandwidth issues as more customers who buy firewalls are tunnelling this one route out to the router.

Or is there a much better way of doing this?

Any advice is much appreciated

Everyone's tags (3)
VIP Super Bronze

Hi,Do your customers need to


Do your customers need to communicated with each other?

Do your customers need to have access to Internet.

To what device your Internet connection will be attached to?

If the customers don't need to communicate with each other, you can get a larger firewall and use VRF lite on the switches/routers and  firewall context to separate each customer.

Here is good document to look at:


New Member

Hi Reza,Thank you for your

Hi Reza,

Thank you for your swift response.

Yes customer must have access to the internet and be able to communicate each other, I would just like customers behind their own dedicated firewall to take a path which bypasses the in-house firewall straight to the router.

Would this require a separate cable from the distribution switch to go straight to the router and then used policy based routing on this?

CreatePlease to create content