Cisco Support Community


New Member

Design - Layer 3 to the access switches

We are implementing a new layer 3 design and I am somewhat confused on how/where the FWSMs, ASAs, WISMs, IDSMs, and NAMs should be placed. If we are truly only routed and can no longer extend VLANs, what is the best method to contain devices into the DMZ? Also, where would you span ports for the NAMs and IDSMs?




Re: Design - Layer 3 to the access switches

To allow Layer 3 switching, the switch must have the routing function enabled. Layer 3 switching is the movement of data between devices using tables or pathways containing Layer 3 network addressing.

I am sending the Frequently Asked Questions (FAQ) on the Quality of Service (QoS) features of the L3 switches. Please click the following link:

Hall of Fame Super Blue

Re: Design - Layer 3 to the access switches


I can answer part of your question re the placement of the FWSM, and I suspect this might also be relevant to the IDS as well.

If you go for a routed access-layer then the FWSM may not have visibility of all the vlans you may want to firewall. This would certainly become an issue if you wanted to use the FWSM in transparent mode. We went through the same decision making when we redesigned our main data centre.

An L3 access-layer allows you to remove spanning-tree from the uplinks with equal-cost routing and is an attractive feature. But it also meant we would have to buy a pair of FWSMs and CSMs (as we run in bridge mode) per access-layer pair to get L2 adjacency. This was one of the key factors that led us to use L2 uplinks with Rapid STP, but obviously in your case you may not deem that suitable.

Hope this has helped at least partially.
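As an added example (not from the original thread), the two uplink designs the reply contrasts side by side in constructed IOS configuration: routed access uplinks with equal-cost OSPF paths, where the user VLAN terminates on the access switch and is therefore not reachable as a Layer 2 segment by a transparent-mode FWSM in the distribution chassis, and the L2 trunk with Rapid PVST that keeps the VLAN extended up to the chassis where the FWSM can bridge it. Interface names, addresses, VLAN IDs and the module slot number are assumptions.

```cisco
! Added example, not from the original thread. Interfaces, addresses,
! VLAN IDs and the FWSM slot are constructed values.
!
! == Option A: routed access layer (L3 uplinks, no STP on the uplinks) ==
! Access switch: both uplinks are routed point-to-point links. OSPF installs
! both equal-cost routes, so neither uplink is blocked by spanning-tree.
interface GigabitEthernet1/0/49
 description uplink to dist-1 (routed)
 no switchport
 ip address 10.255.1.2 255.255.255.252
 ip ospf network point-to-point
!
interface GigabitEthernet1/0/50
 description uplink to dist-2 (routed)
 no switchport
 ip address 10.255.1.6 255.255.255.252
 ip ospf network point-to-point
!
! The user VLAN is an SVI on the access switch itself. It never crosses the
! uplinks as Layer 2, so a transparent-mode FWSM in the distribution chassis
! has no visibility of VLAN 10 and cannot bridge it.
interface Vlan10
 description users, local to this access switch only
 ip address 10.10.10.1 255.255.255.0
!
router ospf 1
 passive-interface Vlan10
 network 10.255.1.0 0.0.0.255 area 0
 network 10.10.10.0 0.0.0.255 area 0
!
! == Option B: L2 access layer (802.1Q trunks, Rapid PVST, as the reply chose) ==
! Access switch: the VLAN is carried to the distribution chassis on a trunk.
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/49
 description uplink to dist-1 (trunk)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Distribution chassis supervisor: hand VLAN 10 (inside) and VLAN 20 (outside)
! to the FWSM in slot 3. The module itself is configured with
! "firewall transparent" so it bridges between the two VLANs.
firewall vlan-group 1 10,20
firewall module 3 vlan-group 1
```

With option A the same firewalling would need an FWSM adjacent to each access-layer pair, which is the cost the reply describes.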