Cisco Support Community

New Member

make Gateway Firewall or Distribution/Core layer

hi everyone


I'm involved in a team designing a new Data Center. Our problem is that one of my colleagues and I think that the servers' gateways must be the Distribution layer, but our consultants, who hold CCIE R&S, think the gateways must be the Firewall of the Data Center block.

So which one of the opinions is right?



VIP Super Bronze

Hi,

It could be either one, but usually if you have a lot of traffic in your data center and you want faster switching, it should be on the distro layer. Usually switches have much more backplane speed and much more throughput than firewalls. The other thing is, if the gateway is on the distro switches and you lose your firewall, your local VLANs can still communicate.



New Member

Thanks Reza for the reply.

I knew that, but our consultant's opinion is that no inter-VLAN routing should exist in the Data Center because of security issues; gateways must be firewalls to implement zoning.

But I searched in Cisco documents, and somewhere it said that switches are gateways and firewalls must be bridges; somewhere else it said the secure VLANs' gateway must be the firewall.

But in my opinion it's good to use both: application gateways must be firewalls, but L3 or L2 services like iSCSI or vMotion etc. should be on L3 switches.

But which one is the best implementation?

I am not a CCIE and not a consultant, but I can explain such an easy question.

It depends.

If data from servers must go mostly to other servers in other VLANs, then the gateway should be the core switch.

And, for example, if you shut down the firewall, data still goes from server to server.

And in the other case, if all data traffic goes from the internet to the servers and back, then of course you must configure the firewall as the gateway.

New Member

In a banking data center, server-to-server traffic should be checked because of vulnerabilities, so the firewall being the gateway can be reasonable.

Because of this, I think it's better to combine the two methods, switching and firewalling.



VIP Super Bronze

Are these internal servers that need to communicate with each other? If yes, there is no need to firewall the subnet; if no, then firewalling them is a good idea. Usually if you have PCI, DMZ or multiple-customers-on-the-same-device requirements, you firewall subnets. If you go with a firewall, make sure it can handle the traffic load; if not, it will probably become a bottleneck.


Yes. If it is a banking data center, then all sensitive traffic goes through the firewall.

I do work in a bank and I know the PCI DSS requirements.

Server-to-server traffic should go from VLAN to VLAN through the firewall, with a complicated ACL and IPS too.
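The hybrid design proposed earlier in the thread (switch SVIs only for infrastructure VLANs such as vMotion and iSCSI, firewall as the gateway for zoned server VLANs with an ACL between tiers) as an added configuration example, not taken from the thread or from any Cisco document. VLAN numbers, subnets, interface names and the SQL port are constructed placeholders; the IPS part is not shown.

```cisco
! --- Distribution/core switch (IOS): L3 gateway only for infrastructure VLANs ---
vlan 10
 name VMOTION
vlan 11
 name ISCSI
vlan 20
 name APP_SERVERS
vlan 30
 name DB_SERVERS
!
interface Vlan10
 description vMotion gateway stays on the switch (high-bandwidth east-west)
 ip address 10.10.10.1 255.255.255.0
interface Vlan11
 description iSCSI gateway stays on the switch
 ip address 10.10.11.1 255.255.255.0
!
! No SVI is created for VLAN 20 or 30: they are Layer 2 only on the switch,
! so the only path out of these VLANs is through the firewall (losing the
! firewall isolates them, which is the intended zoning behaviour here).
interface TenGigabitEthernet1/1
 description Trunk to data-center firewall
 switchport mode trunk
 switchport trunk allowed vlan 20,30
!
! --- Data-center firewall (ASA): gateway for the zoned server VLANs ---
interface GigabitEthernet0/1.20
 vlan 20
 nameif app
 security-level 50
 ip address 10.20.20.1 255.255.255.0
interface GigabitEthernet0/1.30
 vlan 30
 nameif db
 security-level 60
 ip address 10.30.30.1 255.255.255.0
!
! Zoning ACL: app servers may only reach the DB tier on the database port;
! everything else between tiers is denied and logged for monitoring.
object-group network APP_TIER
 network-object 10.20.20.0 255.255.255.0
object-group network DB_TIER
 network-object 10.30.30.0 255.255.255.0
access-list APP_IN extended permit tcp object-group APP_TIER object-group DB_TIER eq 1433
access-list APP_IN extended deny ip any any log
access-group APP_IN in interface app
```

With this split, storage and vMotion traffic stays at switch backplane speed, while the firewall's sizing only has to cover the app-to-DB flows it inspects.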