Cisco Support Community
Network Design change


We currently have the following network configured within our infrastructure.

2 x Cisco ASA 5510s configured in Active/Standby mode

6 x 3560-E Catalyst Switches

2 Gbps EtherChannel connections between switches

The ASAs have an outside interface with security level 0 assigned, and 11 sub-interfaces configured on VLAN IDs 1-11, for argument's sake.

All the VLANs are configured on trunk ports on the 3560s, which are in turn connected to our hypervisors, which host VMs that could have any of the VLAN networks assigned.

All VMs have the ASA sub-interface IP address set as the default gateway.

As our network grows, I do not believe the model/design we have above is sustainable or effective. I'm new to networking, but from what I've looked into already, we should be shifting the routing away from the ASA onto the switches themselves. Can anyone shed some light on the best practice to get this implemented, and what exactly might be involved? None of the switches are configured with a particular role (i.e. core, distribution, etc.), so I'm open to ideas on how I should implement this.

Thanks for your time!


Re: Network Design change

Hi Andrew,

The ASA 5510 firewall is not a very powerful device to handle all the routing between VLANs on the hypervisors. The firewall in your case is the choke point, as all routing between VLANs has to traverse the firewall and back. You are better off connecting all your 3560-E switches to one or a set of stacked 3750-Xs or 3850s and using the 3750-Xs or 3850s to route for you. These devices are a lot faster than your firewalls. Then use a routed connection from the 3750-Xs to the firewall. These days, vCenter can route between VLANs within a hypervisor or between VLANs on different hypervisors, but for that you may need different licenses and a different version of software.



Re: Network Design change


Agree with all of Reza's comments; you'd be much better off with a thin core layer, such as a pair of stacked 3850s running the IOS 'IP Base' feature set. You could then cross-stack connect all your 3560-Es for resiliency. You could also uplink each 5510 to a different core switch, for resiliency.

Doesn't sound like you'll need 10GbE, but if you do, then look at a pair of 4500-X series switches instead of the 3850s. Your 3560-Es will support 10GbE uplinks too, with the appropriate modules, of course.
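As an added example (not part of either reply above, and not taken from Cisco documentation), here is a minimal configuration for the design both replies describe: a stacked 3850 core routing between the VLANs, a cross-stack EtherChannel trunk down to one of the 3560-Es, and a transit VLAN up to the ASA pair, with the matching ASA inside configuration. The VLAN numbers, the 10.0.x.0 addressing, the interface names and the SERVERS-IN policy are assumptions for illustration only. The security point to keep in mind when making this change: once the SVIs on the core become the VMs' default gateways, traffic between VLANs never crosses the ASA, so whatever separation the ASA sub-interfaces and security levels enforced between VLANs is gone unless it is reintroduced on the switch (as the SVI ACL below does) or the sensitive VLANs are left on the firewall. Switch ACLs are stateless, which is why the example has to permit TCP `established` traffic and ICMP echo replies explicitly rather than relying on the ASA's connection tracking.

```text
! ===== Core: stacked Catalyst 3850, IP Base (assumed names/addresses) =====
hostname core-stack
!
ip routing
!
vlan 10
 name SERVERS
vlan 11
 name MGMT
vlan 255
 name ASA-TRANSIT
!
! One SVI per VLAN replaces the ASA sub-interface as the VMs' default gateway
interface Vlan10
 description Server VLAN gateway
 ip address 10.0.10.1 255.255.255.0
 ip access-group SERVERS-IN in
!
interface Vlan11
 description Management VLAN gateway
 ip address 10.0.11.1 255.255.255.0
!
! Transit subnet shared with both ASAs (active/standby needs L2 adjacency)
interface Vlan255
 description Transit to ASA inside
 ip address 10.0.255.3 255.255.255.248
!
! Each 5510 plugs into a different stack member, both in the transit VLAN
interface GigabitEthernet1/0/48
 description ASA-1 inside
 switchport mode access
 switchport access vlan 255
 spanning-tree portfast
!
interface GigabitEthernet2/0/48
 description ASA-2 inside
 switchport mode access
 switchport access vlan 255
 spanning-tree portfast
!
! Cross-stack EtherChannel trunk to a 3560-E: one member port per stack switch
interface Port-channel1
 description Trunk to access-sw1
 switchport mode trunk
 switchport trunk allowed vlan 10,11
!
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,11
 channel-group 1 mode active
!
! Everything not local goes to the ASA's active inside address
ip route 0.0.0.0 0.0.0.0 10.0.255.1
!
! Inter-VLAN traffic no longer reaches the ASA, so segmentation lives here.
! Example policy: servers may answer management sessions but not start any.
ip access-list extended SERVERS-IN
 remark Stateless ACL: replies must be allowed explicitly
 permit tcp 10.0.10.0 0.0.0.255 10.0.11.0 0.0.0.255 established
 permit icmp 10.0.10.0 0.0.0.255 10.0.11.0 0.0.0.255 echo-reply
 deny   ip 10.0.10.0 0.0.0.255 10.0.11.0 0.0.0.255
 permit ip any any
!
! Verify: show ip route / show ip interface brief / show etherchannel summary
!         show access-lists SERVERS-IN (hit counts should climb on the deny line)
!
! ===== ASA 5510 pair: the 11 sub-interfaces become one routed inside interface =====
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.255.1 255.255.255.248 standby 10.0.255.2
!
! Route the VLAN block back to the core stack (summary assumed to cover 10.0.10-11.0/24)
route inside 10.0.0.0 255.255.0.0 10.0.255.3 1
```

On the 3560-E side the matching ports need `switchport trunk encapsulation dot1q` before `switchport mode trunk` and the same `channel-group 1 mode active`. Migrate one VLAN at a time: create the SVI, move the VMs' gateway to it, then delete that ASA sub-interface, and check `show ip route` on the ASA after each step so nothing is left reachable only through the firewall.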
