We currently have the following network configured within our infrastructure.
2 x Cisco ASA 5510s configured in Active/Standby Mode
6 x 3560-E Catalyst Switches
2GB EtherChannel connections between switches
The ASAs have an Outside Interface with Security Level ‘0’ assigned, and 11 Sub-Interfaces configured on VLAN IDs 1-11, for argument's sake.
All the VLANs are configured on Trunk ports on the 3560s, which are in turn connected to our HyperVisors, which host VMs that could have any of the VLAN'd networks assigned.
All VMs have the ASA Sub-Interface IP address set as the default Gateway.
As our network grows, I do not believe the model/design we have above is sustainable or effective. I'm new to networking, but from what I've looked into already, we should be shifting the routing away from the ASA onto the Switches themselves. Can anyone shed some light on the best practice to get this implemented, and what exactly might be involved? None of the switches are configured with a particular role, i.e. Core, Dist, etc., so I'm open to ideas on how I should implement this.
The ASA 5510 firewall is not a very powerful device to handle all the routing between VLANs on the HyperVisors. The firewall in your case is the choke point, as all routing between VLANs has to traverse the firewall and back. You are better off connecting all your 3560-E switches to one or a set of stacked 3750Xs or 3850s and using the 3750Xs or 3850s to route for you. These devices are a lot faster than your firewalls. Then a routed connection from the 3750Xs to the firewall. These days, vCenter can route between VLANs within a HyperVisor or VLANs between HyperVisors, but for that you may need different licenses and a different version of software.
Agree with all of Reza's comments; you'd be much better off with a thin core layer, such as a pair of stacked 3850s running the IOS 'IP Base' feature set. You could then cross-stack connect all your 3560-Es for resiliency. You could also uplink each 5510 to a different core switch, for resiliency.
Doesn't sound like you'll need 10GbE, but if you do, then look at a pair of 4500-X series switches instead of the 3850s. Your 3560-Es will support 10GbE uplinks too, with the appropriate modules, of course.
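As an added illustration of the design both replies describe (this is example configuration, not anything posted in the thread): a 3850 stack running IP Base takes over the VLAN gateways as SVIs, a routed link carries everything else to the ASA, and because inter-VLAN traffic no longer crosses the firewall, a SVI ACL does the filtering the ASA used to do. All VLAN numbers, addresses and interface names are assumptions.

```cisco
! Added example, not from the thread. Addresses, VLAN IDs and ports are assumed.
ip routing
!
vlan 10
 name servers
vlan 11
 name management
!
! SVIs replace the ASA sub-interfaces as the VMs' default gateways
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
 no shutdown
interface Vlan11
 ip address 10.0.11.1 255.255.255.0
 no shutdown
!
! Routed (no switchport) uplink to the ASA inside interface;
! repeat on a second stack member port toward the standby ASA path
interface GigabitEthernet1/0/48
 description uplink to ASA inside
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Everything not local to the core still goes through the firewall
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Inter-VLAN traffic bypasses the ASA now, so restrict it on the switch:
! servers may reach management only over SSH, all other VLAN-to-VLAN denied,
! Internet-bound traffic still permitted (and inspected by the ASA)
ip access-list extended VLAN10-IN
 permit tcp 10.0.10.0 0.0.0.255 10.0.11.0 0.0.0.255 eq 22
 deny ip 10.0.10.0 0.0.0.255 10.0.11.0 0.0.0.255
 permit ip 10.0.10.0 0.0.0.255 any
!
! Downlink EtherChannel to a 3560-E stays a plain L2 trunk
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 1-11
```

The ASA side then needs a matching static route for the VLAN address space pointing at the core (for the addresses assumed here, `route inside 10.0.0.0 255.255.0.0 10.0.0.2`), and the old sub-interfaces can be retired once the VMs' gateways have moved.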