Wednesday, August 14, 2019

Does anyone actually use ACLs over firewalls in the real world?

I recently set up an L3 switch to handle interVLAN routing but, after doing so, am really beginning to question my choice. I had originally chosen to go the L3 route because I assumed that the stateless nature (and minimal inspection) of ACLs would reduce latency whenever traffic needed to cross VLANs. I had also read that routing locally on the switch was just plain faster and that in general, routing closest to the traffic was preferred (though no exact reason was given). First of all, is this actually true?

Second, I originally failed to account for the return traffic that can’t make it back through the ACL without additional configuration. I can think of very few situations where I would ever want to reach out to one VLAN from another but not be interested in the response. It seems Cisco has even abandoned traditional ACLs in favor of Context-Based Access Controls (CBAC), which essentially turn the stateless ACL behavior into a stateful one. So with that, in all but the most extreme situations where ACLs are set up to totally isolate VLANs, are ACLs commonly used anymore, or is it more common/preferred to use a router-on-a-stick configuration in conjunction with a stateful firewall? The maintenance seems to be far more easily managed that way.

What are some considerations for one over the other? I imagine that if you don’t anticipate a high level of interVLAN routing, then that’s another vote in favor of the router-on-a-stick/firewall route.
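To make the return-traffic problem in the question concrete, here is a constructed Python model, added here and not part of the original post or any vendor's code: a stateless ACL evaluated with and without an `established`-style ACK-bit match, beside a small stateful flow table. The VLAN subnets, ports and the "clients may open TCP/443 to servers, servers never initiate" policy are assumptions.

```python
"""Constructed model: two VLANs behind an L3 switch, clients in 10.0.10.0/24,
servers in 10.0.20.0/24 (assumed addressing, not from the original post)."""
from ipaddress import ip_address, ip_network

CLIENTS, SERVERS = ip_network("10.0.10.0/24"), ip_network("10.0.20.0/24")
# A packet is (src_ip, src_port, dst_ip, dst_port, ack_flag_set).

def stateless_acl(pkt, allow_established):
    """Judge one packet in isolation, as a classic stateless ACL does.
    allow_established models Cisco's 'established' keyword: it only checks
    that the ACK (or RST) bit is set, so it cannot tell a genuine reply from
    an unsolicited packet that merely has that bit set."""
    src, sport, dst, dport, ack = pkt
    src, dst = ip_address(src), ip_address(dst)
    if src in CLIENTS and dst in SERVERS and dport == 443:
        return True                      # client-initiated request
    if (allow_established and src in SERVERS and sport == 443
            and dst in CLIENTS and ack):
        return True                      # any ACK-flagged packet from port 443
    return False                         # implicit deny at the end of the ACL

class StatefulFilter:
    """Permit a packet if it starts an allowed flow or is the reverse of a
    flow already recorded, the way a stateful firewall or CBAC behaves."""
    def __init__(self):
        self.flows = set()
    def permit(self, pkt):
        src, sport, dst, dport, _ack = pkt
        if (dst, dport, src, sport) in self.flows:
            return True                  # reply to a flow we saw opened
        if stateless_acl(pkt, allow_established=False):
            self.flows.add((src, sport, dst, dport))
            return True
        return False

# Constructed sample traffic: a client request, its reply, and an unrelated
# ACK-flagged packet a server sends toward a client port nobody opened.
REQUEST = ("10.0.10.7", 51234, "10.0.20.5", 443, False)
REPLY = ("10.0.20.5", 443, "10.0.10.7", 51234, True)
UNSOLICITED = ("10.0.20.5", 443, "10.0.10.9", 445, True)

def compare():
    """Return verdicts (plain ACL, ACL+established, stateful) per packet."""
    sf = StatefulFilter()
    pkts = (REQUEST, REPLY, UNSOLICITED)
    return ([stateless_acl(p, False) for p in pkts],
            [stateless_acl(p, True) for p in pkts],
            [sf.permit(p) for p in pkts])

if __name__ == "__main__":
    print(compare())  # plain ACL drops the reply; 'established' lets the unsolicited packet in
```

The plain ACL blocks the legitimate reply, the `established` variant admits both the reply and the unsolicited ACK-flagged packet, and only the flow table admits exactly the reply.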
