
When to Route on Core Switches vs Next-Gen Firewalls in Enterprise Networks


For enterprise network architects and senior infrastructure engineers, deciding where Layer 3 routing should live, on the core switch or on the Next-Generation Firewall (NGFW), is a foundational design decision. Get it wrong in one direction and every inter-VLAN flow hairpins through a stateful appliance that cannot keep up; get it wrong in the other and traffic crosses trust boundaries with no inspection at all.

As modern environments adopt hybrid cloud architectures, zero-trust models and high-throughput applications, the traditional model in which all inter-VLAN traffic hairpins through one central device (the "router-on-a-stick", or its firewall-as-default-gateway equivalent) is coming under scrutiny. This guide explores the architectural trade-offs, performance limits and modern design patterns such as VRF-lite to help you choose the right routing boundary for your enterprise.



Part 1: Common Enterprise L3 Designs

Core Switch Routing Model

Routing on a core switch prioritizes raw forwarding performance. The switch CPU runs only the control plane (routing protocols, ARP, management); packet forwarding happens in hardware ASIC pipelines, so throughput is set by the ASIC and does not degrade with per-packet CPU load.

Example CLI command to verify the routing table (Cisco IOS/NX-OS syntax; other vendors have an equivalent):

show ip route

In a core-routing design the inter-VLAN subnets should appear here as directly connected (C) entries on the core's own SVIs, not only as a default route pointing at the firewall.

Core routing is typically preferred for heavy east-west traffic such as:

  • Storage replication traffic
  • Virtual machine migration traffic
  • Internal database communication

Firewall-Centric Routing Model

Delegating routing to security appliances prioritizes visibility and policy enforcement: every inter-VLAN flow crosses a stateful inspection point, so it is logged, subject to IPS and application control, and easy to demonstrate to an auditor.

Next-generation firewalls such as Fortinet FortiGate or Palo Alto Networks platforms can run static and dynamic routing (OSPF, BGP) combined with inspection and threat prevention.

However, a firewall is a stateful device: every new flow consumes a session-table entry and passes through the inspection engines, so its usable throughput, especially with IPS or TLS decryption enabled, is well below its interface speed. Hairpinning all east-west traffic through it adds latency and makes the firewall the single point of contention for the whole network.

Hybrid Routing Architecture

Modern enterprise designs typically combine both approaches.

Core switches perform high-speed forwarding inside each trust zone, while firewalls sit at the zone boundaries and enforce policy only on the traffic that crosses them.


Part 2: Sizing the Core — Traffic Patterns vs 10G/40G/100G Hype

Enterprise network design must be based on real workload traffic patterns rather than interface marketing specifications.

Common interface speeds are 10G, 40G and 100G, but real capacity planning must consider:

  • Oversubscription ratios (access-to-uplink and uplink-to-core bandwidth)
  • Routing, ARP and MAC table scale on the switch ASIC
  • Session-setup rate and concurrent-session capacity of any firewall in the path

Modern enterprise networks are often dominated by east-west application traffic rather than north-south internet traffic, so the bulk of the bandwidth should stay on the core ASICs and the firewall should be sized for the north-south and cross-zone share only.


Part 3: Designing VLANs, SVIs, and ACLs on L3 Switches

Layer 3 core switches segment at Layer 2 with VLANs and route between them with Switched Virtual Interfaces (SVIs), one SVI per VLAN acting as that subnet's default gateway.

Security filtering can be implemented with Access Control Lists (ACLs) applied to SVIs, but switch ACLs are stateless: they do not track connections, so return traffic must be permitted explicitly. Large ACL deployments also require careful TCAM planning, because every access-control entry consumes hardware table space and the switch falls back to software forwarding (or rejects the ACL) when TCAM is exhausted.

Example command to check ACL TCAM consumption on a Cisco Catalyst switch (exact syntax varies by platform and software release):

show platform tcam utilization

Large ACL designs also increase operational complexity: with no state tracking, every permitted flow needs a matching return entry, and troubleshooting means reading hit counters across many SVIs.
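Here is a worked configuration of the VLAN/SVI/ACL pattern described above, written in Cisco IOS syntax. It is an added example, not configuration from the original page or from any vendor's documentation; the VLAN IDs, subnets, port list and the ACL name USERS-TO-SERVERS are assumptions chosen for illustration.

```cisco
! Added example (not from the original page): core-switch segmentation with
! VLANs, SVIs and a stateless ACL. VLAN IDs, subnets and the ACL name are
! assumptions for illustration.
!
! Two VLANs inside the same trusted zone: users and internal servers.
vlan 10
 name USERS
vlan 20
 name SERVERS
!
ip routing
!
! One SVI per VLAN acts as that subnet's default gateway. The ACL is applied
! inbound, i.e. to packets arriving from hosts in VLAN 10.
interface Vlan10
 description Users
 ip address 10.1.10.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
!
interface Vlan20
 description Internal servers
 ip address 10.1.20.1 255.255.255.0
!
! Stateless ACL: the switch keeps no session table, so this filters only the
! user->server direction. Replies from servers enter on Vlan20, which has no
! inbound ACL. If Vlan20 later gets one, it must explicitly permit the replies
! (for TCP, entries with the "established" keyword).
! Do not add "log" to busy entries: logged packets are punted to the CPU.
ip access-list extended USERS-TO-SERVERS
 remark block management protocols from the user VLAN
 deny   tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 22
 deny   tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 3389
 deny   tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 range 135 139
 deny   tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 445
 remark permit only the application ports the users actually need
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 443
 permit tcp 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 eq 1433
 remark anything else toward the server VLAN is dropped
 deny   ip  10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
 remark users may still reach every other destination (routed on the core)
 permit ip  10.1.10.0 0.0.0.255 any
```

Each entry above occupies at least one TCAM slot (port ranges can consume additional hardware resources), so the ten-line list is cheap, but the same policy written per host instead of per subnet would multiply the entry count by the number of hosts. Verify hit counters with show ip access-lists USERS-TO-SERVERS and confirm the list was programmed in hardware with the TCAM utilization command shown above.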


Part 4: Where the Firewall Fits — Security Zones and Transit Networks

Firewalls should primarily function as security enforcement boundaries rather than high-volume routing cores.

Modern enterprise security designs divide networks into zones such as:

  • Trusted internal networks
  • Guest access networks
  • Partner connectivity zones
  • Internet-facing networks

Virtual Routing and Forwarding (VRF) provides logical isolation, a separate routing table per zone on the same switch, without duplicating physical hardware. In a VRF-lite design each VRF's only exit is a transit network toward the firewall, so intra-zone traffic stays on the core while anything leaving the zone must cross the firewall.

Typical traffic path design:

  1. User network
  2. Core switch routing
  3. Firewall security inspection
  4. External network
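Here is a worked VRF-lite configuration of the traffic path above, in Cisco IOS syntax, showing how each zone's only exit is a transit network toward the firewall. It is an added example, not configuration from the original page; the zone names TRUSTED and GUEST, VLAN IDs, subnets, route distinguishers and the firewall addresses are assumptions. It also extends the page's show ip route check to the per-VRF form.

```cisco
! Added example (not from the original page): VRF-lite on the core switch with
! one transit VLAN per zone toward the firewall. Zone names, VLAN IDs, subnets,
! route distinguishers and firewall addresses are assumptions for illustration.
!
! Each zone gets its own routing table (VRF). Intra-zone traffic is routed in
! hardware on the core; the only route out of a VRF is a default route to the
! firewall interface for that zone, so every cross-zone flow and all
! north-south traffic traverses the firewall.
vrf definition TRUSTED
 rd 65000:10
 address-family ipv4
 exit-address-family
!
vrf definition GUEST
 rd 65000:20
 address-family ipv4
 exit-address-family
!
ip routing
!
! Trusted zone: user and server VLANs routed locally inside the VRF.
! ("vrf forwarding" must precede "ip address"; applying it clears the address.)
interface Vlan10
 description Trusted users
 vrf forwarding TRUSTED
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 description Trusted servers
 vrf forwarding TRUSTED
 ip address 10.1.20.1 255.255.255.0
!
! Guest zone: a different routing table, no path to TRUSTED on the core.
interface Vlan30
 description Guest wireless
 vrf forwarding GUEST
 ip address 10.1.30.1 255.255.255.0
!
! Transit networks: one point-to-point /30 per zone to the firewall.
interface Vlan910
 description Transit TRUSTED -> firewall
 vrf forwarding TRUSTED
 ip address 10.255.10.1 255.255.255.252
!
interface Vlan920
 description Transit GUEST -> firewall
 vrf forwarding GUEST
 ip address 10.255.20.1 255.255.255.252
!
! Default route per VRF to the firewall's zone-facing interface.
ip route vrf TRUSTED 0.0.0.0 0.0.0.0 10.255.10.2
ip route vrf GUEST   0.0.0.0 0.0.0.0 10.255.20.2
!
! Deliberately absent: any static route or route leaking between the VRFs.
! A leaked route would create a core-only path between zones that bypasses
! the firewall's zone policy.
```

The firewall side needs interfaces on the two transit VLANs (10.255.10.2 and 10.255.20.2) placed in separate firewall zones, plus static routes back to 10.1.10.0/24 and 10.1.20.0/24 via 10.255.10.1 and to 10.1.30.0/24 via 10.255.20.1. Verify on the core with show ip route vrf TRUSTED: it should list the connected VLAN 10, 20 and 910 subnets and a single static default via 10.255.10.2, and no route at all to the guest subnet.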

Part 5: Hardware Selection Guide

Cisco Enterprise Platforms

Enterprise core routing commonly uses hardware forwarding platforms such as Catalyst and Nexus series switches from Cisco Systems.

HPE Aruba Platforms

HPE Aruba focuses on campus networking integration and distributed enterprise environments.

Juniper Platforms

Juniper Networks infrastructure platforms are widely deployed in service provider and high-performance enterprise networks.

Fortinet Converged Security Networking

Fortinet platforms provide integrated networking and security processing, but they require careful capacity planning when deep inspection is enabled: size to the datasheet's threat-protection or SSL-inspection throughput figures, which are far lower than the raw firewall throughput, rather than to the interface speed.


Part 6: FAQ

Q1. Should routing be centralized in the core switch or delegated to firewalls?

There is no universal answer. Use core switches for high-throughput routing within a trust zone and firewalls for policy enforcement on traffic that crosses zone boundaries.

Q2. How much traffic can modern core switches handle?

Modern ASIC-based core switches can forward traffic at 10G, 40G, or 100G+ line rates with microsecond latency.

Q3. How do security zones influence routing?

Traffic inside trusted zones should remain on core forwarding paths, while cross-zone traffic should be inspected by firewalls.

Q4. When do VRFs replace physical segmentation?

VRFs are used when logical network isolation is required without deploying additional physical hardware. They isolate routing tables, not the physical links, and they enforce no policy by themselves, so the firewall is still needed wherever traffic is allowed to pass between the isolated zones.

Q5. Which hardware platforms are recommended for enterprise cores?

Common platforms include Cisco Catalyst/Nexus switches and high-performance NGFW platforms such as Fortinet FortiGate series.
