Best practice location for vlan interfaces

I would not recommend it because of many reasons

- performance bottleneck:  (you literlly throttling down your network to interface speed, throughput and other factors of the firewall)

- single point of failure: if your firewall go down, your intervlan/intervrf traffic is interrupted 

- feature lack: firewall does not support broadcast forwards for stuff like WoL, PXE Boot etc, complex multicast routing, VRFs, 

- maintainance: sophos lifecycle requires you to upgrade always to the newest code, otherwise you won't get "support". in larger networks thats a pain in the neck, if your intervlan routing is on the firewall.

if your goal is just visibility, there are better ways eg. netflow from the switches. 

I would not recommend it because of many reasons

- performance bottleneck:  (you literlly throttling down your network to interface speed, throughput and other factors of the firewall)

- single point of failure: if your firewall go down, your intervlan/intervrf traffic is interrupted 

- feature lack: firewall does not support broadcast forwards for stuff like WoL, PXE Boot etc, complex multicast routing, VRFs, 

- maintainance: sophos lifecycle requires you to upgrade always to the newest code, otherwise you won't get "support". in larger networks thats a pain in the neck, if your intervlan routing is on the firewall.

if your goal is just visibility, there are better ways eg. netflow from the switches. 

Thanks Samuel for the clear explanation!  Will keep all my VLANIF's on the core switch!