ASA In Data Centers, why not routed mode?

ramikamel911
Level 1

Hi Guys,


As I can see, Cisco is recommending for the ASAs to be in transparent mode in data centers. My question: why not routed mode?

How do I decide? What is the problem in having the routing on the ASA?

I know that transparent mode is easier to place, but in my case it is a new design and I want to use the interface VLANs on the ASA, not the core, so the gateway of each server will be the ASA.

What is the problem here? Why is it not recommended?

I'm using ASA clustering as well over two DCs.

In Cisco links they explain why to use transparent mode, but I couldn't find what the problems/limitations are in using routed mode.

Any clue?


Thanks & Regards,

Rami

5 Replies

ryancisco01
Level 1

I wasn't aware Cisco were recommending transparent mode.


To be honest it's probably a sales thing. Think about the big flaw of transparent mode firewalls: you have to route in one interface and route out the other, whereas a routed firewall can have as many interfaces and subnets coming into it as you like.

So with transparent mode, when the network grows you have to buy a second piece of hardware for each new network.


Jon Marshall
Hall of Fame

but in my case it is new design and i want to use the interface vlans on the ASA not core. so the gateway of each server will be the ASA.

If that's the case use routed mode on your ASA.

Cisco's design docs are a great place to start, but there is nothing that says you have to follow them to the letter; you modify them to fit what you need.

Bear in mind as well that it's not an either/or choice. With contexts you can have some in transparent mode and some in routed mode, so you have flexibility.

I don't know what design guides you are referring to, but it may be that they include some L2 features, e.g.:

A long while back we wanted to do RRI (Reverse Route Injection) from a CSM load balancer that was behind a firewall. For it to work, the CSM had to be L2 adjacent to the 6500, which meant you couldn't use the FWSM in L3 mode.

Not saying you want to do that but it is an example of where other parts of the design can dictate how you run your firewalls.

Jon

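The mixed-mode arrangement Jon describes, as an added illustration that is not from the thread or from Cisco's guides: a multiple-context ASA (9.x assumed, where the firewall mode is set per context) with one routed context where the ASA sub-interface is the servers' default gateway, as the original poster wants, and one transparent context that bridges a legacy VLAN pair so the gateway stays on the core. Interface numbers, context names, VLANs and addresses are all constructed for the example.

```text
! System execution space: enable multiple contexts and hand out sub-interfaces
mode multiple
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
interface GigabitEthernet0/0.30
 vlan 30
interface GigabitEthernet0/0.31
 vlan 31
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
context dc-servers
 allocate-interface GigabitEthernet0/0.10
 allocate-interface GigabitEthernet0/0.20
 config-url disk0:/dc-servers.cfg
context legacy-app
 allocate-interface GigabitEthernet0/0.30
 allocate-interface GigabitEthernet0/0.31
 config-url disk0:/legacy-app.cfg

! Context dc-servers (routed): the ASA interface VLAN is the servers' gateway
interface GigabitEthernet0/0.10
 nameif servers
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 nameif core
 security-level 50
 ip address 10.10.20.2 255.255.255.0
route core 0.0.0.0 0.0.0.0 10.10.20.1

! Context legacy-app (transparent): bridge VLAN 30 and 31, gateway stays on the core
firewall transparent
interface GigabitEthernet0/0.30
 nameif inside
 security-level 100
 bridge-group 1
interface GigabitEthernet0/0.31
 nameif outside
 security-level 0
 bridge-group 1
interface BVI1
 ip address 10.10.30.2 255.255.255.0
```

The BVI address in the transparent context is for management only; the servers on VLAN 30 still point at the core's SVI as their gateway, which is the property that makes the transparent context the easier one to insert into an existing L3 design.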

shillings
Level 4

Some systems guys don't like to have a firewall as the next hop out of the DC. They probably don't like any firewall being there at all and like to blame the firewall for any connectivity issues. Transparent mode helps. Just a thought. 
