Internal Firewall Sizing

ishara (Level 1)

We currently have two Cisco C9407R core switches, two Cisco FTD 2130 perimeter firewalls, and two Cisco routers. The DHCP services and routing tables are managed by the core switches. We plan to introduce an internal firewall between the perimeter firewalls and the core switches to enhance our network security. For this, we need to determine the appropriate firewall sizing.

The internal firewall will handle inter-VLAN routing and manage LAN traffic, while VPNs and internet-bound traffic will continue to be processed by the perimeter firewalls. Our network includes a data center, WLANs, and VPNs.

Could you guide us on the key parameters to consider when sizing the internal firewall and provide insights into the sizing process?

5 Replies

@ishara it depends on many factors, including what features you want to enable, such as IPS, Malware, URL filtering etc., and what the required throughput will be.

What is the current utilisation of the links? That will provide an indication of what hardware you will require.

You probably won't want 1000 series hardware as it is probably not powerful enough, and the 2100 series is old; I would recommend the relatively new 3100 series.


Thank you for your response. We need to create a Request for Proposal (RFP) that includes IPS, malware protection, and URL filtering features. The challenge is that inter-VLAN routing on the core switch needs to be moved to the internal firewall. I need guidance on the parameters we should collect and the relevant show commands to gather this information from the devices.

@ishara if the Firewall is going to perform the inter-VLAN routing, you need to determine the maximum required throughput of the Firewall (traffic between VLANs); you can use SNMP for this to get an idea. As @Aref Alsouqi said, contact your Cisco partner: if you confirm bandwidth requirements and required features (IPS, Malware etc.) they can identify the suitable Firewall model using the performance estimator tool.

Moving the inter-VLAN routing to the core firewall is not too complicated; I've done it several times with no issues. The key thing with that is to move the SVIs from the core switch to the core firewall so you don't have to change any default gateway IPs on the endpoints. You can do that by having the firewall SVIs (subinterfaces) shut down, assigning the IPs, and after implementing the security policies you can bring them up. One thing to keep in mind here is that the moment you bring them up on the firewall you will start getting duplicate IP addresses on your network until you shut down the SVIs on the core switch. Because of this it is crucial to have a console connection to the core switch, or to be connected to the core switch via OOB. With regard to having good visibility of how much traffic is flowing via your core switch, I think the best tool that can help with this would be NetFlow, where you turn it on on all the interfaces of interest.

I agree with @Rob Ingram, I think the 3100 series would be a good choice. Those firewalls could support from 10 to 45 Gbps AVC + IPS, depending on the hardware. Compared to the 2100 series which are categorized for medium enterprise, the 3100s are categorized for large enterprise and I saw many of them at DCs.

Cisco Secure Firewall 3100 Series Data Sheet - Cisco

You might want to talk to your Cisco reseller if you need more accurate advice based on your environment traffic so they can allocate some technical resources to go through an audit before suggesting the right platform.
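As an added example (not code from the thread or from Cisco), the throughput figure the replies above ask for can be derived from polled SNMP counters on the core-switch SVIs; the SVI names, polling interval and counter readings below are constructed, not real data.

```python
"""Turn polled SVI ifHCInOctets readings into a sizing figure.

Assumptions (constructed for this example): each core-switch SVI is
polled every INTERVAL seconds for its 64-bit ingress octet counter.
Ingress octets on an SVI are what the switch routes on behalf of that
VLAN, so summing ingress across all SVIs per interval approximates the
load the internal firewall would inherit (this includes traffic routed
toward the perimeter firewalls, so it is an upper bound).
"""
import math

COUNTER_MAX = 2 ** 64   # ifHCInOctets is a Counter64
INTERVAL = 300          # constructed: 5-minute polling interval (seconds)

def counter_delta(prev, cur, max_value=COUNTER_MAX):
    """Octets transferred between two polls, correcting for counter wrap."""
    if cur >= prev:
        return cur - prev
    return (max_value - prev) + cur

def rates_bps(samples, interval=INTERVAL):
    """Per-interval bits/s from a list of successive counter readings."""
    return [counter_delta(p, c) * 8 / interval for p, c in zip(samples, samples[1:])]

def percentile(values, pct):
    """Nearest-rank percentile, the usual way NMS tools report p95."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def sizing_report(svi_samples, interval=INTERVAL):
    """Return {svi: p95 bps, ..., 'aggregate': p95 of the summed load}."""
    per_svi = {svi: rates_bps(s, interval) for svi, s in svi_samples.items()}
    report = {svi: percentile(r, 95) for svi, r in per_svi.items()}
    # Sum interval by interval first: peaks on different VLANs need not
    # coincide, so adding per-SVI percentiles would oversize the box.
    aggregate = [sum(col) for col in zip(*per_svi.values())]
    report["aggregate"] = percentile(aggregate, 95)
    return report

# Constructed readings: 4 polls -> 3 intervals per SVI. The first Vlan20
# reading sits just below 2**64 so the next poll wraps the counter.
SAMPLES = {
    "Vlan10": [0, 3_750_000_000, 7_500_000_000, 22_500_000_000],
    "Vlan20": [COUNTER_MAX - 1_875_000_000, 1_875_000_000,
               5_625_000_000, 9_375_000_000],
}

if __name__ == "__main__":
    for name, bps in sizing_report(SAMPLES).items():
        print(f"{name:>10}: {bps / 1e6:8.1f} Mbps (p95)")
```

Feed the real per-SVI readings in the same shape (one list per SVI, one reading per poll) and the aggregate p95 is the number to give the partner's performance estimator alongside the feature list.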
