VRF with Cisco Firepower

abbasali5
Level 1

I am proposing a security solution for one of my customers with one of the options below:

· Firepower 4120 Bundle

· FPR9300 SM-24 Bundle

· FPR9300 SM-36 Bundle

He had a few concerns:

· They are looking to use firewalls as the security node to gate access between VRFs.

· There will be a web filtering product and a bandwidth management unit in between.

· Each business unit has its own firewalls with its own web filtering solution, and they aggregate in the Core.

· They desire a single check point for security between VRFs.

My concern is the ability of an ASA to handle the bandwidth, since firewalls are not routers, especially in this case where VRFs are involved and the firewall may be a bottleneck.

Is there any information regarding routing specs, or do the tech specs on CCO for stateful inspection apply to routed traffic? The traffic actually is routed through the firewall and is supposed to meet those specs.

I am thinking of proposing a high-end Catalyst switch to handle the VRF routing.

Any thoughts?

Thanks,

3 Replies

Oliver Kaiser
Level 7

Stateful inspection throughput matches up to the Cisco published throughput imo. Multiprotocol stateful inspection throughput should be considered for sizing in case only L4 features are used and the workload consists of the typical enterprise mix of traffic.

To make a general assumption of how much the device will be able to handle, also consider looking into 3rd-party test results. NSS Labs publishes a yearly NGFW report that includes Cisco ASA. Apart from security viability, they also check the vendors' throughput claims and verify them.

Reading through your requirements I would question if they even need central firewalling. You mentioned that every customer already uses their own firewall solution and you are only connecting between them - is that correct, or is there some central service involved that is exposed to the customers and should be protected centrally?

Thanks Kaisero!

To answer your question, the client is a parent company and provides the core services. The other divisions have their own firewalls just to protect their internal LANs, but they do access the Internet via the parent Core Network.

Is there anything else you would like to know? Since your question was very open I am not sure you got all the info you are looking for.
