Why use transparent firewall in data center?

fouzan.work
Level 1

I've seen Cisco documentation recommending transparent mode for firewall deployment in the data center, e.g. on the 5585-X. I understand the key reasons for this are:

- easy "insertion" of firewall in pre-existing network

- speed (since there is no "hair-pinning")

Assume that the above two are not a major concern (i.e. you can redesign your network to have the firewall hold default gateways and your firewall is much more powerful than your needs). Then from a financial perspective, it doesn't seem to make sense to do transparent firewall deployment of the 5585X for the following reasons:

- you are limited to a maximum of 8 bridge-groups

If you really want to follow best practices and implement fine segmentation of your network, you'll need to create tens or hundreds of VLANs and perform access control on them. This limit of 8 BVIs means that you basically can have only 8 "segments" per context. After that, you have to resort to adding contexts as you grow (contexts introduce their own cost AND complexity).

Am I missing something? Why would Cisco recommend transparent firewall for data center if cost is remotely a concern? I can't seem to find any good documentation justifying this. Thanks in advance for your experiences/insight.
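To make the "8 segments per context" point concrete, here is an added configuration sketch that is not part of the original post. It shows what one bridge group costs in transparent mode on an ASA (each segment consumes a bridge group that bridges an inside VLAN to an outside VLAN, with the BVI carrying only a management address) next to the routed-mode equivalent (each VLAN subinterface simply gets its own IP and acts as that segment's default gateway, with no bridge-group consumed). The VLAN IDs, interface names, addresses and ACL names are hypothetical; the per-context bridge-group ceiling is the one the post cites.

```cisco
! ---- Transparent mode: one bridge group per segment, max 8 per context (per the post)
firewall transparent
!
! Segment 1: "web" tier. Inside VLAN 10 and outside VLAN 110 are bridged by BVI1.
! (VLAN IDs and names are hypothetical.)
interface GigabitEthernet0/0.10
 vlan 10
 bridge-group 1
 nameif web-inside
 security-level 100
!
interface GigabitEthernet0/1.110
 vlan 110
 bridge-group 1
 nameif web-outside
 security-level 0
!
interface BVI1
 ! Management address only; hosts keep their default gateway on the upstream router.
 ip address 10.1.10.5 255.255.255.0
!
! Segment 2: "db" tier, a second bridge group. Segments 3..8 follow the same pattern;
! segment 9 would need a new security context.
interface GigabitEthernet0/0.20
 vlan 20
 bridge-group 2
 nameif db-inside
 security-level 100
!
interface GigabitEthernet0/1.120
 vlan 120
 bridge-group 2
 nameif db-outside
 security-level 0
!
interface BVI2
 ip address 10.1.20.5 255.255.255.0
!
! Transparent mode still filters: only what the ACL permits crosses the bridge group.
access-list DB-IN extended permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 3306
access-list DB-IN extended deny ip any any
access-group DB-IN in interface db-outside

! ---- Routed mode equivalent: the ASA is the gateway for every VLAN, no bridge groups used
no firewall transparent
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif web
 security-level 50
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif db
 security-level 60
 ip address 10.1.20.1 255.255.255.0
!
! Dozens more VLAN subinterfaces can be added the same way without a bridge-group limit;
! inter-VLAN traffic hair-pins through the ASA and is filtered per interface.
access-list WEB-OUT extended permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 3306
access-list WEB-OUT extended deny ip any any
access-group WEB-OUT in interface web
```

The contrast is the whole cost argument: in transparent mode every segment doubles its VLAN count (inside and outside halves) and spends one of the eight bridge groups, while in routed mode a segment is one subinterface with an IP, at the price of the ASA becoming the gateway and all inter-segment traffic hair-pinning through it.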

3 Replies

Julio Carvajal
VIP Alumni

Hello Fouzan,

I think you already covered it

Good job with the analysis. Basically, as you said, it is the ability to place the transparent-mode firewall into the network environment with no routing complications, etc. BUT, as you said, there are limitations.

I would still use routed mode due to the requirements you set, but there will be scenarios where this will not be the case and a bridge group or two will take care of everything, so a transparent-mode firewall would do it.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks. Does anyone have any insight into why Cisco limits the number of bridge-groups in transparent mode to 8? And I don't think this is a licensed feature (so you can't increase that number either). Can't be due to hardware limitations...especially on a 5585.

Hello,

That is correct, you cannot increase it whether you are using a license or not.

That is just how it behaves.

For that particular question you can contact your account manager, if you have one, so they can open an enhancement request for you.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC