07-24-2020 01:10 PM
Hi all,
I have a general question in regards to Cisco ISR/ASR.
Due to NGFWs really taking off with ever-increasing features such as WAN optimisation, IPS, VPN, AV, DPI, VPN terminations etc., what would be a business case to drop a Cisco ISR/ASR in front of an NGFW these days?
I see network architect consultants pushing this but I see less reason for doing so. I get that you may not want a firewall on an MPLS connected site and instead use a Cisco ISR, but if a site absolutely requires a firewall why do this?
07-24-2020 06:57 PM
07-24-2020 07:18 PM
Thanks for the reply Leo. Besides zero-day vulnerability strategies, which could be mitigated by also using 2 different firewall manufacturers, what routing processes would benefit from pure Cisco NGFW+ISR on the edge?
07-24-2020 07:38 PM - edited 07-24-2020 07:40 PM
This is a "what's a perfect cup of coffee" question. Everyone has their own "taste".
Small site, sure a router with FW function may/can work.
Big site? No way.
Let's say one has a 10 Gbps pipe.
How much does it cost for a router that will do 10 Gbps (per interface)? Add another for FW and IPS/IDS that can do, at least, 2 x 10 Gbps.
Compare that with a router with an IPS/IDS & FW "under one roof" that can really, really do 20 Gbps (minimum). The cost of this option would be your kidney and your lungs.
Now, here is the thing: All this is just "theories". Look for use case(s). Look for people who really, really have deployed (and haven't rolled back) an all-in-one head end with WAN speed of >10 Gbps for >1 year.
Remember: Designing something is one thing. Maintaining something is a whole different world of "realities".
07-24-2020 07:48 PM
Leo as usual, you're a wealth of information. Thanks for pointing me in the right direction.