Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1092
Views
10
Helpful
4
Replies

The Future of Cisco ISR/ASR?

Otaku78
Level 1
Level 1

‎07-24-2020 01:10 PM

Hi all,

I have a general question in regards to Cisco ISR/ASR.

 

Due to NGFWs really taking off with ever increasing features such as WAN optimisation, IPS, VPN, AV, DPI, VPN terminations etc, what would be a business case to drop a Cisco ISR/ASR in front of an NGFW these days?

 

I see network architect consultants pushing this but I see less reason for doing so. I get that you may not want a firewall on an MPLS connected site and instead use a Cisco ISR, but if a site absolutely requires a firewall why do this?

Labels:
0 Helpful
4 Replies 4

Leo Laohoo
Hall of Fame
Hall of Fame

‎07-24-2020 06:57 PM

A firewall doing IPS/IDS and router? It is called a single-point-of-failure.
IF the appliance has a firmware vulnerability in it, then it is "game over, man. Game over!".

Otaku78
Level 1
Level 1
In response to Leo Laohoo

‎07-24-2020 07:18 PM

Thanks for the reply Leo. Besides zero day vulnerability strategies which could be mitigated by also using 2 different firewall manufacturers, what routing processes would benefit by pure Cisco NGFW+ISR on the edge?

 

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to Otaku78

‎07-24-2020 07:38 PM - edited ‎07-24-2020 07:40 PM

This is a "what's a perfect cup of coffee" question. Everyone has their own "taste".
Small site, sure a router with FW function may/can work.
Big site? No way.

Let's say one has a 10 Gbps pipe.
How much does it cost for a router that will do 10 Gbps (per interface)? Add another for FW and IPS/IDS that can do, at least, 2 x 10 Gbps.
Compare that with an router with an IPS/IDS & FW "under one roof" and can really, really do 20 Gbps (minimum). The cost to this option would be your kidney and your lungs.
Now, here is the thing: All this are just "theories". Look for used-case(s). Look for people who really, really have deployed (and haven't rolled-back) deploying an all-in-one head end and with WAN speed of >10 Gbps for >1 year.

Remember:  Designing something is one thing.  Maintaining something is a whole different world of "realities".  

Otaku78
Level 1
Level 1
In response to Leo Laohoo

‎07-24-2020 07:48 PM

Leo as usual, you're a wealth of information. Thanks for pointing me in the right direction.

0 Helpful
Customers Also Viewed These Support Documents