1157 Views | 18 Helpful | 10 Replies

pros and cons of this topology

Ibrahim Jamil
Level 6

Hi Experts

Please find attachment

Have you seen this type of setup before?

What are the pros and cons of this topology?

thanks

Ibrahim

10 Replies

mvsheik123
Level 7

Hi Ibrahim,

This is a normal setup for small- to medium-sized organizations. In this scenario, normally the ISP will use one of the assigned public IPs as the gateway IP (router IP) and the rest will be yours. You may see a switch between the customer FW and the ISP router, so that you can add more perimeter devices with public IPs. In case of only 2 usable public IPs, no need to have any switch though.

hth

MS

EDIT:

Pro: Simple to manage. Add a default route on your FW and have proper security rules, all set to go.

Con: Single point of failure.

Hi

But this is a strange design, FW then router. What I have seen in my career is edge router then firewall, not firewall then edge router. Have you seen this type of design before? What is the difference in terms of a logical setup?

thanks

jamil

Hi Ibrahim,

First thing, there is only one link to the ISP, which means there is no high availability. You need to have multihoming.

Secondly, you are right that normally the edge router peers with the SP and you have the FW behind it. But the FW can also peer with the SP, as it can do some basic routing like static routes, etc. The logic here, from a simplistic perspective, is to allow very strict security so that nothing passes the FW. If you have the edge router then it's vulnerable to attacks etc., as it's not that secure, if you know what I mean. Other than that I don't see anything out of the blue in having such a setup.

HTH

Kishore
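As an added example (not from any poster in this thread), here is what the firewall-at-the-edge setup that mvsheik123 and Kishore describe could look like on a Cisco ASA: the ISP's gateway takes the first usable address of the assigned public block, the firewall takes the next one, a single default static route points at the ISP gateway, inside hosts are translated to the firewall's public address, and the outside interface accepts no unsolicited inbound traffic. The platform, interface names, object names and all addresses (documentation ranges 203.0.113.0/29 and 10.0.0.0/24) are assumptions chosen for illustration.

```cisco
! Assumed ASA configuration for the FW-then-ISP topology discussed above.
! Public block 203.0.113.0/29 is a constructed example: .1 is the ISP
! gateway (the "router IP" the ISP keeps), .2 is the firewall's outside address.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! The "basic routing" the firewall needs: one default static route to the ISP.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Hide the private LAN behind the firewall's own public address.
object network inside-net
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Strict inbound policy: nothing unsolicited from the Internet passes the FW.
! Return traffic for inside-initiated sessions is still allowed by the
! stateful inspection engine; only new connections are dropped here.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Outbound traffic from inside (security-level 100) to outside (0) is
! permitted by the default higher-to-lower security-level behaviour.
```

After applying this, `show route` should list the single default route via 203.0.113.1, and `show access-list OUTSIDE_IN` lets you watch the hit counter on the deny entry, which is the most direct way to see unsolicited inbound traffic (including the kind of probing Vasilis mentions below) being dropped at the edge. Note the trade-off the thread raises: with a single uplink and a single firewall, this device is also the single point of failure.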

Hi Ibrahim,

In your topology you have to connect two separate networks, the enterprise and the ISP; the function of the device on the edge will primarily be that of a router rather than a firewall.

A router is a device designed to route packets, while a firewall is designed to filter traffic.

Moreover, a router normally has interfaces that a firewall does not have. It's hard to find a firewall with ATM or serial interfaces to connect it to the WAN. So, in such cases you'll need a router before the firewall to connect your network to the ISP.

Hope that helps,

Vasilis

Vasilieos makes a very good point here about the different media types. 5+ for that.

Thank you Kishore for the 5 valuable points!

Hi Vasilis, hi Kishore

I agree with Vasilieos, can you please elaborate more!

Your comments: is it a strange design, FW then edge? Do you agree? I have not seen this design before! Is this a best practice?

thanks

jamil

I agree, Ibrahim, that this design is not so common due to the limitations described above.

(Difficulties in multihoming the environment with the ISP due to the routing limitations of the FWL, limitations of the FWL for QoS compared to the router, WAN interface type limitations, etc.) On the other hand, the main advantage of the FWL at the edge is that the router is not directly exposed to the web, and so attacks, e.g. DoS, can be filtered by the FWL.

Finally, you should take into account the future needs of the customer... maybe now it is just a router and FWL, but in the future the customer could request redundant links or routers, and this requires advanced routing mechanisms that you cannot achieve with a FWL.

Hope that helps!

Vasilis

Hi Vasilis

Thanks, you deserve another 5 points from me. Thanks Cisco for this valuable forum.

Exciting topic: BGP With 3 Links, please participate.

ibrahim

Thank you Ibrahim for the points
