
Request for advice on Internet edge devices for two 10Gbps circuits to

mshell
Level 1

Hello.  My company is moving into a new building and we will need to purchase new firewalls and Internet routers.  I'm hoping someone will be able to offer some advice as to the best products to purchase.  We have about 100 employees in a single building with no WAN connections and no site-to-site VPNs.  We are a media company and we transfer a lot of high definition video files and so we are installing two 10Gbps circuits in the new building to two different ISPs.  Our internal infrastructure is all Meraki and we currently use two MX450s, but those cannot support 10Gbps, so they will need to be replaced.  I was very familiar with the Cisco PIX and ASA firewalls (seems like a lifetime ago...), but I am not very familiar with the Firepower series.  Here are my concerns:

- We use client-to-site VPN extensively and we would like a solution that will survive either a circuit failure or a hardware failure.  In the event of a failure, I don't mind if all client VPN sessions terminate and must be reestablished, but I want users to be able to reconnect within 5 minutes of the outage.

- In order to achieve both inbound and outbound load balancing across our two Internet circuits, I assume we will need to use BGP and I will need to use route-maps to modify the MED (or prepend to the AS path) in order to influence which path inbound traffic takes.  Will the Firepower 4115 support that?

- In addition to client-to-site VPN, we don't have many inbound sessions from the Internet.  We have only five internal servers that have translations and access control rules to allow inbound sessions.  This traffic is relatively low bandwidth.

- Our single biggest outbound bandwidth consumer is sending video files to our cloud storage provider.  I was thinking I would have a static route pointing out one ISP to that destination network and then have the default route pointing out the other ISP and that will allow us to load balance.  I would need the Firepower to translate the source address into one external IP for traffic sent to one ISP and a different external source for the other ISP (to avoid asymmetric return traffic).

If the Firepower 4115 doesn't have full BGP support, then I will need a pair of routers outside the firewalls.  What would you recommend for that?

Thanks very much.  Let me know if you need any additional detail.

Matthew Shell, CCIE #7777 (inactive)
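The two pieces of the design asked about above (inbound path influence with BGP route-maps, and a static route plus per-ISP source NAT for outbound) written out in ASA CLI syntax, as an added example that is not part of the post or the reply. On FTD the same BGP, route-map, NAT and SLA objects are configured through FMC/FDM policy pages rather than typed, but the semantics carry over. Every value is an assumption: private AS 65000 for the company, 64501/64502 for the ISPs, RFC 5737 documentation prefixes, the interface names, and the cloud-storage range, which is a placeholder for the provider's published block. One caveat on the MED option in the question: MED is only compared between paths received from the same neighbouring AS, so it cannot steer the Internet between two different ISPs; AS-path prepending (or a provider-documented community) is the lever for that, which is what the example uses.

```cisco
! Added example in ASA CLI syntax; not from the post or its reply.
! All AS numbers, addresses, interface names and the cloud-storage range are
! assumptions (private AS 65000, ISP ASNs 64501/64502, RFC 5737 prefixes).
hostname edge-fw

! One interface per ISP, one inside
interface GigabitEthernet0/0
 nameif isp1
 security-level 0
 ip address 198.51.100.2 255.255.255.252
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
! Placeholder: substitute the cloud provider's published address range
object network CLOUD_STORAGE
 subnet 100.64.0.0 255.255.0.0

! ---- Inbound path selection (the BGP / route-map question) ----
! Accept only a default route from each ISP; prefer ISP2's default while it is up.
prefix-list DEFAULT_ONLY seq 10 permit 0.0.0.0/0
route-map FROM_ISP1 permit 10
 match ip address prefix-list DEFAULT_ONLY
 set local-preference 90
route-map FROM_ISP2 permit 10
 match ip address prefix-list DEFAULT_ONLY
 set local-preference 110
! Prepend toward ISP1 so the Internet prefers ISP2 to reach 192.0.2.0/24.
! MED would not achieve this: it is only compared between paths from the same AS.
route-map TO_ISP1 permit 10
 set as-path prepend 65000 65000
route-map TO_ISP2 permit 10

router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 unicast
  ! The /24 must also be present in the routing table to be advertised
  network 192.0.2.0 mask 255.255.255.0
  neighbor 198.51.100.1 remote-as 64501
  neighbor 198.51.100.1 activate
  neighbor 198.51.100.1 route-map FROM_ISP1 in
  neighbor 198.51.100.1 route-map TO_ISP1 out
  neighbor 203.0.113.1 remote-as 64502
  neighbor 203.0.113.1 activate
  neighbor 203.0.113.1 route-map FROM_ISP2 in
  neighbor 203.0.113.1 route-map TO_ISP2 out

! ---- Outbound steering and per-ISP source NAT (the static-route / NAT question) ----
! Bulk uploads to the cloud provider leave via ISP1. The static route is tracked:
! if ISP1's next hop stops answering, the route is withdrawn and the BGP default
! (via ISP2) carries that traffic instead.
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.1 interface isp1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route isp1 100.64.0.0 255.255.0.0 198.51.100.1 1 track 1

! Inbound service published from the advertised block, reachable via either ISP.
! This static rule is listed before the dynamic PAT rules so it wins for the server.
object network APP_SRV
 host 10.0.0.10
object network APP_SRV_PUBLIC
 host 192.0.2.10
nat (inside,any) source static APP_SRV APP_SRV_PUBLIC

! Translate outbound sessions to the address of the ISP link they leave on, so
! replies return over that same link (no asymmetric return path).
nat (inside,isp1) source dynamic INSIDE_NET interface
nat (inside,isp2) source dynamic INSIDE_NET interface

! Post-8.3 ACLs reference the real (untranslated) server address
access-list OUTSIDE_IN extended permit tcp any object APP_SRV eq https
access-group OUTSIDE_IN in interface isp1
access-group OUTSIDE_IN in interface isp2
```

Two design notes. Outbound PAT uses each ISP's own assigned address rather than the BGP-advertised block, because return traffic for the advertised block always follows the inbound BGP preference regardless of which link the session left; only provider-assigned addresses guarantee a symmetric return. And because the static route for the cloud range is tracked by an SLA probe, a silent upstream failure on ISP1 (link up, no reachability) does not blackhole uploads, which is the case a plain static route would miss.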

1 Reply

Leo Laohoo
Hall of Fame

Cisco FTD/ASA is currently a very contentious topic.

Use the Gartner 2022 Firewall Magic Quadrant as a reference, and invite the vendors in for a proof-of-concept (PoC) bake-off based on your network and requirements.
