Router and a Firewall. Unnecessary?

NInja Black
Level 1

Hi,

Hope I am in the right community to ask this question.

We have 5 branch offices (call centers) with a total of about 500 employees connected through Comcast ENS service.

Each site's network has a Cisco 3925 Router on the outside followed by a Cisco 5515 Firewall. (Router > Firewall > LAN_switch)

My question: Do we really need the router at all? The Firewall can do the NATing and the routing (EIGRP).

I recently joined the company and always wanted to look at it as an extra level of security. But it seems unnecessary and complicates the network.

Can someone please explain if it's the right decision to totally remove the router from our network.

Any insight is appreciated.

Thanks

5 Replies

Jon Marshall
Hall of Fame

The answer is it depends.

The most obvious reason for a router is if the WAN connection is not Ethernet, because ASA firewalls only terminate Ethernet.

Assuming it is, then there are other good reasons for a router, but you may not need them, e.g.:

1) PBR. If you end up with multiple connections to a site and you want to direct some traffic one way and some the other, then you need a router because the ASA does not support PBR.

2) QoS. The router will support a full QoS feature set where the ASA will not.

3) Routing. Yes, the ASA can support EIGRP/OSPF etc., but a lot of people do not like running a routing protocol on the outside interface of a firewall. On the inside interface it is not such a problem.

4) WAN connectivity, i.e. not the media type but, for example, if you were connecting to an MPLS network where you needed to run BGP, you would need a router.

But you may not need any of those, and different people would give you different answers, i.e.:

1) You could just have the router and run the firewall on that and do away with the ASA. Personally I'm not keen on that, as I think the firewall should be left primarily to do what it is meant to do as opposed to being an all-purpose router, but I know people who would disagree and I am not saying my view is the correct one.

2) Get rid of the router as you suggest and just use the firewall. This again is a common setup, and if you simply need an Ethernet connection and a default route on your firewall then the router does become somewhat redundant in that setup.

So there are no definitive answers. It really depends on your requirements (and potential future requirements), but I can understand what you are saying and under certain circumstances would find it hard to disagree.

Jon

Those are very interesting points, Jon. Will get a detailed picture on our current and future requirements and decide accordingly. Thanks for the detailed explanation. Very helpful.

I have another question, if I may.

Do we need 2 FWs?

We have active/standby failover configured on the ASAs at all the sites. Failover not really required but 'just in case'.

I know in an ideal setup redundancy is a must, but considering the only time our FW goes down is due to a power outage, in which case both FWs go down.

We are having a new branch office coming up and I don't want to get 2 FWs just for the sake of it.

Please advise.

Having two firewalls is, as you say, purely a matter of redundancy. If you are running active/standby then there is no other benefit to be had other than, if a firewall or one or more of its interfaces fails, you have a standby firewall.

Redundancy is a good thing to have in a network, but there is obviously a cost associated with this and it is always a tradeoff in terms of design between the two. The company may not need redundancy, i.e. internet access is not vital, although this is becoming less common as the internet becomes more important to all companies.

If, though, you were a web hosting company, for example, you would definitely want that sort of redundancy (and probably a lot more).

Something else to consider is the redundancy of other devices in the network, e.g. if you have two firewalls but they both connect to the same switch and the switch fails, you have lost both of your firewalls. The only real redundancy you get here is if the active firewall interface connecting to the switch fails.

Similarly, if you have a single router and then redundant firewalls, again you have created a single point of failure.

Redundancy is expensive when you look at it like this, i.e. two switches, two firewalls, two routers etc. You can move to it bit by bit, but until you have the full solution you are not really getting the full benefit. And that does not cover power, which you mention in your post, i.e. if you have fully redundant network kit then you would want each device within a redundant pair on a completely different power supply.

Again it is difficult to give a definitive answer because, as I say, it depends on the company requirements, the cost of losing connectivity, the amount of money the company is prepared to spend etc.

Jon
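
The single-point-of-failure argument in Jon's reply can be put in numbers with a small reliability-block model. This is an added example, not part of the thread; the per-device availability figures are constructed assumptions, and the three topologies are the ones discussed above (all single, redundant firewalls behind a single router/switch/power feed, and fully redundant).

```python
# Added example: series/parallel availability model of the designs discussed above.
# All availability figures are constructed assumptions for illustration, not vendor data.
from functools import reduce

# Assumed steady-state availability of each device class (fraction of time up).
ASSUMED_AVAILABILITY = {
    "power": 0.998,     # a single power feed shared by the whole rack
    "router": 0.999,
    "firewall": 0.999,
    "switch": 0.9995,
}


def series(*avail):
    """The path is up only if every stage is up: multiply availabilities."""
    return reduce(lambda acc, a: acc * a, avail, 1.0)


def parallel(*avail):
    """A stage is up if any redundant member is up: 1 - product of unavailabilities."""
    return 1.0 - reduce(lambda acc, a: acc * (1.0 - a), avail, 1.0)


def path_availability(topology, avail=ASSUMED_AVAILABILITY):
    """topology: ordered stages as (device_class, count), e.g. [("router", 1), ("firewall", 2)]."""
    stages = [parallel(*([avail[dev]] * count)) for dev, count in topology]
    return series(*stages)


def downtime_minutes_per_year(availability):
    return (1.0 - availability) * 365 * 24 * 60


DESIGNS = {
    # Router > single ASA > switch, one power feed.
    "all single": [("power", 1), ("router", 1), ("firewall", 1), ("switch", 1)],
    # Router > ASA active/standby pair > switch, still one power feed (the poster's case).
    "redundant firewalls only": [("power", 1), ("router", 1), ("firewall", 2), ("switch", 1)],
    # Every stage doubled, each pair on a separate power feed.
    "fully redundant": [("power", 2), ("router", 2), ("firewall", 2), ("switch", 2)],
}


def compare_designs():
    """Return {design name: end-to-end path availability}."""
    return {name: path_availability(top) for name, top in DESIGNS.items()}


if __name__ == "__main__":
    for name, a in compare_designs().items():
        print(f"{name:26s} availability={a:.6f} downtime~{downtime_minutes_per_year(a):7.1f} min/yr")
```

With these assumed figures, doubling only the firewalls recovers well under half of the expected downtime, while the fully redundant design brings it down to a few minutes a year.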

NInja Black
Level 1

Thanks for your time Jon. You are Awesome!!!

No problem and thank you.

Jon
