Routing Mode vs Transparent Mode?

Adam David
Level 1
Level 1

Hi,

There's not much information that can be found on the internet regarding this topic. I would appreciate it if anyone can share the similarities and differences between these two modes, the pros and cons, and examples of them.

Thanks in advance

Accepted Solution

Jon Marshall
Hall of Fame

Adam

I'll use a firewall as an example, but the same applies to other types of device.

In routed mode the device is seen as a next hop along the path. So if you had a device with 2 interfaces in routed mode, each interface would be in a separate subnet and the device would route packets between these subnets.

In transparent mode the device is not an L3 next hop; it is a "bump in the wire". Essentially, if you have 2 interfaces then they are in the same subnet, although not the same VLAN.

The big pro for transparent mode is that the device can be inserted into a network with no need to change IP addressing and is in effect invisible to end devices such as PCs/servers. So if you had a VLAN with servers in it and you suddenly had a requirement to firewall some of the servers from the other servers, you can insert a transparent firewall without having to change any addressing on the servers.

Transparent firewalls can also pass protocols other than IP.

The main downside with transparent devices is that they are limited in the number of interfaces you can have, i.e. you can only firewall between 2 interfaces. Note this limitation can be partly overcome with bridge groups on the FWSM, but even then there is a limitation as to how many bridge groups can be used. In addition, because they are an L2 device they cannot act as an L3 device in terms of routing etc., so a transparent firewall could not be an OSPF or EIGRP neighbor with another device.

Routed mode firewalls can support many more DMZs than transparent. They can participate as a routing peer, and I think they are more intuitive than L2 firewalls. But going back to the previous example, if you needed to suddenly firewall within a VLAN, a routed firewall would mean readdressing some of the servers.

Cisco has many examples of firewall configuration for both transparent and routed mode and documents that explain things in much more detail. The above is a very basic overview and there is a lot more that could be said. Were you interested in any specific device in particular?

Jon

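To make the two modes concrete, here is an added configuration example (not part of Jon's answer or of any Cisco document) showing the same two-interface ASA first in routed mode and then in transparent mode. It assumes ASA software 8.4 or later (where transparent mode uses a bridge group and a BVI), and the interface names, VLAN numbers, IP addresses and ACL name are constructed placeholders.

```text
! ===== Routed mode: the ASA is an L3 next hop; each interface is its own subnet =====
! (added example, not from the thread; all addresses are constructed)
no firewall transparent
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
! Inside hosts must use 10.1.1.1 as their default gateway: inserting this box
! into an existing VLAN means readdressing or re-homing them.
! A routed-mode ASA can be a routing peer:
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 192.0.2.0 255.255.255.0 area 0

! ===== Transparent mode: a "bump in the wire" bridging two VLANs of ONE subnet =====
! Caveat: entering "firewall transparent" clears the running configuration,
! so back it up before switching modes.
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
! The BVI address is for management only; it is not a gateway for hosts.
interface BVI 1
 ip address 10.1.1.254 255.255.255.0
! Hosts on both sides (e.g. VLAN 10 on outside, VLAN 20 on inside) keep their
! existing 10.1.1.0/24 addresses and their existing default gateway, which is
! the "no readdressing" advantage described above.
! Non-IP traffic is dropped by default in transparent mode; an EtherType ACL
! is what lets it through, e.g. permitting spanning-tree BPDUs across the bridge:
access-list NONIP ethertype permit bpdu
access-group NONIP in interface inside
access-group NONIP in interface outside
```

Two things to check after deploying the transparent variant: that the `router ospf` block has no equivalent (the bridged ASA cannot form an OSPF or EIGRP adjacency, as the answer notes), and that only the non-IP EtherTypes you actually need are permitted, since the EtherType ACL bypasses the IP-level policy entirely.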

4 Replies


Perfect description, Jon.

Many thanks for the compliment and the rating.

Jon

I'm going through the ASA 5505 documentation and found this answer Googling for an explanation about the difference between modes. This answer helped me, especially as an example was given for why you would use transparent mode. I'm no expert, so my rating is not a technical rating, but I personally found the explanation to be clear and concise and it helped me.
