09-01-2023 09:18 AM
Can I use a C8500L as a firewall instead of a Firepower?
I mean, can a Cisco 8500 or C8000v router, running IOS SD-WAN with firewall functions (URL filtering, AMP, IPS/IDS) at the DC, replace a Cisco Firepower?
The thing is that the client wants to get rid of their Firepower 2120 and put routers with SD-WAN and a full security stack in their DC for cost savings, etc. Cisco tells me there is no problem, but does anyone here have any experience with that?
09-01-2023 09:24 AM
If possible, if all the features you are looking for are available in the Cat 8K model. It is generally used as an edge router (with the SD-WAN feature).
I have never tested the other features you mentioned myself, AMP and IPS.
Check the datasheet:
09-01-2023 03:43 PM - edited 09-01-2023 03:44 PM
Hi,
I'd not recommend doing that. It is better to have a separate security device, especially for a data center. You cannot manage the security policies of an SD-WAN router the way you do in Firepower Management Center. It will be hard to configure, maintain and troubleshoot.
For small branches, it is OK to have an all-in-one.
09-01-2023 04:26 PM
Hello Kanan,
Thank you for your comments; they are always very welcome.
Yes, I understand what you mean, and it's a good point, but if you technically had a device that could do the same as a Firepower 2120 and even more, I think there would be no problem. Of course, that's my point of view, but I opened this thread because, technically, could a Cisco router with SD-WAN compete against a Firepower? Especially if we talk about a model like the C8500L-8S4X vs. the Firepower 2120?
Think about this:
We currently have only one Firepower 2120 firewall where remote access VPNs and site-to-site VPNs terminate, plus perimeter security. I think it is not very robust to leave that equipment without thinking about HA when there will be two C8500L-8S4X with SD-WAN...
It's a design that doesn't make sense, so since we're going to have SD-WAN with 2 devices in HA, why not move everything to that infrastructure? You end up having a single pane of glass for everything...
09-02-2023 08:18 PM
Performance-wise, the 8500L is more powerful than the Firepower 2100 series, but they are different types of devices. Of course you can use the 8500 as a firewall, but you won't have functions such as stateful failover, and we don't know how many sessions the 8500L can handle. My opinion: if you can buy some devices, use the 8500L for the SD-WAN border and the FPR3105 for firewalls and SSL VPN.
09-04-2023 08:22 AM
Answer is "depends".
If you have stateful firewall functionality (with zones) with a few generic rules, then it is OK to do that.
But if your firewall does many jobs and has different functions (like URL & app filtering, NGIPS, etc.), then it will be very difficult to manage such functions on C8K via vManage, whereas you'd do it via FMC. Also, I am not aware how granular the checks and event correlation you can do with C8K are. You should check what functions you run on the existing FW and want to run on C8K, what type of monitoring you do now and want to do, and decide which option is better.
For DC/HQ I'd never go with such an option, to be honest.
09-02-2023 08:21 PM
Some research about testing SD-WAN through different scenarios: https://miercom.com/cisco-catalyst-8000-edge-platform-performance-in-emerging-sd-wan-use-cases/