About Configuring Stateful Firewall on Catalyst9300X

Translator
Community Manager

I want to run a stateful firewall on two stacked Catalyst9300X.

Reference: Stateful Firewall on Cisco Catalyst 9300 Series Switches [Cisco IOS XE 17] - Cisco


Is the following configuration possible with the above equipment?

The ASAc provides only firewall functions, the C9300X on the external network side is BGP, and the internal network is assumed to be static routing.

[Configuration]

C9300X <—> ASAc <—> C9300X

※ The above is a physical configuration within the C9300X.


[Image]

yansan_1-1749693817874.png

Thank you.


5 Replies

Azizi123
Level 1

Yes, your proposed configuration is technically possible using stacked Catalyst 9300X switches, provided that you are leveraging Cisco IOS XE 17.7 or later and have the necessary licenses (such as network advantage, securityk9, and app-hosting). In this setup, one C9300X switch handles external BGP routing, traffic is passed through an ASAc (which can be a virtual ASA hosted inside the Catalyst 9300X via the App Hosting feature), and then forwarded to the second C9300X using static routing for internal network access. This configuration allows for a stateful firewall function either directly on the switch using zone-based firewall (ZBFW) or through the hosted ASAv, with proper VLAN/interface segmentation and routing to ensure all traffic is inspected. However, care must be taken to design the L2/L3 topology correctly to avoid bypassing the firewall and to ensure service chaining works as intended.

Thank you for your instruction.

With the above configuration, is it common to configure VLANs for ASA inside/outside?

Yes, your setup is possible and should work fine. The two stacked C9300X switches can route traffic, with BGP on the external side and static routes internally. The ASA will handle all firewall duties in the middle. Just make sure routing is correct and VLANs/interfaces are properly configured. No need to use the C9300X's built-in firewall if ASA is handling it.

Leo Laohoo
Hall of Fame

The question is not about "is this possible" but, rather, WHY?

Why put all the proverbial eggs in one basket?  IOS-XE is not stable enough to support a switch let alone a switch with an ASA on top.  

Translator
Community Manager

Thank you very much!

VRF is used to control the internal and external, but is it necessary to configure VRF between the ASA and the internal L3/external L3 as well?
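The separation the replies describe (outside side on BGP, inside side static, the ASAc's inside/outside legs on their own VLANs so nothing can route around the firewall) can be expressed on the C9300X roughly as below. This is an added illustration, not configuration from the thread, the OP's image or Cisco's documentation; VRF names, VLAN IDs, addresses, AS numbers and the AppGigabitEthernet/app-hosting stanza are assumptions.

```cisco
! Added example (not from the thread). Two VRFs keep the outside and inside
! L3 domains apart on the same stack; the only path between them is the ASAc,
! whose outside leg sits in VLAN 10 and inside leg in VLAN 20. All values are
! placeholders.
vrf definition OUTSIDE
 address-family ipv4
 exit-address-family
vrf definition INSIDE
 address-family ipv4
 exit-address-family
!
! SVI facing the ASAc outside interface (ASAc outside IP assumed 192.0.2.2)
interface Vlan10
 vrf forwarding OUTSIDE
 ip address 192.0.2.1 255.255.255.0
! SVI facing the ASAc inside interface (ASAc inside IP assumed 198.51.100.2)
interface Vlan20
 vrf forwarding INSIDE
 ip address 198.51.100.1 255.255.255.0
!
! ISP uplink lives only in VRF OUTSIDE
interface TenGigabitEthernet1/0/1
 no switchport
 vrf forwarding OUTSIDE
 ip address 203.0.113.2 255.255.255.252
!
! eBGP on the external side, scoped to VRF OUTSIDE
router bgp 65001
 address-family ipv4 vrf OUTSIDE
  neighbor 203.0.113.1 remote-as 65000
  neighbor 203.0.113.1 activate
  ! inside prefix is advertised, but resolves via the ASAc (static below)
  network 10.10.0.0 mask 255.255.0.0
 exit-address-family
!
! Inbound: the inside prefix is reachable only through the ASAc outside leg
ip route vrf OUTSIDE 10.10.0.0 255.255.0.0 192.0.2.2
! Outbound: the inside VRF default route points at the ASAc inside leg
ip route vrf INSIDE 0.0.0.0 0.0.0.0 198.51.100.2
!
! Hand both firewall VLANs to the hosted ASAc (assumed app-hosting syntax)
interface AppGigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
app-hosting appid ASAC
 app-vnic AppGigabitEthernet trunk
  vlan 10 guest-interface 0
  vlan 20 guest-interface 1
```

Because no interface is shared between VRF OUTSIDE and VRF INSIDE, the stack has no route that bypasses the ASAc; checking this is as simple as confirming that no inside prefix appears in `show ip route vrf OUTSIDE` other than via 192.0.2.2.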