08-11-2023 09:49 AM
In my company, we have a firewall instead of routers, and the firewall does everything as a router. Is it really good practice? Or do we really need routers? As we know, every device has its own features. Just asking. BTW, we also have multiple sites connected to each other...
I am learning CCNA so just asking.
08-11-2023 01:35 PM - edited 08-16-2023 06:51 AM
As @Flavio Miranda already mentioned, it's an "it depends".
". . . the firewall does everything as a router."
Probably not, although might be true for your company's needs.
"Is it really good practice?"
Neither good nor bad, IMO, but when you connect to the Internet, often having something that allows you control over what goes in and out, that's, generally, a good practice.
". . . do we really need routers?"
Again, that's an "it depends". Do you really need FWs (as Cisco routers often can do FW like functions, especially if running an IOS with FW features)?
"As we know every device has its own features."
Indeed they often do. But, perhaps even more common, there's often much overlap in features too! Sometimes it's a question of what "features" they do "better".
For example, many basic FWs that support dynamic routing, might only support RIPv1. They might also support RIPv2 and/or OSPFv2/OSPFv3. Less likely to support BGP or IS-IS, and very, very unlikely to support EIGRP.
FWs may not have much in QoS features.
So to recap, you might get by with a FW also doing routing, or a router doing FW, or have both devices, to leverage what each does best.
BTW, your question (also BTW, nothing wrong with the question) is much like asking: I'm using a L3 switch where others say they use a router, or the converse, or where others use both. Is using just a L3 switch a good practice?
Basically, again, another "it depends", along with each has unique features, overlapping features, and where there's overlap, might do some of them "better" than the other device kind.
Lastly, you seem a bit embarrassed to ask this question. Don't be. We all were there at one time, and asking is a good way to learn.
Although, if there were a CCIE tag next to your name, I might wonder, or think huh? ; )
08-11-2023 01:00 PM
Hi @ankitohc
It depends. Firewalls are able to do routing, so they can replace a router just fine. Of course each device has its own expertise, but companies can adapt in order to reduce cost. Firewalls can handle NAT, they are usually connected to the ISP, and most of the time they support VLANs. Sometimes it is all a company needs.
However, if the network complexity grows too much, then they need to consider using a router instead.
08-12-2023 09:30 AM
Hello @ankitohc,
There's one rule:
A piece of equipment is specialized for what it was designed for.
BUT
Using a firewall to perform routing functions is a common practice, especially in smaller or more cost-conscious environments. Firewalls with routing capabilities can handle traffic routing between different network segments and provide security features like access control and packet filtering at the same time.
However, whether using a firewall for routing is a "good practice" depends on several factors:
Functionality: Firewalls are designed primarily for security functions. While they can route traffic, they might lack some advanced routing features that dedicated routers offer. For basic routing needs, a firewall can suffice, but for complex networks or specific requirements, dedicated routers might be more suitable.
Performance: Firewalls often have additional processing overhead due to security features like deep packet inspection, VPN encryption, and more. This might impact their routing performance, especially if handling high volumes of traffic.
Scalability: As your network grows, the complexity of routing might increase. Dedicated routers often have better scalability features and can handle larger networks more efficiently.
Also, some industries or situations might require specialized routers to meet certain regulatory or compliance requirements.
For multiple sites connected to each other, a combination of firewall and router functionality might be a good approach. You could use firewalls to enforce security policies and ensure traffic integrity while utilizing routers to efficiently handle the routing functions.
Advice:
In your CCNA studies, you'll learn about both firewalls and routers, their features, and how they fit into network architectures. Understanding their strengths and weaknesses will help you make informed decisions when designing and managing networks in the future.
08-12-2023 09:42 PM
@ankitohc most network devices have some things that they are really good at and some other things that they can do but not especially well. Firewalls are really good at security policies, they are ok but not especially good at routing.
Asking about Best Practice can be a bit tricky because frequently the real answer depends on questions about scale. If you were a large organization with a complex network then clearly the Best Practice would be to use routers to route and to use firewalls for security policy. But if you are a small organization with some small sites you may not want to afford both routers and firewalls (economic reality check) and it is ok to have firewalls to do both functions.