With FIAB, you can test redundancy by having a stack of switches, which is logically a single entity for the FIAB function.
At the time of scale-out with separate Border/CP devices in a pair, you need to add these devices one by one and remove FIAB. Since every customer network is different, you need to look at the services, wired/wireless access, etc.
There will be downtime. To get better guidance when you are ready to migrate in production, you can reach out to email@example.com with details of your setup.
The problem here lies in the inspection that ZBFW offers. So you can use ACLs. In case you need to implement inspection in your network and the device supports this only via ZBFW, then you have to configure separate class maps for the UDP ports and link them to policy maps by applying the action PASS. This will introduce the requirement for you to configure rules in both directions, since reverse traffic will not be allowed by default. According to your configuration, I suggest the following modifications:
class-map type inspect match-all CUBE_TO_OUTSIDE
 description --All incoming RTP Traffic--
 match access-group name CUBE_TO_OUTSIDE
class-map type inspect match-all OUTSIDE_TO_CUBE
 description --Allow outgoing RTP Traffic--
 match access-group name OUTSIDE_TO_CUBE
class-map type inspect match-any SIP-TRAFFIC
 description --All SIP Traffic--
 match protocol sip
class-map type inspect match-all ICMP_Allow_CMAP
 description --Allow ICMP Traffic--
 match access-group name ICMP_Allow_ACL
!
! Order within PMAP is significant
! Inbound policy passes the OUTSIDE_TO_CUBE class (ISP to CUBE RTP), since PASS is not stateful
policy-map type inspect VOICE-TRAFFIC-IN
 class type inspect OUTSIDE_TO_CUBE
  pass
 class type inspect SIP-TRAFFIC
  inspect
 class type inspect ICMP_Allow_CMAP
  inspect
 class class-default
  drop log
!
! Outbound policy passes the CUBE_TO_OUTSIDE class (CUBE to ISP RTP)
policy-map type inspect VOICE-TRAFFIC-OUT
 class type inspect CUBE_TO_OUTSIDE
  pass
 class type inspect SIP-TRAFFIC
  inspect
 class type inspect ICMP_Allow_CMAP
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security CUBE_TO_OUTSIDE_ZP source self destination OUTSIDE
 service-policy type inspect VOICE-TRAFFIC-OUT
zone-pair security OUTSIDE_TO_CUBE_ZP source OUTSIDE destination self
 service-policy type inspect VOICE-TRAFFIC-IN
!
! RTP port range in each direction; replace the bracketed placeholders with your subnets
ip access-list extended CUBE_TO_OUTSIDE
 permit udp [CUBE_Subnet] range 16384 32767 [ISP_Subnet] range 16384 32767
ip access-list extended OUTSIDE_TO_CUBE
 permit udp [ISP_Subnet] range 16384 32767 [CUBE_Subnet] range 16384 32767
... View more
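Added example, not part of the original post: a Python check for the both-directions requirement described above, which reports any PASS rule whose mirrored return rule is missing from the reverse zone-pair. It assumes indented running-config text with `permit udp <net> <wildcard> range ...` ACL entries; the names and documentation-range subnets in SAMPLE are constructed.

```python
import re

# Constructed sample: PM_IN reuses the outbound class, so return RTP is never passed.
SAMPLE = """\
class-map type inspect match-all RTP_OUT
 match access-group name RTP_OUT_ACL
class-map type inspect match-all RTP_IN
 match access-group name RTP_IN_ACL
policy-map type inspect PM_OUT
 class type inspect RTP_OUT
  pass
policy-map type inspect PM_IN
 class type inspect RTP_OUT
  pass
zone-pair security ZP_OUT source self destination OUTSIDE
 service-policy type inspect PM_OUT
zone-pair security ZP_IN source OUTSIDE destination self
 service-policy type inspect PM_IN
ip access-list extended RTP_OUT_ACL
 permit udp 192.0.2.0 0.0.0.255 range 16384 32767 198.51.100.0 0.0.0.255 range 16384 32767
ip access-list extended RTP_IN_ACL
 permit udp 198.51.100.0 0.0.0.255 range 16384 32767 192.0.2.0 0.0.0.255 range 16384 32767
"""

def passed_flows(cfg):
    """Map (src_zone, dst_zone) -> set of (src, sports, dst, dports) handled with 'pass'."""
    acls = {n: set(re.findall(r"permit udp (\S+ \S+) range (\d+ \d+) (\S+ \S+) range (\d+ \d+)", b))
            for n, b in re.findall(r"^ip access-list extended (\S+)\n((?:[ \t]+.*\n?)+)", cfg, re.M)}
    cmaps = dict(re.findall(
        r"^class-map type inspect \S+ (\S+)\n(?:[ \t]+description.*\n)?[ \t]+match access-group name (\S+)", cfg, re.M))
    pmaps = {n: re.findall(r"class type inspect (\S+)\n[ \t]+pass\b", b)
             for n, b in re.findall(r"^policy-map type inspect (\S+)\n((?:[ \t]+.*\n?)+)", cfg, re.M)}
    flows = {}
    zp = r"^zone-pair security \S+ source (\S+) destination (\S+)\n[ \t]+service-policy type inspect (\S+)"
    for src, dst, pm in re.findall(zp, cfg, re.M):
        for cls in pmaps.get(pm, []):
            flows.setdefault((src, dst), set()).update(acls.get(cmaps.get(cls), set()))
    return flows

def missing_return_rules(cfg):
    """List (direction, src, sports, dst, dports) pass rules needed for return traffic but absent."""
    flows = passed_flows(cfg)
    missing = []
    for (src, dst), entries in flows.items():
        back = flows.get((dst, src), set())
        for s, sp, d, dp in entries:
            if (d, dp, s, sp) not in back:  # mirror of a stateless pass rule is not configured
                missing.append((f"{dst}->{src}", d, dp, s, sp))
    return sorted(missing)
```

On SAMPLE, `missing_return_rules` reports two gaps; pointing PM_IN at the RTP_IN class clears both.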