Edge Firewall Design


L4 Transporter

I am trying to design the edge firewall and core network currently and I have a core Layer not in a "stack" or "VSS" so they are independent Core switches. They are doing the routing to the private WAN, and will be doing the routing to the Edge Firewalls. ECMP requires a dynamic routing protocol which usually you wouldn't run on an edge firewall, you would just have the core set to default static route to the firewall. That being said not having a Stacked Core to operate as one, I would need each core switch connected to each firewall, so the paths are crossed. If I connect one core switch to one firewall and the other switch to the other firewall then a failure of the primary's firewall connected Core will fail the whole firewall pair over when they really didn't need to be. So I am interested in how others are designing their edge firewalls to the Internet?


Thoughts? Ideas? Caveats? 


I do the same with ASAs ;), avoid them if I can. As for another A/P good thing. I used to upgrade a pair of 2050s years ago and I would VPN in with GP, upgrade the passive, reboot it, fail over, then upgrade and reboot the new passive without getting dropped from GP VPN.

Yes! Remote access for administration is critical. I have a back door though on a cable modem connected to a PA500 for my "OOPS" moments.
