Hello Gentlemen,

We are redesigning the core network where we have:

- Edge routers peering BGP with internet providers and partners
- Perimeter firewalls to secure north-south traffic
- High-end core switches where all distribution switches connect

Logical diagram: Internet providers/partners -> Edge routers -> Firewalls -> Core switches -> Distribution/Access switches

We plan to use BGP (with BFD) from distribution all the way up to the edge routers, and the core network has to be highly available.

I wanted to ask if there are best practices when deploying the perimeter firewalls? Is Active/Active better than the Active/Standby HA model? Does a pair of firewalls in Routed mode perform better than in Transparent/Layer 2 mode?

My thoughts on a pair of firewalls in Active/Active mode:

1) Both uplinks/downlinks can be utilized with ECMP, but I don't understand why it's considered an advantage because, regardless of having both links active, you can't oversubscribe, since you want to make sure there is no impact when one of the firewalls goes down.
2) In fact, I could be wrong, but I think A/A creates asymmetric flows that are difficult to troubleshoot.
3) However, with A/A, I think the convergence can be faster depending on the underlying routing.

Regarding firewall mode, I know you can't use some firewall features (such as VPN, NAT etc.) when in Layer 2 mode; however, in some Next-Gen firewalls, you can make a certain pair of interfaces transparent to your upstream and downstream and another pair of interfaces in Layer 3 mode for VPN, NAT etc.

Any comments, please? If you know of any good document on this very topic, please share it with me.

Thanks
Yham
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
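An added illustration of points 1 and 2 in the post above (example code, not from the original message or any vendor): a small Python model of an Active/Active stateful firewall pair sitting between an edge router and a core switch that each make their own ECMP choice. It shows how independent per-device hashing sends many replies through the other firewall (asymmetric flows), why session state sync is what keeps those replies from being dropped, and that the design load of an A/A pair still has to fit on N-1 members. Addresses, seeds and the hash model are constructed assumptions.

```python
import hashlib
import random

FIREWALLS = ("fw1", "fw2")

def ecmp_next_hop(src, dst, sport, dport, proto, seed, symmetric=False):
    """Model a router's ECMP choice: a deterministic hash over the 5-tuple,
    salted with a per-device seed (different boxes/ASICs hash differently).
    symmetric=True canonicalises endpoint order so A->B and B->A hash alike."""
    a, b = (src, sport), (dst, dport)
    if symmetric:
        a, b = sorted((a, b))
    key = f"{seed}|{a}|{b}|{proto}".encode()
    return FIREWALLS[hashlib.sha256(key).digest()[0] % len(FIREWALLS)]

def simulate(flows, edge_seed, core_seed, state_sync, symmetric=False):
    """Send each flow inbound via the edge router's hash and its reply outbound
    via the core switch's hash. Returns (symmetric, asymmetric, dropped) counts."""
    sym = asym = dropped = 0
    for src, dst, sport, dport, proto in flows:
        fwd = ecmp_next_hop(src, dst, sport, dport, proto, edge_seed, symmetric)
        ret = ecmp_next_hop(dst, src, dport, sport, proto, core_seed, symmetric)
        if fwd == ret:
            sym += 1
        else:
            asym += 1
            if not state_sync:
                dropped += 1  # reply reaches a firewall holding no session entry
    return sym, asym, dropped

def make_flows(n, seed=1):
    """Constructed sample traffic: n TCP/443 flows from random internet
    clients (documentation prefix) to a few placeholder internal servers."""
    rng = random.Random(seed)
    servers = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]
    return [(f"198.51.100.{rng.randint(1, 254)}", rng.choice(servers),
             rng.randint(1024, 65535), 443, 6) for _ in range(n)]

def surviving_capacity(per_firewall_gbps, n_firewalls=2):
    """Point 1 of the post: both members may carry traffic, but the design load
    must still fit on n-1 members or a single failure becomes a brownout."""
    return per_firewall_gbps * (n_firewalls - 1)

if __name__ == "__main__":
    flows = make_flows(1000)
    print("independent hashing, no state sync:", simulate(flows, "edge", "core", False))
    print("independent hashing, state sync:   ", simulate(flows, "edge", "core", True))
    print("identical symmetric hash both sides:", simulate(flows, "edge", "edge", False, True))
    print("usable capacity of a 2x40G pair (Gbps):", surviving_capacity(40))
```

The third run only stays symmetric because both devices were given the same seed, which is the assumption that does not hold between a real edge router and a real core switch; that is why A/A designs lean on state sync or on steering each flow's return path deliberately.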