Firewall with Fiber Connectivity

avilt · ‎02-12-2014

I have 4 remote fiber links terminated on the main floor. Is is possbile to terminate this links directly on the firewall?

Exampls, 4 floors, each with a L2 switch, single vlan. From each floor, a fibre link is connected to the main floor. On the main floor I would like to terminate these links on a firewall. Is there such a firewall model to implement this setup?

ROBERT WATSON · ‎02-12-2014

Any of the Midrange ASA firewalls 5512-55 have an expansion module that will accept up to 6 SFP ports to terminate fiber.

From the sounds of it you may be better satisfied by a stack of say (2) 3650's where you can run a multichassis Etherchannel to each floor limiting your fault domain to individual device and fiber interconnect and the port channel the stack to a FW instead. In a 2960 or 3650 aggregation design, you can terminate up to 8 SFP connections in a two switch stack.

This would give you better capacity and resilience than going for the IO expansion route in the ASA itself.

Marvin Rhoads · ‎02-13-2014

To add to Robert's good suggestion I would add that your question seems to imply that each floor VLAN default 3 gateway would be on the firewall. This would not be a best practice.

You would typically have a lot of traffic local to the campus that has no need to go via the firewall for any security policy enforcement. Using firewall insterfaces and bandwidth for that sort of thing is usually not a wise investment of recourses.