In a fully redundant environment, i.e. two gateway routers, two cores, two distributions, we would like to put two FWSMs on the two cores in transparent mode. The outbound traffic might take the left-hand side dist-core-gateway path while the inbound response traffic might take the right-hand side gateway-core-dist path, since they have at least two equal-cost EIGRP routes. How can we configure / deploy the FWSMs to fit in this environment? We do not want to lose redundancy and diversity.
I am not sure it would work in our topology, because our network infrastructure is something like Figure 15-2: we have two gateway routers (all active and running eBGP with our ISPs). It's very likely the outbound traffic would take the left-hand gear while the inbound traffic comes back through the other ISP and takes the right-hand gear. What would be a better design?
Your current network has 4 IP subnets between the core switches and the gateway routers. You need to redesign your network so that only one IP subnet exists between the core switches and the gateway routers in order to deploy a transparent firewall. The transparent firewall is inserted into a single IP subnet, and this design will eliminate the asymmetric routing problem.
Thanks for your reply. It is not a problem to redesign our network to consolidate into one VLAN between Core and Gateway, but that brings us back to square one: the outbound traffic would still take the left-hand side while the inbound traffic coming back would take the right-hand side due to the two equal-cost EIGRP routes. This asymmetric behavior would break the connection. How can I solve this issue? Thanks again.
You should deploy the transparent firewall in failover mode (active/standby). All traffic from the core switches to the gateway routers (and vice versa) will pass through the active transparent firewall, because the firewall is performing bridging between the gateway VLAN and the core VLAN. Please refer to the following example:
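The answer above ends without its example. The configuration below is an added illustration of the design it describes (one bridged subnet, FWSM active/standby across the two core chassis); it is not the poster's configuration nor taken from Cisco documentation. Slot numbers, VLAN IDs, addresses and names are assumptions chosen for the sketch. The idea is that the gateway routers sit in VLAN 10 and the core SVIs in VLAN 20, both VLANs are trunked between the two core switches, and the single active FWSM bridges them. Whichever ISP or gateway a reply comes back through, it still lands in VLAN 10 and must cross the same active unit to reach VLAN 20, so the outbound and inbound halves of a session are seen by one firewall and the asymmetric-path problem disappears. The standby unit in the other chassis takes over on failure.

```text
! ---- Supervisor on each core switch (hypothetical slot 9) ----
! Hand the gateway, core and failover VLANs to the FWSM.
firewall vlan-group 1 10,20,30,31
firewall module 9 vlan-group 1
! VLANs 10, 20, 30 and 31 must also be carried on the trunk between the
! two core switches so the active unit can bridge traffic that enters the
! other chassis, and so the failover pair can see each other.

! ---- FWSM in core switch A (primary) ----
firewall transparent
hostname FWSM-A
!
interface Vlan10
 nameif outside          ! gateway-router side
 security-level 0
interface Vlan20
 nameif inside           ! core-SVI side
 security-level 100
!
! Management address of the bridged subnet (assumed 10.0.0.0/24);
! the standby address is used by the other unit.
ip address 10.0.0.5 255.255.255.0 standby 10.0.0.6
!
! In transparent mode routing protocols are not passed unless permitted;
! EIGRP between the core SVIs and the gateway routers must be allowed
! explicitly in both directions.
access-list OUTSIDE_IN extended permit eigrp any any
access-list OUTSIDE_IN extended permit tcp any 10.1.0.0 255.255.0.0 eq 443
access-list INSIDE_OUT extended permit eigrp any any
access-list INSIDE_OUT extended permit ip 10.1.0.0 255.255.0.0 any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
!
! Active/standby failover over dedicated VLANs trunked between chassis.
failover lan unit primary
failover lan interface folink Vlan30
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link statelink Vlan31
failover interface ip statelink 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover

! ---- FWSM in core switch B (secondary): same config except ----
failover lan unit secondary
```

Two checks worth making once this is in place: confirm with `show failover` that exactly one unit is active and the state link is up, and confirm that the EIGRP adjacency between each core SVI and each gateway router forms through the bridge (if it does not, the `permit eigrp` entries in the access lists are the first thing to look at). Stateful failover matters here because the active unit holds the connection table for every session; without the state link, a failover would drop all established sessions rather than only a few in flight.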