Hi, could someone please explain what the advantages of trunking to the firewall are. I am referring to a stand-alone hardware firewall and not a FWSM module. The reason for this question is that it seems many folks are using this method to basically use the firewall as a default gateway for services; however, it seems that this might be more of an administrative burden for the firewall administrator.
The obvious benefit is that since traffic from your hosts goes to the firewall to be routed, as it is the default gateway, you can explicitly permit/deny.
As opposed to when the default gateway is on the switch: then, to prevent inter-VLAN traffic, you have to configure ACLs.
Besides the above, I cannot seem to understand any other benefits and would appreciate it if someone could possibly point out some more benefits as well as give a small design scenario where this might be used. Thx
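The two designs the question contrasts, as an added illustration (constructed example configuration, not from the poster or from any Cisco document; VLAN numbers, interface names and the 10.0.x.0/24 addresses are assumptions). Option A trunks the server VLANs to an ASA, which becomes each VLAN's default gateway, so every inter-VLAN flow is subject to the firewall's stateful policy and logging. Option B keeps the gateways as SVIs on the L3 switch, where the same restriction has to be expressed as a switch ACL that only filters packets and is not stateful.

```cisco
! --- Option A: 802.1Q trunk to the firewall; the ASA is the default gateway ---
! Switch side: carry VLANs 10 and 20 to the firewall on one trunk
interface GigabitEthernet1/0/1
 description uplink-to-ASA (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ASA side: one sub-interface per VLAN; hosts use these addresses as gateway
interface GigabitEthernet0/1.10
 vlan 10
 nameif app
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif db
 security-level 60
 ip address 10.0.20.1 255.255.255.0
!
! app -> db is lower-to-higher security level, so it is dropped until permitted.
! Once an access-group is applied, anything not matched hits the implicit deny
! and is logged as a denied flow on the firewall.
access-list APP_IN extended permit tcp 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0 eq 1433
access-list APP_IN extended deny ip any 10.0.20.0 255.255.255.0
access-list APP_IN extended permit ip 10.0.10.0 255.255.255.0 any
access-group APP_IN in interface app
!
! --- Option B: routing stays on the L3 switch; firewall only sees the outside ---
! With plain SVIs every VLAN reaches every other VLAN; the restriction must be
! written as a switch ACL (wildcard masks on IOS), evaluated per packet, no state.
ip access-list extended APP_TO_DB
 permit tcp 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255 eq 1433
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group APP_TO_DB in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
```

The practical difference a defender cares about: in Option A the firewall's connection table, logging and inspection cover server-to-server traffic, and a new VLAN is a new sub-interface plus a policy entry on the firewall. In Option B the switch ACL must be maintained on every SVI and gives only hit counters, which is the administrative trade-off the question raises.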
Thx for your response. I do have a few questions, as I cannot seem to think why this design would be deployed. Thx for helping
Is this design considered best practice? If cost is a reason, why not make the outside switch an L3 switch (most switches deployed on the outside are capable of L3)? Connect the firewall to an access port in the same VLAN as the switch. All the outside vendors connect to the switch in their own VLANs, and those VLANs terminate on the switch. Let the L3 switch handle the routing towards the firewall.
It seems moving the routing functionality to the firewall is just shifting the responsibility onto the firewall. Will the firewall run a routing protocol with external vendors directly? I can see why this might be deployed in a high-security environment, but that would be it.
One more question. Why would a design be deployed in which the outside switch is limited to L2? Are there any benefits to doing it this way?