This is a normal setup for small to medium sized organizations. In this scenario, normally the ISP will use one of the assigned public IPs as the gateway IP (router IP) and the rest will be yours. You may see a switch between the customer FW and the ISP router, so that you can add more perimeter devices with public IPs. In case of only 2 usable public IPs, there is no need to have any switch though.
Pro: Simple to manage. Add a default route on your FW and have proper security rules, and you are all set to go.
Con: Single point of failure.
But this is a strange design, FW then router. What I have seen in my career is edge router then firewall, not firewall then edge router. Have you seen this type of design before? What is the difference in terms of the logical setup?
First thing, there is only one link to the ISP, which means there is no high availability. You need to have multihoming.
Secondly, you're right that normally the edge router peers with the SP and you have the FW behind it. But the FW can also peer with the SP as it can do some basic routing like static routes, etc. The logic here, from a simplistic perspective, is to allow very strict security so that nothing passes the FW. If you have the edge router then it's vulnerable to attacks etc. as it's not that secure, if you know what I mean. Other than that I don't see anything out of the blue in having such a setup.
In your topology you have to connect two separate networks, the enterprise and the ISP; the function of the device on the edge will primarily be that of a router rather than a firewall.
A router is a device designed to route packets, while a firewall is designed to filter traffic.
Moreover, a router normally has interfaces that a firewall does not have. It's hard to find a firewall with ATM or Serial interfaces to connect it to the WAN. So, in such cases you'll need a router before the firewall to connect your network to the ISP.
Hope that helps,
Hi Vasilis, hi Kishore
Agree with Vasilieos, can you please elaborate more!
Your comments: is it a strange design, FW then edge? Do you agree? I have not seen this design before! Is this a best practice?
I agree, Ibrahim, that this design is not so common due to the limitations described above.
(Difficulties in multihoming the environment with the ISP due to the routing limitations of the FWL, limitations of the FWL for QoS compared to the router, WAN interface type limitations, etc.) On the other hand, the main advantage of the FWL at the edge is that the router is not directly exposed to the web, and so attacks, e.g. DoS, can be filtered by the FWL.
Finally, you should take into account the future needs of the customer... maybe now it is just a router and FWL, but in the future the customer could request redundant links or routers, and this requires advanced routing mechanisms that you cannot achieve with a FWL.
Hope that helps!
Thanks, you deserve another 5 points from me. Thanks Cisco for this valuable forum.
Exciting topic: BGP with 3 links, please participate.