Cisco Support Community
New Member

Routing Mode vs Transparent Mode?

Hi,

There's not much information that can be found on the internet regarding this topic. I would appreciate it if anyone could share the similarities and differences between these two modes, the pros and cons, and examples of them.

Thanks in advance

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: Routing Mode vs Transparent Mode?

Adam

I'll use a firewall as an example but the same applies to other types of device -

In routing mode the device is seen as a next-hop along the path. So if you had a device with 2 interfaces in routed mode, each interface would be in a separate subnet and the device would route packets between these subnets.

In transparent mode the device is not an L3 next-hop; it is a "bump in the wire". Essentially, if you have 2 interfaces then they are in the same subnet, although not the same VLAN.

The big pro for transparent mode is that the device can be inserted into a network with no need to change IP addressing and is in effect invisible to end devices such as PCs/servers. So if you had a VLAN with servers in it and you suddenly had a requirement to firewall some of the servers from the other servers, you can insert a transparent firewall without having to change any addressing on the servers.

Transparent firewalls can also pass protocols other than IP.

The main downside with transparent devices is that they are limited in the number of interfaces you can have, i.e. you can only firewall between 2 interfaces. Note this limitation can be partly overcome with bridge groups on the FWSM, but even then there is a limitation as to how many bridge groups can be used. In addition, because they are an L2 device they cannot act as an L3 device in terms of routing etc., so a transparent firewall could not be an OSPF or EIGRP neighbor with another device.

Routed mode firewalls can support many more DMZs than transparent. They can participate as a routing peer, and I think they are more intuitive than L2 firewalls. But going back to the previous example, if you needed to suddenly firewall within a VLAN, a routed firewall would mean readdressing some of the servers.

Cisco has many examples of firewall configuration for both transparent and routed mode and documents that explain things in much more detail. The above is a very basic overview and there is a lot more that could be said. Were you interested in any specific device in particular?

Jon
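
The two modes described in the answer above, shown as an added configuration sketch (not part of the original thread and not Jon's or Cisco's own example). It assumes ASA 8.4-or-later syntax; the interface names, addresses and ACL names are constructed for illustration.

```text
! ---- Routed mode: the firewall is an L3 next hop --------------------
! Each interface is in its own subnet; hosts behind "inside" must use
! 10.1.2.1 (constructed) as their gateway, so they get readdressed.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
! ---- Transparent mode: "bump in the wire" ---------------------------
! Both interfaces bridge the SAME subnet (10.1.1.0/24) but connect to
! different VLANs on the switch. Hosts keep their existing addresses
! and existing default gateway.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
!
! The BVI address is for management and firewall-originated traffic
! only; it is not a gateway for the hosts.
interface BVI1
 ip address 10.1.1.2 255.255.255.0
!
! IP traffic is still filtered with ordinary extended ACLs.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.20 eq 443
access-group OUTSIDE_IN in interface outside
!
! Non-IP frames pass only if an EtherType ACL allows them.
access-list NONIP ethertype permit mpls-unicast
access-group NONIP in interface outside
```

In the transparent case the protected servers see no new hop, which is why no readdressing is needed; in the routed case the firewall's interface address becomes their gateway.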

4 REPLIES
Cisco Employee

Re: Routing Mode vs Transparent Mode?

Perfect description, Jon.

Hall of Fame Super Blue

Re: Routing Mode vs Transparent Mode?

Many thanks for the compliment and the rating.

Jon

New Member

I'm going through the ASA

I'm going through the ASA 5505 documentation and found this answer googling for an explanation about the difference between modes. This answer helped me especially as an example was given for why you would use transparent mode. I'm no expert so my rating is not a technical rating but I personally found the explanation to be clear and concise and it helped me.
