[c-nsp] Campus Network - Deployment mode of Perimeter Firewalls

Nick Hilliard nick at foobar.org
Mon Aug 10 15:41:10 EDT 2020

Yham wrote on 10/08/2020 19:53:
> Hello Gentlemen,
> We are redesigning the core network where we have
> - Edge routers peering BGP with internet providers and partners
> - Perimeter firewalls to secure north-south traffic

Unless there's a specific policy objective which overrides any technical 
consideration, you may want to consider not putting firewalls inline 
like this, as they often introduce serious failure modes which are 
difficult to work around.  Best case in a service provider environment, 
they should service only the addresses which need to be firewalled and 
should not be used as the default configuration for all traffic.

> I wanted to ask if there are the best practices when deploying the
> perimeter firewalls?

> Is Active/Active is better than Active/Standby HA model?

No, active/active is troublesome - you end up sharing state between 
multiple systems, which introduces complexity and potential for failure. 
Active/standby also keeps you honest by ensuring that you end up with 

> Is a pair of Firewalls in Routed mode performs better than in
> Transparent/Layer2 mode?

You lose features in transparent mode, e.g. routing and a bunch of 
others.  There's no compelling reason to use it for most situations.

> Regarding Firewalls mode, I know you can't use some firewall features (such
> as VPN, NAT etc) when in layer2 mode however in some Next-Gen firewalls,
> you can make certain pair of interfaces transparent to your upstream and
> downstream and another pair of interfaces in layer3 mode for VPN, NAT etc.
> Any comments, please?

Keep as much traffic away from firewalls as possible.  Keep your 
configuration as simple as possible (this takes time and effort).  If 
you're using Juniper firewalls, keep each customer in an apply-group.
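
As an added illustration of the apply-group suggestion above (not part of the original thread or of any vendor documentation), a constructed Junos SRX fragment that keeps one customer's zone and policy inside a single named group; the customer name, interface unit and zone names are assumptions:

```junos
/* Constructed example: all firewall state for one customer lives in
   one group, so it can be reviewed, diffed or removed as a unit
   ("delete groups cust-acme" plus "delete apply-groups cust-acme"). */
groups {
    cust-acme {                         /* assumed customer name */
        security {
            zones {
                security-zone cust-acme {
                    interfaces {
                        ge-0/0/1.100;   /* assumed customer-facing unit */
                    }
                }
            }
            policies {
                /* Only the flows this customer needs are permitted;
                   anything not matched falls through to the default deny. */
                from-zone cust-acme to-zone untrust {
                    policy cust-acme-https-out {
                        match {
                            source-address any;
                            destination-address any;
                            application junos-https;
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }
}
apply-groups [ cust-acme ];
```

Adding a second customer means adding a second group and a second entry in `apply-groups`, without touching the first customer's lines.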
