Utilize Firewall on ISR when you have an ASA

Hi, I have a couple of probably quick questions:
1. When enabling CBAC firewalls on an ISR, i.e. the 2911, how much of a performance impact would you likely see? How can I ultimately tell if it is affecting my performance or adding latency? My CPU is not high, but I don't believe that should be the only measure.

2. My setup is as follows: Public Internet > Router > ASA > Internal Switch. At this point I have CBAC enabled at the router as well as the ASA functioning as a firewall. It's a bit redundant but also complies with the "security in depth" model. If my performance can be increased by removing the firewalls at the router, I think it may be worth doing, though, and leaving all the firewalling to the ASAs, which were designed to do that.

Thanks!
Asked by Psy4HA

2 Solutions

Soulja commented:
The impact of CBAC on the router is really determined by how much traffic it actually has to inspect. Cisco says that CBAC uses 600 bytes of memory per connection, so you may want to take that into consideration. If a multi-tiered firewall is what you have to have, I would probably put another ASA in the mix and just let the router do what it does best: route.

If you don't need multi-tier, then just restrict as much traffic as you can by ACL at the router, and then any traffic that is allowed is inspected.

Marius Gunnerud, Senior Systems Engineer, commented:
I would suggest removing CBAC from the router and let the ASA do its intended job.

Psy4HA (author) commented:
OK, I should probably remove CBAC and implement Control Plane Protection to protect the router itself. I'm also thinking of adding an ACL to the public interfaces that permits all traffic but maybe only allows SSH from known IPs? If I add an ACL, I think it's still CEF switched and wouldn't add any load, as I wouldn't need inspection. Or maybe I do this all through CPPr? Thanks all.

Soulja commented:
Yeah, as I stated: use ACLs on the router to filter most traffic, and then the traffic that is allowed in can be inspected by the ASA.
 
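For reference, this is what the plan agreed in the thread (drop CBAC on the ISR, keep stateful inspection on the ASA, filter what is aimed at the router with a stateless ACL, and protect the control plane with CPPr) looks like as IOS configuration. It is an added illustration, not configuration posted by anyone in the thread. The interface Gi0/0, the inspect rule name FW_OUT, the router's outside address 203.0.113.1 and the management hosts 198.51.100.10/.11 are placeholders; it also assumes the ASA, not the ISR, does NAT, so the router never has to track sessions.

```cisco
! --- Step 1: take CBAC off the outside interface, then delete the rule set ---
! Assumes the inspect rule was called FW_OUT and was applied outbound on Gi0/0;
! check "show ip inspect config" for the real name and direction.
interface GigabitEthernet0/0
 description Outside - toward ISP
 ip address 203.0.113.1 255.255.255.252
 no ip inspect FW_OUT out
!
! Without a protocol keyword this removes the whole named rule set.
no ip inspect name FW_OUT
!
! --- Step 2: stateless ingress ACL on the outside interface ---
! Only traffic addressed to the router itself is filtered here; transit traffic
! is passed to the ASA, which keeps the stateful inspection. Addresses are
! placeholders (assumption: ASA does NAT, ISR only routes).
ip access-list extended OUTSIDE_IN
 remark SSH to the router only from known management hosts
 permit tcp host 198.51.100.10 host 203.0.113.1 eq 22
 permit tcp host 198.51.100.11 host 203.0.113.1 eq 22
 remark Replies to the router's own traffic (NTP, DNS, traceroute/PMTUD)
 permit udp any eq ntp host 203.0.113.1
 permit udp any eq domain host 203.0.113.1
 permit icmp any host 203.0.113.1 echo-reply
 permit icmp any host 203.0.113.1 unreachable
 permit icmp any host 203.0.113.1 time-exceeded
 remark Drop anything else aimed at the router; keep "log" only while baselining
 deny   ip any host 203.0.113.1 log
 remark Everything else is forwarded to the ASA for stateful inspection
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE_IN in
!
! --- Step 3: Control Plane Protection for what still reaches the router ---
! Port filter: drop packets to TCP/UDP ports the router is not listening on.
class-map type port-filter match-all CLOSED_PORTS
 match closed-ports
!
policy-map type port-filter CPPR_PORT_FILTER
 class CLOSED_PORTS
  drop
!
control-plane host
 service-policy type port-filter input CPPR_PORT_FILTER
!
! Second layer on the vty lines: SSH only, and only from the same hosts.
ip access-list standard MGMT_HOSTS
 permit host 198.51.100.10
 permit host 198.51.100.11
!
line vty 0 4
 access-class MGMT_HOSTS in
 transport input ssh
```

Two checks worth doing around the change: before removing CBAC, record `show processes cpu sorted` and `show ip inspect sessions` so the comparison is against a real baseline rather than a feeling; afterwards, `show ip access-lists OUTSIDE_IN` gives hit counts per entry and `show control-plane host open-ports` lists the ports the port filter treats as open. The one entry that is not plain CEF forwarding is the `deny ... log`, since logged matches cost CPU; remove `log` once you have seen what is hitting the router, or rate-limit the logging. If the router sources anything else from its outside address (a routing protocol to the ISP, SNMP traps, syslog), add a permit for the return traffic above the deny before applying the ACL.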
Psy4HA (author) commented:
Looks like a good plan.
