Psy4HA
asked on
Utilize Firewall on ISR when you have an ASA
Hi, I have a couple of probably quick questions:
1. When enabling CBAC firewalls on an ISR, i.e. the 2911, how much of a performance impact would you likely see? How can I ultimately tell if it is affecting my performance or adding latency? My CPU is not high, but I don't believe that should be the only measure.
2. My setup is as follows: Public Internet > Router > ASA > Internal Switch. At this point I have CBAC enabled at the router as well as the ASA functioning as a firewall. It's a bit redundant but also complying with the "security in depth" model. If my performance can be increased by removing the firewalls at the router, I think it may be worth doing, though, and leaving all the firewalling to the ASAs, which were designed to do that.
Thanks!
Yeah, as I stated. Use ACLs on the router to filter most traffic and then the traffic that is allowed in can be inspected by the ASA.
ASKER
Looks like a good plan.