Dynamic routing on firewalls.

Nicholas Oas nicholas.oas at gmail.com
Fri Feb 6 00:02:58 UTC 2015


A router behind the firewall is nice too.
It insulates the firewall from direct end-user traffic.
It also makes for a cleaner cutover from one firewall to another. (Instead
of the edge getting stuck ARPs, their perspective of the network remains
unchanged.)
It also allows for stateless ACLs on both ends of the firewall.


On Thu, Feb 5, 2015 at 1:49 PM, Ralph J.Mayer <rmayer at nerd-residenz.de>
wrote:

> Hi David,
>
> a router is a router and a firewall is a firewall.
>
> Especially a Cisco ASA is no router, period.
>
> A router in front of the firewall is my choice, it also keeps broadcasts
> from the firewall + can do uRPF.
>
>
> rm


