This is for more general topics about networking and vendors.
Adam

I'll use a firewall as an example, but the same applies to other types of device.

Routed mode: the device is seen as a next hop along the path. So if you had a device with 2 interfaces in routed mode, each interface would be in a separate subnet and the device would route packets between these subnets.

Transparent mode: the device is not an L3 next hop; it is a "bump in the wire". Essentially, if you have 2 interfaces then they are in the same subnet, although not the same vlan.

The big pros for transparent mode are that the device can be inserted into a network with no need to change IP addressing and is in effect invisible to end devices such as PCs/servers. So if you had a vlan with servers in it and you suddenly had a requirement to firewall some of the servers from the other servers, you can insert a transparent firewall without having to change any addressing on the servers. Transparent firewalls can also pass protocols other than IP.

The main downside with transparent devices is that they are limited in the number of interfaces you can have, i.e. you can only firewall between 2 interfaces. Note this limitation can be partly overcome with bridge groups on the FWSM, but even then there is a limitation as to how many bridge groups can be used. In addition, because they are an L2 device they cannot act as an L3 device in terms of routing etc., so a transparent firewall could not be an OSPF or EIGRP neighbor with another device.

Routed mode firewalls can support many more DMZs than transparent. They can participate as a routing peer, and I think they are more intuitive than L2 firewalls. But going back to the previous example, if you needed to suddenly firewall within a vlan, a routed firewall would mean readdressing some of the servers.

Cisco has many examples of firewall configuration for both transparent and routed mode and documents that explain things in much more detail. The above is a very basic overview and there is a lot more that could be said.

Were you interested in any specific device in particular?

Jon
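To make the routed-versus-transparent distinction concrete, here is an added configuration sketch (not from the post above or from Cisco's documentation) in ASA-style syntax showing the same two-interface firewall in each mode. Interface names, IP addresses, the host 10.1.1.10 and the access-list name are constructed for illustration; FWSM syntax is similar but may differ in places, so treat the exact command set as an assumption to check against the platform's own documentation.

```text
! ---- Routed mode (default): each interface owns its own subnet ----
! Servers behind "inside" must live in 10.1.1.0/24 and point at 10.1.1.1
! as their gateway; inserting the firewall into an existing flat vlan
! therefore means readdressing or re-gatewaying hosts. (constructed addressing)
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 10.1.2.1 255.255.255.0
! Policy is written against L3 addresses on either side of the hop.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-group OUTSIDE_IN in interface outside

! ---- Transparent mode: both interfaces bridge the same subnet ----
! The firewall is a bump in the wire; hosts on both sides keep their
! existing addresses and gateway. The BVI address is management-only and
! must sit in the same bridged subnet as the hosts. (constructed addressing)
firewall transparent
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 bridge-group 1
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 bridge-group 1
interface BVI1
 ip address 10.1.1.254 255.255.255.0
! The same L3 filter still applies, but note: no ip address on the data
! interfaces, no routing peers (no OSPF/EIGRP adjacency), and only the
! interfaces in the bridge group are firewalled against each other.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-group OUTSIDE_IN in interface outside
```

The point to notice is that the access-list is identical in both modes; what changes is whether the device is a routing hop (separate subnets, visible gateway, routing-protocol capable) or an L2 bridge (one subnet, invisible to hosts, limited to the interfaces in the bridge group). A quick check after deploying transparent mode is that hosts on the inside still reach their original gateway's MAC address through the firewall without any change to their IP configuration.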