Centralised Firewall between Remote Branches

Unanswered Question
Feb 17th, 2009

Hi - Please can anyone confirm if the following MPLS scenario is feasible.

I wish to have a number of sites (each in a different VRF) managed via a Firewall at a central site.

The proposal is for the central site CE to have each VRF passed to it via subinterfaces from the PE (no Multi-VRF CE implementation available). Each VRF is then offloaded to a second LAN interface where an external Firewall is attached which will restrict which remote sites can see who.

If the above scenario is possible, are there any documents/design guidelines anywhere which show how the VRFs can be mapped to the Firewall, i.e. a dot1q trunk from the CE?

Thanks in advance.

shivlu jain Tue, 02/17/2009 - 07:05

When the traffic comes in it is VPNv4 traffic, but when forwarded to the firewall it should be IP traffic, and for the reverse direction you need to provide the route. I have implemented this with FWSM in a 7600. Kindly tell me if you are also looking for the same.


shivlu jain

Giuseppe Larosa Tue, 02/17/2009 - 14:27

Hello Paul,

An FWSM used in multicontext mode, as explained by Shivlu, is a common design, sometimes called Network Based Security Managed Services.

In our customer networks we have implemented some of these security contexts to allow controlled access to domain services or other resources that are in the global routing table.

Using multiple external FWs is not practical and less scalable.

Hope to help


paul-giles Wed, 02/18/2009 - 03:37

Thanks Giuseppe, but due to various reasons we have to use an external non-Cisco router.

Basically I need assistance in mapping the VRFs to VLANs through a non-multi-VRF CE and onwards to an externally attached Firewall (non-VRF-aware) which will perform inter-VPN routing.

Giuseppe Larosa Thu, 02/19/2009 - 03:00

Hello Paul,

In this case I would consider connecting an 802.1Q trunk directly to the external firewall, if the firewall supports 802.1Q subinterfaces.

The single CE in the middle can be reduced to a simple L2 LAN switch.

On the firewall you can take advantage of setting the same security level on all 802.1Q subinterfaces: this avoids communication between the 802.1Q subinterfaces.

This is also a commonly used setup; for example the ASA can support multiple 802.1Q subinterfaces, so this is handy.

Then you can configure different ACLs for each interface to specify the rights.

It avoids having the different VRFs able to communicate with each other.

Hope to help
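The design described in this thread (one 802.1Q subinterface per VRF on the PE, the CE reduced to an L2 switch, and a firewall with per-subinterface ACLs and a return route per VPN) as an added configuration example. This is not configuration from the original thread or from any of its authors; the VRF names RED and BLUE, the VLAN IDs, the AS number, and all addresses are constructed for illustration, and the firewall half uses Cisco ASA syntax since the ASA is the platform named in the last reply. It also covers Shivlu's point about the reverse route.

```cisco
! --- PE router (Cisco IOS syntax); the trunk reaches the firewall through an L2 switch ---
ip vrf RED
 rd 65000:10
 route-target both 65000:10
!
ip vrf BLUE
 rd 65000:20
 route-target both 65000:20
!
interface GigabitEthernet0/1
 description dot1q trunk toward the central firewall
 no ip address
!
interface GigabitEthernet0/1.10
 description VRF RED hand-off to firewall (VLAN 10)
 encapsulation dot1Q 10
 ip vrf forwarding RED
 ip address 10.10.0.2 255.255.255.0
!
interface GigabitEthernet0/1.20
 description VRF BLUE hand-off to firewall (VLAN 20)
 encapsulation dot1Q 20
 ip vrf forwarding BLUE
 ip address 10.20.0.2 255.255.255.0
!
! Reverse routes: inside VRF RED the BLUE site prefix is reached only via the firewall, and vice versa.
ip route vrf RED  10.2.0.0 255.255.0.0 10.10.0.1
ip route vrf BLUE 10.1.0.0 255.255.0.0 10.20.0.1
!
! Advertise those statics into each VPN so remote sites also send inter-VPN traffic via the firewall.
router bgp 65000
 address-family ipv4 vrf RED
  redistribute static
 address-family ipv4 vrf BLUE
  redistribute static

! --- Central firewall (Cisco ASA syntax), one 802.1Q subinterface per VRF ---
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif vpn-red
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif vpn-blue
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
! Return paths toward each VPN's site prefixes via the PE subinterface address.
route vpn-red  10.1.0.0 255.255.0.0 10.10.0.2
route vpn-blue 10.2.0.0 255.255.0.0 10.20.0.2
!
! By default interfaces at the same security level exchange no traffic at all.
! This line opens the inter-VPN path so the per-interface ACLs below decide what passes.
same-security-traffic permit inter-interface
!
! RED may reach only one HTTPS service in BLUE; everything else from RED is dropped and logged.
access-list RED_IN extended permit tcp 10.1.0.0 255.255.0.0 host 10.2.0.10 eq 443
access-list RED_IN extended deny ip any any log
access-group RED_IN in interface vpn-red
!
! BLUE initiates nothing toward RED; replies to RED's sessions are allowed by stateful inspection.
access-list BLUE_IN extended deny ip any any log
access-group BLUE_IN in interface vpn-blue
```

Two checks worth making after applying something like this: `show ip route vrf RED` on the PE should show the BLUE prefix via the firewall address and nothing else pointing between VPNs, and on the ASA `show access-list RED_IN` hit counts on the final deny line confirm that traffic not explicitly permitted is being dropped rather than leaking between subinterfaces. If `same-security-traffic permit inter-interface` is omitted, the subinterfaces stay fully isolated regardless of the ACLs, which is the isolation the last reply describes.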


