Centralised Firewall between Remote Branches

paul-giles
Level 1

Hi - please can anyone confirm whether the following MPLS scenario is feasible?

I wish to have a number of sites (each in a different VRF) managed via a Firewall at a central site.

The proposal is for the central site CE to have each VRF passed to it via subinterfaces from the PE (no Multi-VRF CE implementation available). Each VRF is then offloaded to a second LAN interface where an external Firewall is attached which will restrict which remote sites can see who.

If the above scenario is possible, are there any documents/design guidelines anywhere which show how the VRFs can be mapped to the Firewall (i.e. a dot1q trunk from the CE)?

Thanks in advance.

4 Replies

shivlu jain
Level 5

When the traffic comes in it is VPNv4 traffic, but when forwarded to the firewall it should be IP traffic, and for the reverse direction you need to provide the route. I have implemented this with an FWSM in a 7600. Kindly tell me, are you also looking for the same?

Regards

shivlu jain

Giuseppe Larosa
Hall of Fame

Hello Paul,

An FWSM used in multi-context mode, as explained by Shivlu, is a common design sometimes called Network Based Security Managed Services.

In our customer networks we have implemented some of these security contexts to allow controlled access to domain services or other resources that are in the global routing table.

Using multiple external FWs is not practical and is less scalable.

Hope to help

Giuseppe

Thanks Giuseppe, but for various reasons we have to use an external non-Cisco router.

Basically I need assistance in mapping the VRFs to VLANs through a non-multi-VRF CE and onwards to an externally attached Firewall (non-VRF-aware) which will perform inter-VPN routing.

Hello Paul,

In this case I would consider connecting an 802.1Q trunk directly to the external firewall, if the firewall supports 802.1Q subinterfaces.

The single CE in the middle can be reduced to a simple L2 LAN switch.

On the firewall you can take advantage of setting the same security level on all 802.1Q subinterfaces: this avoids communication between the 802.1Q subinterfaces.

This is also a commonly used setup; for example, the ASA can support multiple 802.1Q subinterfaces, so this is handy.

Then you can configure different ACLs for each interface to specify the rights.

It avoids having the different VRFs able to communicate with each other.

Hope to help

Giuseppe
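The trunk-to-firewall design described in this last reply, written out as an added Cisco ASA configuration example; it is not part of the original thread. The VLAN IDs, interface names, addresses and the split into two branch VRFs plus one shared-services VRF are assumptions.

```cisco
! Added example, not from the original thread: Cisco ASA acting as the
! central inter-VPN firewall. VLAN IDs, names and addresses are assumptions.
! The PE delivers each VRF as a tagged VLAN on a single 802.1Q trunk.
interface GigabitEthernet0/1
 description 802.1Q trunk towards the PE (via the L2 switch)
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VRF, all at the same security-level, so by default
! the ASA forwards nothing between them.
interface GigabitEthernet0/1.101
 vlan 101
 nameif vrf-branch-a
 security-level 50
 ip address 10.101.0.1 255.255.255.252
interface GigabitEthernet0/1.102
 vlan 102
 nameif vrf-branch-b
 security-level 50
 ip address 10.102.0.1 255.255.255.252
interface GigabitEthernet0/1.103
 vlan 103
 nameif vrf-shared
 security-level 50
 ip address 10.103.0.1 255.255.255.252
!
! Return routes: each VPN's prefixes point back at the PE's VRF address on
! that VLAN, so replies re-enter the correct VRF (the "reverse" route above).
route vrf-branch-a 10.1.0.0 255.255.0.0 10.101.0.2
route vrf-branch-b 10.2.0.0 255.255.0.0 10.102.0.2
route vrf-shared   10.3.0.0 255.255.0.0 10.103.0.2
!
! Equal security levels block inter-interface traffic until this is enabled;
! afterwards only the ACLs below decide which VRF may reach which.
same-security-traffic permit inter-interface
! Branch A may reach only the shared-services VRF; everything else is dropped.
access-list vrf-branch-a_in extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list vrf-branch-a_in extended deny ip any any log
access-group vrf-branch-a_in in interface vrf-branch-a
! Branch B likewise. No rule permits A <-> B, so those two VRFs stay isolated.
access-list vrf-branch-b_in extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list vrf-branch-b_in extended deny ip any any log
access-group vrf-branch-b_in in interface vrf-branch-b
! The shared VRF may answer but not initiate; stateful inspection still
! allows replies to branch-initiated sessions.
access-list vrf-shared_in extended deny ip any any log
access-group vrf-shared_in in interface vrf-shared
```

One caveat worth noting: on the ASA, interfaces with equal security levels exchange no traffic at all until `same-security-traffic permit inter-interface` is set, so the per-interface ACLs alone will not open a path between VRFs. With that command in place, every VRF-to-VRF flow is decided by the ACLs, and the explicit `deny ip any any log` entries give the logging needed to see attempted cross-VPN traffic.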
