I am working on a project where we need to implement a FW on a PE Router as a Managed FW for our corporate users.
The proposed design is as follows:
1. On the FW Side:
a. The FW will be deployed in off-path mode, where the customer VLAN will be assigned to the same inside interface of the FW (e.g. VLAN 10) and the outside FW interface will be assigned to a different VLAN (e.g. VLAN 110).
b. The PE will be the default GW for the FW.
2. On the CE, the default GW is the FW inside interface.
3. On the PE side:
a. VLANs 10 and 110 will be created
b. CE and FW inside will be assigned to VLAN 10
c. VLAN 110 will be assigned to the customer VRF
d. A static route pointing to the customer VLAN through the FW outside interface will be made.
The main issue is that the PE is currently configured such that sub-interfaces are assigned to VRFs, which gives 4000 VLANs per interface; however, if we go with the design described above, we will be limiting ourselves to 4000 VLANs globally, which is something we cannot afford.
Would you please advise or recommend any design that could help us implement the FW without losing VLAN capability on the PE?
Attached is the HLD for your ref.
Appreciate your feedback.
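The proposed design (steps 1 to 3 in the post) written out as an illustrative configuration. This is an added example, not part of the original post and not the attached HLD. It assumes Cisco IOS-XE style syntax (EVC service instances and a bridge domain for the shared VLAN 10, a VRF-bound sub-interface for VLAN 110), a placeholder VRF name CUST-A, placeholder interface names, and constructed RFC 5737 documentation addresses; the firewall section is vendor-neutral pseudo-config, since the post does not name the FW platform.

```text
! ===== PE side (assumed IOS-XE style syntax; names and addresses are placeholders) =====
!
! Step 3a/3b: VLAN 10 is a Layer-2 bridge domain shared by the CE and the FW inside
! interface. The bridge-domain ID is a single, box-wide number space on the PE, which is
! the "4000 VLANs globally" constraint the post describes once one ID is burned per customer.
interface GigabitEthernet0/0/0
 description To customer CE (placeholder interface)
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
!
interface GigabitEthernet0/0/1
 description To managed FW (placeholder interface)
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
!
! Step 3c: VLAN 110 is a routed sub-interface placed in the customer VRF and faces the
! FW outside interface. Sub-interface dot1q tags are scoped per physical interface, which
! is the "4000 VLANs per interface" model the PE uses today.
vrf definition CUST-A
 rd 65000:10
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0/1.110
 description FW outside, customer VRF CUST-A
 encapsulation dot1q 110
 vrf forwarding CUST-A
 ip address 198.51.100.1 255.255.255.252
!
! Step 3d: static route for the customer LAN (the VLAN 10 subnet behind the FW inside
! interface) via the FW outside address, inside the customer VRF.
ip route vrf CUST-A 192.0.2.0 255.255.255.0 198.51.100.2
!
! ===== FW side (vendor-neutral; exact syntax depends on the firewall platform) =====
! inside  : 192.0.2.1/24     on VLAN 10   (default gateway for the CE / customer LAN, step 2)
! outside : 198.51.100.2/30  on VLAN 110
! default : 0.0.0.0/0 via 198.51.100.1   (the PE sub-interface, step 1b)
! policy  : permit customer LAN 192.0.2.0/24 -> outside as per the managed-FW rule set;
!           everything else from outside -> inside denied by default.
```

Reading the two PE sections side by side shows where the global VLAN pool is spent: the routed VLAN 110 sub-interface costs nothing beyond the per-interface tag, whereas the shared VLAN 10 bridge domain consumes one box-wide identifier per customer. Any alternative design should therefore aim to keep the CE-to-FW-inside adjacency out of the PE's global bridging table.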