12-06-2023 10:11 AM
Hello Everyone,
Greetings,
I have one query for the following scenario:
If my L3 VLANs are created on the core SW and, upstream, all the VLAN traffic is routed towards the firewall with the default route, then how will I configure the service-side VPNs?
LAN: Core SW ----default route ------> FW ------->LAN: Service side VPNs ????--> c-Edge
An early response is highly appreciated.
Thanks,
Sushil
12-06-2023 10:19 AM
12-07-2023 12:57 PM
Hi,
So, you have multiple service-side VPNs (different VRFs) on the router side, like data, voice, guest, etc.
Here, the important question is how the SVIs are configured on the core switch. Most probably you have different SVIs for different services (e.g. data, voice, guest), and thus different VRFs as well. But the firewall does not support contexts (VRFs), or you don't want to use them.
In this case, you can have multiple interconnections between the core and the firewall, and also between the firewall and the router, so-called "VRF-lite". The firewall will not understand this, but you add each interconnection to a different zone and block traffic between interconnections.
Example:
[Data SVI on core] Core switch [IR SVI for data]---[inside_data_zone] Firewall [outside_data_zone]---[service_side_interface_data] SDWAN_ROUTER
[Voice SVI on core] Core switch [IR SVI for voice]---[inside_voice_zone] Firewall [outside_voice_zone]---[service_side_interface_voice] SDWAN_ROUTER
For each service, the core's "left" and "right" sides should be in the same VRF, with the default route pointing to the respective FW interconnection interface.
However, the firewall does not have per-service VRF logic; you simply put each IR interface in a different zone, block any traffic by default, and allow only certain traffic per service (like from inside_data to outside_data).
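As an added example (not the poster's configuration, and not taken from any Cisco document), here is one way to lay out the VRF-lite design described above on an IOS-style core switch and the matching service-side VPNs on the cEdge. All VLAN IDs, VRF names and numbers, interface names and IP addresses are constructed; the firewall's inside_*/outside_* zones are assumed to exist as in the reply, and the firewall configuration itself is shown only as intent because it is vendor-specific.

```cisco
! ===== Core switch: VRF-lite, one VRF per service (names/addresses constructed) =====
vrf definition DATA
 address-family ipv4
 exit-address-family
!
vrf definition VOICE
 address-family ipv4
 exit-address-family
!
! User-facing SVIs ("left" side of the core)
interface Vlan10
 description Data users
 vrf forwarding DATA
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 description Voice
 vrf forwarding VOICE
 ip address 10.1.20.1 255.255.255.0
!
! Interconnect (IR) SVIs toward the firewall ("right" side), in the same VRF as the service
interface Vlan910
 description IR to FW inside_data_zone
 vrf forwarding DATA
 ip address 10.9.10.1 255.255.255.252
!
interface Vlan920
 description IR to FW inside_voice_zone
 vrf forwarding VOICE
 ip address 10.9.20.1 255.255.255.252
!
! Per-VRF default route pointing at the firewall's interconnect address for that service.
! No route leaking between VRFs on the core: data and voice can only meet at the firewall.
ip route vrf DATA  0.0.0.0 0.0.0.0 10.9.10.2
ip route vrf VOICE 0.0.0.0 0.0.0.0 10.9.20.2
!
! ===== Firewall (vendor-specific, intent only) =====
! inside_data_zone  <-> outside_data_zone  : permit the flows this service needs
! inside_voice_zone <-> outside_voice_zone : permit the flows this service needs
! any other zone pair (e.g. inside_data_zone -> outside_voice_zone): deny (default)
! The firewall also needs routes: 10.1.10.0/24 via 10.9.10.1, 10.1.20.0/24 via 10.9.20.1,
! and remote SD-WAN prefixes via the cEdge address of the matching outside_* zone.
!
! ===== cEdge: service-side VPNs, one per service (VPN IDs constructed) =====
vrf definition 10
 description DATA
 rd 1:10
 address-family ipv4
  route-target export 1:10
  route-target import 1:10
 exit-address-family
!
vrf definition 20
 description VOICE
 rd 1:20
 address-family ipv4
  route-target export 1:20
  route-target import 1:20
 exit-address-family
!
! Sub-interfaces toward the firewall's outside_* zones, one per VPN
interface GigabitEthernet0/0/1.10
 description to FW outside_data_zone
 encapsulation dot1Q 10
 vrf forwarding 10
 ip address 10.8.10.1 255.255.255.252
!
interface GigabitEthernet0/0/1.20
 description to FW outside_voice_zone
 encapsulation dot1Q 20
 vrf forwarding 20
 ip address 10.8.20.1 255.255.255.252
!
! Return path: the site's LAN prefixes are reachable through the firewall, per VPN
ip route vrf 10 10.1.10.0 255.255.255.0 10.8.10.2
ip route vrf 20 10.1.20.0 255.255.255.0 10.8.20.2
```

The per-VPN static routes on the cEdge (or a routing protocol peered with the firewall per interconnect) are what the router advertises into OMP for each service-side VPN, so the segmentation on the core continues across the fabric. The security property to check after building this is that the only path from one service to another is a firewall rule that explicitly permits it: no VRF on the core or cEdge should import another VRF's routes, and the firewall's default policy between unrelated zone pairs should remain deny.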