The question is about layers of security for implementing an MPLS link.
Today my MPLS links are terminating on Border Routers that are performing BGP Single Multi-homed as well.
After this Border Router I have the Firewall performing external NAT and external filtering only and forwarding the traffic via the core switch to the Internal Firewall, which performs all internal filtering.
So, the communication works in the way below: internet > border-router > external-firewall > core-switch > internal-firewall
The security team is asking us about the role of the external-firewall, which only performs external filtering and can't perform the routing by itself.
In this way the traffic would go through: internet > border-router > core-switch > internal-firewall.
My point is, what's the best place and recommendation for this case?
Is there some document/recommendation or best-practice design for this scenario?
Thank you in advance.