Question regarding this design

Noble
Level 1

Hello,

I am no expert so my apologies if this question comes across as silly.  Please see the attached topology, it is a centralized model in which "Remote site A" and "Remote site B" connect to "HQ" via L2 extensions, and then connect to one another through HQ.  My question is, in this topology is it in any way possible for traffic from Remote A to Remote B (or vice versa) to traverse the firewall for inspection before forwarding off?  The way I see it, the router sits at the perimeter, terminates the connections to both sites and is essentially directly connected, therefore it would make the decision to forward the traffic directly.

Hopefully this makes sense.

Thanks,

4 Replies

Hello


@Noble wrote:

Hello,

 My question is, in this topology is it in any way possible for traffic from Remote A to Remote B (or vice versa) to traverse the firewall for inspection before forwarding off?  The way I see it, the router sits at the perimeter, terminates the connections to both sites and is essentially directly connected, therefore it would make the decision to forward the traffic directly.

You can have the FW perform the routing for the two sites. As such, each site's next hop would be the FW, and then from the FW you can apply your filters/rules criteria etc...


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
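As an added illustration of the point in this reply (example code written for this page, not from the thread, Cisco, or any vendor product): a small Python forwarding-path trace comparing the design as first described, where the HQ router has both site prefixes directly connected, with the suggested design, where the firewall is each site's next hop. Device names and prefixes are constructed assumptions.

```python
import ipaddress

# Constructed prefixes for the two remote sites (not from the thread).
REMOTE_A = ipaddress.ip_network("10.1.0.0/24")
REMOTE_B = ipaddress.ip_network("10.2.0.0/24")

# A routing table is a list of (prefix, next_hop). next_hop None means the
# prefix is directly connected and this device delivers the packet itself.
def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or raises if no route."""
    matches = [(p, nh) for p, nh in table if dst in p]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, ingress, dst, max_hops=8):
    """Return the HQ devices a packet crosses, starting at the device the
    remote site hands it to, until it reaches a directly connected prefix."""
    dst = ipaddress.ip_address(dst)
    node, path = ingress, []
    while node is not None:
        if len(path) >= max_hops:
            raise RuntimeError(f"routing loop: {path}")
        path.append(node)
        node = lookup(tables[node], dst)
    return path

# Design as the original post describes it: the router terminates both L2
# extensions, so both site prefixes are directly connected to the router and
# it forwards Remote A to Remote B traffic itself.
AS_DESCRIBED = {
    "hq-router": [(REMOTE_A, None), (REMOTE_B, None)],
    "hq-fw": [(REMOTE_A, "hq-router"), (REMOTE_B, "hq-router")],
}

# Suggested design: the firewall performs the routing for the two sites, so
# each site's next hop is the firewall and policy can be applied there.
FW_ROUTES_SITES = {
    "hq-fw": [(REMOTE_A, None), (REMOTE_B, None)],
    "hq-router": [(REMOTE_A, "hq-fw"), (REMOTE_B, "hq-fw")],
}

def inspected(tables, ingress, dst):
    """True when the traced path crosses the firewall."""
    return "hq-fw" in trace(tables, ingress, dst)

if __name__ == "__main__":
    print("as described:", trace(AS_DESCRIBED, "hq-router", "10.2.0.5"))
    print("FW routes sites:", trace(FW_ROUTES_SITES, "hq-fw", "10.2.0.5"))
```

The trace shows why the router, once it owns both site prefixes, never hands inter-site traffic to the firewall, and how moving the next hop changes that.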

Hi Paul,

Thank you - unfortunately the topology is a little more complicated than depicted and the routers are necessary to make dynamic decisions should certain links fail (there is a redundant link between Remote A and Remote B that is only utilized if either of their primary links to HQ fail - as in they will flow through each other in order to reach HQ).  I really don't want to have the firewalls participating in dynamic routing (BGP peering with MPLS provider etc.), and would prefer to keep the routers at the perimeter, but I'm not sure if it's even possible due to these concerns.

Thanks,

Hello

I guess then, to better understand your topology, a diagram would be good to view, if applicable for you to share.


Kind Regards
Paul

Hi Paul,

Please see attached.

There is a L2 extension between Remote A and DC which acts as the primary link.

Remote A --> DC - across LANex

Remote A --> Internet - across LANex out from the DC

Remote A --> Remote B - across LANex to MPLS network

Remote B (and all other remote sites) connect via a provider MPLS network back to DC.

Remote A has a connection to the MPLS, but it is only used as a backup path should the LANex fail.  Secondly, if the MPLS link going towards the DC fails, then the remote sites will use Remote A's MPLS link + the LANex to reach DC.

There are dynamic routing decisions being made through BGP to the CEs and OSPF across the LANex.

In this situation, traffic from Remote A is able to reach Remote B without traversing the firewall, however we would hopefully like to have it do so as to not require a major topology change or break the existing routing.

Thanks,