09-13-2012 04:05 PM - edited 03-03-2019 06:45 AM
Hello,
Need some help understanding concepts of VPLS and Multi-VRF.
We are in the process of implementing VPLS.
We have two main sites A&B and each site has smaller offices.
With the new VPLS cloud all the sites and offices are meshed and can connect to each other, whereas before the smaller offices under sites A and B could not talk to each other and could only do so through explicit rules on the firewalls between sites A and B, which were connected using P2P circuits.
Ideally we want to improve security with the VPLS solution and, for now, only allow VoIP traffic between the smaller offices of A and B, and look at other application connections later. Also, Site A has no restrictions talking to its own smaller offices, and the same applies to Site B.
Can we restrict access for the smaller offices using Multi-VRF? If so, how?
Would creating VLANs or using pseudowires etc. with firewalls help?
Any help appreciated.
09-14-2012 08:21 AM
Hello,
VPLS has a similar idea to a point-to-point link, except that VPLS is intended for connecting sites in the same broadcast domain (VPLS is point-to-multipoint in nature), as part of its characteristics.
The provider encapsulates your Layer-2 traffic through the MPLS backbone and creates a tunnel (a full mesh of tunnels between sites).
So if you have two or more sites connected through VPLS, all of these sites are part of the same Layer-2 domain.
Multi-VRF Lite, on the other hand, is intended for segmentation and path isolation within the enterprise network.
So, what I would advise is as follows:
Your firewalls at both sites can be placed at the WAN edge connecting the sites; use Multi-VRF Lite in your internal LAN at both sites. This ensures segmentation and path isolation between the small offices locally.
On both firewalls, you can allow only VoIP communication between sites and add permissions as per your requirements.
HTH
Mohamed
09-14-2012 12:57 PM
All the smaller offices terminate to the same VPLS router at the data center in Site A and Site B respectively.
If a firewall were added it would have to be placed on the internal LAN.
The voice traffic from the smaller offices coming into Site A would then have to come into the VPLS and get forwarded to the internal firewall, which would then route it back out to Site B. This is the only place to have a firewall. I am just concerned that this may cause latency and slow request processing if everything goes via the firewall.
Do you know if this will be the case?
I am new to Multi-VRF Lite so I am not sure how that would work on the internal LAN. The smaller sites at Site A need to talk to each other, and similarly at Site B their offices need to talk to each other. Some of the smaller offices would need to come into data center Site A or B for Internet. File sharing would also be a requirement between smaller offices at Site A.
Also, which firewall would you recommend for this?
09-17-2012 01:48 AM
Hello,
If the smaller offices need to communicate within each site, then VRF-Lite wouldn't be sufficient here. A local switch doing inter-VLAN routing is enough.
With your current requirement, yes, it would be good to place a FW in the LAN of each site. Even if you don't have an L3 switch locally to perform the inter-VLAN routing between offices, you can leave this functionality to the firewall; with the right access permissions (and security levels), a FW can do routing between your internal networks.
With regard to the latency question, keep in mind that whenever you add any layer of security, you decrease performance, because a security device performs inspection of the traffic; this is normal. If you add intrusion prevention, for example, this will decrease performance further. So the tighter the security, the lower the performance. That is the right equation, but it becomes necessary to sacrifice a little performance to protect your network.
A recommended firewall would be based on the throughput required, concurrent TCP connections and other factors.
To recommend one, let me know how many users you have in your internal offices, how much bandwidth you have on the WAN, and whether you plan to increase the number of sites on the WAN or plan to add other offices to your internal offices.
HTH
Mohamed
09-18-2012 06:21 AM
We have a total of 30 offices and half have about 50 users. Bandwidth will vary from 1 Gig to 200 Mb between data centers, 50 Mb for major offices and 5 Mb for smaller ones.
A1,A2,A3,A4------>| A Data Center |-----VPLS---------| B Data Center |<------------B1,B2,B3,B4....
09-18-2012 11:22 AM
Hello,
I would recommend the ASA 5515-X according to your input.
Check the link below for more details:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700608.html
Regards,
Mohamed
09-18-2012 01:17 PM
Hi,
In terms of VLANs, how best to segment?
One VLAN for each circuit (primary/backup) Site A to Site B, one VLAN for Site A's smaller offices and another for Site B's offices.
In total 4 VLANs?
09-18-2012 09:07 PM
Hi,
Yes, that would do it. However, for the internal offices at each site, make sure the internal VLAN doesn't exceed 100 hosts, as a best practice. Reducing the broadcast on the LAN is important. So if you have more than this number, you can use another VLAN, and both VLANs will still be able to communicate locally.
Regards,
Mohamed
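The following is an added illustrative configuration, not something posted in this thread, showing how the two answers above fit together on the Site A data-center device: the four-VLAN plan (primary circuit, backup circuit, local offices, plus a second office VLAN once the first passes roughly 100 hosts), Multi-VRF Lite keeping the VPLS-facing circuits and the local offices in separate routing tables, the firewall as the only path between those two VRFs, and the VoIP-only rule toward Site B expressed as an IOS ACL. It assumes Catalyst-style Layer-3 switch syntax (SVIs; on a router you would use dot1Q subinterfaces instead), VRF names WAN and OFFICES, addressing 10.30.0.0/16 for Site A offices and 10.40.0.0/16 for Site B offices, interface names, /30 firewall legs, and SIP on 5060 with RTP on 16384-32767; all of these are assumptions to be replaced with your own values.

```cisco
! Site A data-center Layer-3 switch: VRF-lite + VLAN plan + VoIP-only policy
! Added illustrative example, not from the thread. VRF names, VLAN numbers,
! addresses, interface names and port ranges are all assumptions.
!
! WAN holds the VPLS circuits, OFFICES holds the local small offices.
! No route leaking between them: the firewall, with one leg in each VRF,
! is the only path from OFFICES to Site B.
ip vrf WAN
 rd 65000:10
ip vrf OFFICES
 rd 65000:30
!
vlan 10
 name VPLS-PRIMARY-A-to-B
vlan 20
 name VPLS-BACKUP-A-to-B
vlan 30
 name OFFICES-A
! Second office VLAN once VLAN 30 approaches ~100 hosts; same VRF, so the
! two VLANs still route to each other locally without touching the firewall.
vlan 31
 name OFFICES-A-2
!
! Only SIP signalling and RTP media may leave the office VLANs for Site B
! offices (10.40.0.0/16); everything else to Site B is dropped and logged.
! Local and data-center traffic is untouched by the final permit.
ip access-list extended VOIP-ONLY-A-TO-B
 remark SIP signalling (port assumed; use your PBX's)
 permit udp 10.30.0.0 0.0.255.255 10.40.0.0 0.0.255.255 eq 5060
 permit tcp 10.30.0.0 0.0.255.255 10.40.0.0 0.0.255.255 eq 5060
 remark RTP media (range assumed; use your PBX's)
 permit udp 10.30.0.0 0.0.255.255 10.40.0.0 0.0.255.255 range 16384 32767
 remark anything else toward Site B offices is denied and logged
 deny   ip  10.30.0.0 0.0.255.255 10.40.0.0 0.0.255.255 log
 permit ip any any
!
interface Vlan10
 ip vrf forwarding WAN
 ip address 10.255.10.1 255.255.255.252
interface Vlan20
 ip vrf forwarding WAN
 ip address 10.255.20.1 255.255.255.252
interface Vlan30
 ip vrf forwarding OFFICES
 ip address 10.30.0.1 255.255.255.0
 ip access-group VOIP-ONLY-A-TO-B in
interface Vlan31
 ip vrf forwarding OFFICES
 ip address 10.30.1.1 255.255.255.0
 ip access-group VOIP-ONLY-A-TO-B in
!
! Firewall legs (assumed /30s): inside in OFFICES, outside in WAN
interface GigabitEthernet1/0/1
 description FW-inside
 no switchport
 ip vrf forwarding OFFICES
 ip address 10.30.255.1 255.255.255.252
interface GigabitEthernet1/0/2
 description FW-outside
 no switchport
 ip vrf forwarding WAN
 ip address 10.255.255.1 255.255.255.252
!
! OFFICES reaches Site B only through the firewall's inside leg.
ip route vrf OFFICES 10.40.0.0 255.255.0.0 10.30.255.2
! WAN sends Site B over the primary circuit, with a floating static
! (administrative distance 200) over the backup circuit, and returns
! Site A office traffic to the firewall's outside leg.
ip route vrf WAN 10.40.0.0 255.255.0.0 10.255.10.2
ip route vrf WAN 10.40.0.0 255.255.0.0 10.255.20.2 200
ip route vrf WAN 10.30.0.0 255.255.0.0 10.255.255.2
```

Site B mirrors this with the 10.30 and 10.40 ranges swapped. The firewall carries the authoritative VoIP-only policy; the ACL on the office SVIs restates the same intent so that a firewall rule mistake cannot silently open Site B to everything. Because office-to-office and office-to-data-center traffic stays inside the OFFICES VRF, only the Site A to Site B flows hairpin through the firewall, which bounds the latency concern raised earlier in the thread to the cross-site VoIP traffic. Check the result with `show ip vrf interfaces`, `show ip route vrf OFFICES`, `show ip route vrf WAN` and `show ip access-lists VOIP-ONLY-A-TO-B` (the hit counters on the deny line show what is being blocked).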
09-25-2012 11:51 AM
Hi Mohamed,
Thank you for your input on this.
We are currently using Cisco ASR 1002 routers for the DCs and Cisco 3925 routers for the smaller offices.
In reference to firewalls, are Palo Alto good enough?
Aside from this, if we have site-to-site VPNs, is the ASA 5505 sufficient for connecting 100 users? Or will it struggle?
09-25-2012 12:35 PM
Hello,
I don't have experience with Palo Alto, but from what I have read and seen about its performance, it has a good reputation in the marketplace; it actually combines multiple security functions and some people have reported good performance.
For the Cisco ASA, I would definitely say NO to the ASA 5505: with such a number of users and site-to-site tunnels, it has a limited number of site-to-site VPN sessions and a maximum of 100 Mbps VPN throughput. It will struggle with your current setup. However, you can look at the ASA 5520, which is more powerful with added resources, throughput, etc.
Regards,
Mohamed