
Connecting ISP directly to Core Switch

J4yM
Level 1

Hi All,

Just looking for advice, pros vs cons, about connecting an ISP Internet feed directly to our core MPLS/VPLS switch.

ISP Internet Router -> ADVA -> Core Switch (site A) -> MPLS/VPLS -> Core Switch (site B) -> Palo Alto

The PA firewall will have a separate VR and will NAT traffic from the 10.x LAN to public addresses before routing out to the Internet via the core.

There is OSPF routing on all cores and on the distribution switches connecting to the cores, as well as L2/L3 traffic from other sites.


Is this acceptable, and what are the security concerns?

6 Replies

Hello,

Typically, the firewall (Palo Alto in your case) should be placed as close to the Internet edge as possible, in order to do what a firewall is supposed to do, which is protect your network from external threats.

Hello Georg,

Yes, that's what I am being told, but unfortunately it's not possible to reduce the hop count to the firewall. We are using centralised firewalls.

If I have a point-to-point static route to the firewall, is that not acceptable?

balaji.bandi
Hall of Fame

It all depends. Do you have a high-level network diagram? I am expecting your network will be behind the Palo Alto to protect the network. Hopefully you have MACsec; it can be configured to secure the Layer 2 links.

Sometimes this kind of delivery is acceptable, if there are no other Layer 2 or Layer 3 connections on this switch. If you have VLAN segmentation, all traffic goes via the FW.

I have seen this kind of deployment; they do have restrictions, but it is acceptable as long as the business accepts the small/medium/big risk.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi BB,

The core that will be used for connecting the ISP link has inter-site connections to other sites.

We have no MACsec. I think that would be difficult to implement at this stage; I have never seen it implemented anywhere.


Since you have VPLS from the provider, it is all a private circuit only. That was only advice on top; if you would like any additional security, MACsec can be added as a layer.

Other than that, I do not see any issue here, since it is a standard use case.

BB


Hello

If I understand, the interconnect between the ISP and the FW is pure Layer 2; it just happens to traverse VPLS, correct?

If so, I don't see any issue with that.



Kind Regards
Paul
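As an added illustration (not posted by anyone in this thread and not a Cisco- or Palo Alto-supplied template): a Cisco IOS-style configuration for the design discussed above. It shows the condition BB's "no other Layer 2 or Layer 3 connections" reply and Paul's "pure Layer 2" question both rest on, namely that the Internet transit VLAN has no SVI on either core and is pruned from every trunk except the VPLS uplink and the two handoff ports, beside the weak variant where an SVI on that VLAN drags the Internet edge into OSPF. The VLAN numbers, interface names, the VRF name OUTSIDE, and the 203.0.113.0/30 and 198.51.100.0/30 addresses are assumptions chosen for the example, not values from the original post.

```cisco
! ===== Site A core: ISP handoff lands here, carried as pure Layer 2 =====
! (all VLAN/interface/address values below are assumptions for the example)
vlan 900
 name INTERNET-TRANSIT
!
! Port facing the ADVA / ISP router: access port, no DTP, no STP trust,
! rate-limited flooding so an ISP-side storm cannot exhaust the core.
interface GigabitEthernet1/0/1
 description ISP handoff via ADVA (untrusted)
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
!
! Uplink that carries the VPLS pseudowire to site B: VLAN 900 is listed
! explicitly next to the normal inter-site VLANs (never "allowed vlan all").
interface TenGigabitEthernet1/1/1
 description VPLS to site B core
 switchport mode trunk
 switchport trunk allowed vlan 100-199,900
!
! Every other trunk on this core must NOT carry VLAN 900.
interface TenGigabitEthernet1/1/2
 description Distribution uplink
 switchport mode trunk
 switchport trunk allowed vlan 100-199
!
! Deliberately no "interface Vlan900": the core has no IP presence on the
! untrusted segment, so nothing on it is routable into the campus before
! the firewall. The weak variant is the following, which looks harmless:
!   interface Vlan900
!    ip address 203.0.113.2 255.255.255.252
!   router ospf 1
!    network 0.0.0.0 255.255.255.255 area 0
! With that, the ISP /30 is a connected route in the global table and is
! advertised to every OSPF speaker; the Internet edge has silently become
! part of the internal routing domain, with no firewall in the path.

! ===== Site B core: same VLAN, pure L2 pass-through to the Palo Alto =====
vlan 900
 name INTERNET-TRANSIT
!
interface TenGigabitEthernet1/1/1
 description VPLS to site A core
 switchport mode trunk
 switchport trunk allowed vlan 100-199,900
!
interface GigabitEthernet1/0/1
 description Palo Alto untrust interface (separate VR on the firewall)
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! OSPF touches only campus SVIs; VLAN 900 has no SVI, so no network
! statement can ever match it.
router ospf 1
 passive-interface default
 no passive-interface Vlan100
 network 10.0.0.0 0.255.255.255 area 0

! ===== Only if the core must hold the ISP /30 ("point-to-point static
! route to the firewall" option): terminate it in VRF-lite, never in the
! global table, so the outside hop still cannot reach campus routes. =====
vrf definition OUTSIDE
 address-family ipv4
 exit-address-family
!
interface Vlan900
 description ISP side, isolated VRF
 vrf forwarding OUTSIDE
 ip address 203.0.113.2 255.255.255.252
!
interface Vlan901
 description transit to Palo Alto untrust, same VRF
 vrf forwarding OUTSIDE
 ip address 198.51.100.1 255.255.255.252
!
! Default to the ISP; the firewall's public NAT pool (assumed 203.0.113.16/28)
! is pointed back at the Palo Alto untrust address inside the VRF.
ip route vrf OUTSIDE 0.0.0.0 0.0.0.0 203.0.113.1
ip route vrf OUTSIDE 203.0.113.16 255.255.255.240 198.51.100.2
```

Checks worth running on both cores once this is in place: `show vlan id 900` should list only the two intended ports on each core; `show ip interface brief | include Vlan900` should return nothing in the pure L2 design, or, with the VRF variant, `show ip route` (global table) must not contain 203.0.113.0/30 while `show ip route vrf OUTSIDE` does. Neither variant removes the exposure the first reply describes: the untrusted segment still crosses the core and the VPLS before reaching the firewall, and MACsec on the VPLS-facing ports, as BB suggests, is the only item here that protects it in transit.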