Hello All,
Our company (Company A) recently acquired another company (Company B). I am responsible for coming up with a design solution for the merger process. Company A is using an MPLS network with all the sites and has Checkpoint firewall solutions in place. Company B is mostly connected using IPSec VPNs and has a mix of firewall solutions (Sonicwall, ISA, ASA, Mikrotik etc.). The ideal and desired solution is to connect the many sites of Company B using SD-WAN. However, I am not very experienced with the merger process and this is the first task of its kind for me. Hence, I need a lot of help from you guys.
Can you please tell me how I should proceed? What is a good SD-WAN solution? Is it possible to connect an MPLS network and an SD-WAN network? Which firewall solutions should be implemented in the merger? Please also share any other important points which I should keep in mind.
Regards!
Cisco Meraki is particularly good for this - but it would mean putting an MX into every site ...
https://meraki.cisco.com/products/appliances
It can support both MPLS and Internet-based VPN using SDN at the same time.
The two major methods of deploying in your scenario are:
https://documentation.meraki.com/MX-Z/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN
https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS
For the Internet-only sites using VPN you would use AutoVPN:
https://meraki.cisco.com/technologies/auto-vpn
You should get a Cisco partner involved for a project of this complexity.
Thank you for your reply. I have one question regarding the Cisco Meraki MX. If I use, for instance, an MX100 at the network edge, will it be able to perform all the FW/IPS/AV etc., or should I have a Layer 3 switch below it?
Use a layer 3 switch if you need wire rate forwarding of traffic between VLANs. If you don't need this then you can do any routing on the MX.
OK. One more thing: can the firewall capabilities of MX devices match ASA or Checkpoint standards? My company is currently using Checkpoint (2200, 4200), so it will be a hard sell to go against that for new locations.
Hi
The Cisco IWAN solution could be a fit:
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Apr2017/CVD-IWANDeployment-APR17.pdf
As Philip said, Meraki is a perfect fit as well.
As you'll need to have a device at each location, the Meraki solution will be cheaper.
In terms of firewall, I would go with FTD on Firepower or ASA appliances. The exact model will be based on your needs.
Thank you for your reply.
What should be the key selection points in this case when selecting a firewall? MX devices are capable of stateful firewalling as well, so why not use that?