SD-WAN design Firewall integration

mikhailov.ivan
Level 1

Hello colleagues! I would like to discuss or ask about SD-WAN design and Firewall (NGFW) integration. First of all, I didn't find anything particular. So, I have a simple design for a customer with SD-WAN and c\v Edges Cat8K: we will have a couple of C8K routers per site, a couple of C9300 switches behind them, and here is the problem. They would like to leverage some simple things like dst NAT (port forwarding) or, of course, some security things like AV, IPS etc., and also filtering between VRFs or VPNs. Firewalls will be a popular 3rd-party vendor, not Cisco, and I am wary about how to connect the C8K routers with the FW in a more "elegant" way. I see the schema like this, let's simplify: the ISP is plugged directly into a FW port, the FW is connected to the C8K, and further behind we have the C9K switches. The question is:
How to configure the link between the FW and the cEdge? Do I have to use VRF-lite only? Is there only one way? I would like to avoid configuring 1000+ VRF-lite links, even via a .1q trunk. Can I use something like MP-BGP? The purpose is: port forwarding from the FW to some far hosts on site in different subnets\VPNs, and intra-VPN filtering. Thanks in advance! I can draw a pic if required.

14 Replies

mikhailov.ivan
Level 1

Thanks mate! Yes, I know this CVD doc (they haven't updated it for several years). But it doesn't answer my questions: how to integrate a Firewall. Yes, it will be the DIA schema, and I understand how to deliver the Internet from the FW to the C8K VPN0 like NAT 1:1. But how should I configure port forwarding deep into the network, like to VPN10, 20, 20 etc.? Should it be like a "Dual NAT" where, for instance, we do dstNAT from the public TCP 443 to the public C8K interface (if we have a /30 link between the C8K VPN0 and the FW) TCP 443 and then to a VPN20 private TCP 8443? But should I deliver the VPN20 to the FW in this case? Via VRF-lite or somehow else? Or can I configure dstNAT on the FW from public TCP 443 directly to private IP 192.168.10.13:8443 in the VPN20? This is an unclear moment. It looks like the integration between the SD-WAN and SDA: they supported 2 options in the beginning (integrated and independent domains), but after some time they deprecated the integrated version and said "please use manual config for VRF-lite", which I can't understand why.

You can use MP-BGP with Option B if the firewall understands the protocols (LDP, BGP, etc.).

MPLS-BGP Support on the Service Side

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/routing/ios-xe-17/routing-book-xe/m-unicast-routing.html

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

mikhailov.ivan
Level 1

Thanks mate, appreciate it! But could you break it down and be more specific? If you have a link to a CVD guide, it would be great. So with the MPLS-BGP option, how exactly will the dstNAT work? Will the packet be delivered from the FW toward the C8K VPN0 interface and then to a VPNx transparently? I can't get this moment. Our goal is simple dstNAT: INET---FW---C8K---some host in VPNx. MPLS BGP looks a bit extra in my opinion.

Cristian Matei
VIP Alumni

Hi,

It would be great if you could post a simple drawing. For example, what's unclear to me is: will you have a FW on each spoke, or is the FW only at the hub location? You'll want the FW to inspect DIA/internet traffic, right? What do you mean by filtering traffic between VRFs/VPNs: do you want the FW to filter/control traffic between LANs of the same site or between sites?

Thanks,

Cristian.

Sure mate. Here you go. I drew on the left side the part as it will be in real life, and if we skip all redundancy things, I simplified it on the right side. Answering your questions: each site will have the same schema, and yes, the FWs will be used only for doing some inspections like AV\IPS etc. with the internet traffic. When I say "filtering between VRFs" I mean some really rare case, I would say it's just theory, when we need to provide connectivity from one VRF (like interface) to another except the shared services VRF, and in this case we will have the route leaking point on the FW. As you can see on the pic, I am confused between 2 options if we talk about the port forwarding.

And in this case let's consider the situation where we have all interconnect links as L3, ok? I pointed out the link between the FW and the cEdge as some /30 subnet 10.254.1.0/30, and there is some routing protocol between the switch and the cEdge in each VRF\VPN. (We could terminate all traffic on the cEdge and have an L2 link, but it will be plan B.)

1) (red line) We do dstNAT on the FW like x.x.x.2:443 to the web server 192.168.10.3:8443, and according to simple routing the packet after the dNAT procedure will be forwarded directly to the host, but we will have to have tons of VRF-lite connections.

2) (blue line) We do dNAT first on the FW from x.x.x.2:443 to the cEdge 10.254.1.2:443 and then create a NAT policy to dNAT it to 192.168.10.3:8443.

Don't focus on security things like the host should be in a DMZ etc., please let's sort it out in theory, ok?

Thanks for help in advance!
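To make the two port-forwarding options above concrete, here is an added example (not from the thread or any of its participants) that models the red-line and blue-line designs as a chain of static destination-NAT hops and traces one TCP connection through them in both directions. The addresses 10.254.1.2 (cEdge side of the /30) and 192.168.10.3:8443 (web server in VPN20) are taken from the post; 198.51.100.2 is a constructed stand-in for the public x.x.x.2 and 203.0.113.10 is a constructed Internet client (both RFC 5737 documentation ranges). The third trace goes beyond the post to show what happens in the blue-line design when the server's reply does not pass back through the cEdge NAT hop.

```python
"""Added example: trace static dNAT (port forwarding) through one hop (red line)
and through two chained hops FW -> cEdge VPN0 -> VPN20 (blue line).

Assumed/constructed values: 198.51.100.2 (public VIP, stands in for x.x.x.2) and
203.0.113.10:51000 (Internet client). Everything else is from the thread.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vpn: str  # routing context (VRF/VPN) the packet currently sits in


@dataclass(frozen=True)
class StaticDnat:
    """One static destination-NAT rule; inside_vpn is the VRF/VPN the real
    destination lives in (on the cEdge this is the VPN0 -> VPN20 crossing)."""
    outside_ip: str
    outside_port: int
    inside_ip: str
    inside_port: int
    inside_vpn: str


class NatHop:
    """A device holding static dNAT rules, with its 'outside' facing outside_vpn."""

    def __init__(self, name: str, outside_vpn: str, rules: List[StaticDnat]):
        self.name = name
        self.outside_vpn = outside_vpn
        self.rules = rules

    def forward(self, pkt: Packet) -> Packet:
        # Client -> server: rewrite the destination, move into the server's VPN.
        for r in self.rules:
            if (pkt.dst_ip, pkt.dst_port) == (r.outside_ip, r.outside_port):
                return replace(pkt, dst_ip=r.inside_ip, dst_port=r.inside_port,
                               vpn=r.inside_vpn)
        return pkt  # no matching rule: routed untouched

    def reverse(self, pkt: Packet) -> Packet:
        # Server -> client: the server is now the source, so undo the translation
        # and hand the packet back to the outside VPN.
        for r in self.rules:
            if (pkt.src_ip, pkt.src_port) == (r.inside_ip, r.inside_port):
                return replace(pkt, src_ip=r.outside_ip, src_port=r.outside_port,
                               vpn=self.outside_vpn)
        return pkt


def trace(chain: List[NatHop], request: Packet,
          return_chain: Optional[List[NatHop]] = None) -> Tuple[Packet, Packet]:
    """Push the request through every hop, build the server's reply, run it back.

    return_chain lets the reply take a different set of NAT hops than the request;
    by default it retraces the request (symmetric path).
    """
    pkt = request
    for hop in chain:
        pkt = hop.forward(pkt)
    at_server = pkt
    reply = Packet(src_ip=pkt.dst_ip, src_port=pkt.dst_port,
                   dst_ip=pkt.src_ip, dst_port=pkt.src_port, vpn=pkt.vpn)
    for hop in reversed(return_chain if return_chain is not None else chain):
        reply = hop.reverse(reply)
    return at_server, reply


PUBLIC_VIP = "198.51.100.2"          # constructed stand-in for x.x.x.2
WEB_SERVER = ("192.168.10.3", 8443)  # from the thread, lives in VPN20
CEDGE_VPN0 = ("10.254.1.2", 443)     # from the thread, cEdge side of the /30
CLIENT = Packet("203.0.113.10", 51000, PUBLIC_VIP, 443, vpn="INTERNET")

# Red line: the FW translates straight to the server, so it must itself be able
# to route into VPN20 (a VRF-lite leg per service VPN).
RED_FW = NatHop("fw", "INTERNET", [StaticDnat(PUBLIC_VIP, 443, *WEB_SERVER, "VPN20")])

# Blue line: the FW only knows the cEdge VPN0 address on the /30; the cEdge holds
# the second static rule and does the VPN0 -> VPN20 crossing.
BLUE_FW = NatHop("fw", "INTERNET", [StaticDnat(PUBLIC_VIP, 443, *CEDGE_VPN0, "VPN0")])
BLUE_CEDGE = NatHop("cedge", "VPN0", [StaticDnat(*CEDGE_VPN0, *WEB_SERVER, "VPN20")])


def red_line() -> Tuple[Packet, Packet]:
    return trace([RED_FW], CLIENT)


def blue_line() -> Tuple[Packet, Packet]:
    return trace([BLUE_FW, BLUE_CEDGE], CLIENT)


def blue_line_asymmetric() -> Tuple[Packet, Packet]:
    # Reply bypasses the cEdge NAT hop: the FW sees a source it has no rule for,
    # so the client receives a reply from a private address and the session fails.
    return trace([BLUE_FW, BLUE_CEDGE], CLIENT, return_chain=[BLUE_FW])


if __name__ == "__main__":
    for name, fn in (("red", red_line), ("blue", blue_line),
                     ("blue-asymmetric", blue_line_asymmetric)):
        srv, rep = fn()
        print(f"{name:16} server sees {srv.dst_ip}:{srv.dst_port} in {srv.vpn}; "
              f"client gets reply from {rep.src_ip}:{rep.src_port} ({rep.vpn})")
```

Both symmetric traces deliver the same packet to the web server and return a reply sourced from the public VIP, which is the point of the comparison: the blue line buys a single /30 between FW and cEdge at the cost of a second static rule per published service and of keeping the reply path through the cEdge VPN0 hop, which the third trace shows is what breaks first.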


mikhailov.ivan
Level 1

Sorry, forgot to mention that there is the TLOC extension as well, but it shouldn't have an impact.

mikhailov.ivan
Level 1

According to search results, the only way that people usually use is VRF-lite (sub-interfaces per VRF\VPN) and service chains. But for me it doesn't look "elegant" in 2024 and doesn't answer the dNAT questions. Does anyone have any experience with this?

mikhailov.ivan
Level 1

Oh, and one more detail: there is a virtualized infra, so the FW VM and the C8Kv VM can be connected only by an L3 link between them. That makes the situation more confusing. Of course I can add something like a vLink per each VPN, but it's an ugly solution. .1q L2 isn't supported, so the next question is how to deliver each VRF into the FW using the single /30-like link.

mikhailov.ivan
Level 1

Guys, any suggestions? I've never had this design before. It will be deployed in a local cloud provider infrastructure based on an OpenStack environment. The vendor told me that L2 traffic can't be delivered between VMs. So I can't use a single interface pair for multiple .1q tags per each VPN (which can be used in a physical environment). As an option I can add as many interfaces as needed: each VPN\VRF will have a dedicated interface on the FW and C8Kv. It will work, but looks ugly. Alternative option, and I am not sure that it's supported and recommended: I could allocate a single interface, configure L3 /30 addressing, and somehow put all traffic inside, labeled somehow again. But the interface should be terminated on a particular VPN. If it's unclear I can rephrase it.

The SD-WAN uses tunnels, so what you need is only to configure VPN0 behind the FW and NAT its private IP to a public IP.

The service VPNs do not need to be configured between the cEdge and the FW.

MHM

Yep, I understand it. The question was:

1) about DstNAT or simple port forwarding in this case;

2) periodically forwarding traffic between VPNs by leveraging the NGFW and service chains.

Thanks!

So sorry for the late reply, I was busy.
I will send you some points, check your PM.

Thanks a lot.

MHM

Thanks mate! Haven't received it yet.