10-21-2024 02:06 PM - edited 10-21-2024 02:06 PM
Hello colleagues! I would like to discuss or ask about SD-WAN design and firewall (NGFW) integration. First of all, I didn't find anything in particular. So, I have a simple design for a customer with SD-WAN and c/vEdges (Cat8K): we will have a couple of C8K routers per site, a couple of C9300 switches behind them, and here is the problem. They would like to leverage some simple things like dst NAT (port forwarding) or, of course, some security things like AV, IPS etc., and also filtering between VRFs or VPNs. The firewalls will be from a popular 3rd-party vendor, not Cisco, and I am wary about how to connect the C8K routers with the FW in a more "elegant" way. I see the schema like this, let's simplify: the ISP is plugged directly into a FW port, the FW is connected to the C8K, and further behind we have the C9K switches. The question is:
How to configure the link between the FW and the cEdge? Do I have to use VRF-lite only? Is there only one way? I would like to avoid configuring 1000+ VRF-lite links, even via a .1q trunk. Can I use something like MP-BGP? The purpose is: port forwarding from the FW to some far hosts on the site in different subnets/VPNs, and intra-VPN filtering. Thanks in advance! I can draw a pic if required.
10-21-2024 03:50 PM
I believe your scenario is something very similar to DIA (Direct Internet Access).
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-dia-deploy-2020aug.pdf
10-22-2024 01:42 AM - edited 10-22-2024 01:46 AM
Thanks mate! Yes, I know this CVD doc (they haven't updated it for several years). But it doesn't answer my question: how to integrate a firewall. Yes, it will be the DIA schema, and I understand how to deliver the Internet from the FW to the C8K VPN0, like NAT 1:1. But how should I configure port forwarding deep into the network, like to VPN10, 20, 20 etc.? Should it be like a "dual NAT" where, for instance, we do dstNAT from public TCP-443 to the public C8K interface (if we have a /30 link between the C8K VPN0 and the FW) TCP-443, and then to a VPN20 private TCP 8443? But should I deliver VPN20 to the FW in this case? Via VRF-lite or somehow else? Or can I configure dstNAT on the FW from public TCP 443 directly to the private IP 192.168.10.13:8443 in VPN20? This is an unclear moment. It looks like the integration between SD-WAN and SDA: they supported 2 options in the beginning (integrated and independent domains), but after some time they deprecated the integrated version and said "please use manual config for VRF-lite", which I can't understand why.
10-26-2024 12:49 PM
You can use MP-BGP with Option B if the firewall understands the protocol (LDP, BGP etc.)
MPLS-BGP Support on the Service Side
10-27-2024 01:31 PM
Thanks mate, appreciate it! But could you break it down and give more specifics? If you have a link to a CVD guide it would be great. So with the MPLS-BGP option, how exactly will the dstNAT work? Will the packet be delivered from the FW toward the C8K VPN0 interface and then to a VPNx transparently? I can't get this moment. Our goal is a simple dstNAT: INET---FW---C8K---some host in VPNx. MPLS BGP looks a bit extra in my opinion.
10-27-2024 02:30 PM
Hi,
It would be great if you could post a simple drawing. For example, what's unclear to me is: will you have a FW on each spoke, or is the FW only at the hub location? You'll want the FW to inspect DIA/internet traffic, right? What do you mean by filtering traffic between VRFs/VPNs: do you want the FW to filter/control traffic between LANs of the same site or between sites?
Thanks,
Cristian.
10-27-2024 03:47 PM - edited 10-27-2024 03:48 PM
Sure mate. Here you go. I drew on the left side the part as it will be in reality, and if we skip all the redundancy things, I simplified it on the right side. Answering your questions: each site will have the same schema, and yes, the FWs will be used only for doing some inspections like AV/IPS etc. on the internet traffic. When I say "filtering between VRFs" I mean some really rare case, I would say it's just theory, when we need to provide connectivity from one VRF (like an interface) to another, except the shared services VRF, and in this case we will have the route leaking point on the FW. As you can see in the pic, I am confused between 2 options if we talk about the port forwarding.
And in this case let's consider the situation where we have all interconnect links as L3, ok? I pointed out the link between the FW and the cEdge as some /30 subnet 10.254.1.0/30, and there is some routing protocol between the switch and the cEdge in each VRF/VPN. (We could terminate all traffic on the cEdge and have an L2 link, but it will be plan B.)
1) (red line) We do dstNAT on the FW like x.x.x.2:443 to the web server 192.168.10.3:8443, and according to simple routing the packet after the dNAT procedure will be forwarded directly to the host, but we will have to have tons of VRF-lite connections.
2) (blue line) We do dNAT first on the FW from x.x.x.2:443 to the cEdge 10.254.1.2:443, and then create a NAT policy to dNAT it to 192.168.10.3:8443.
Don't focus on security things like the host should be in a DMZ etc.; please let's sort it out in theory, ok?
Thanks for help in advance!
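To make the two drawn options concrete on the cEdge side, here is an added configuration sketch (not from the original thread, and not from any Cisco document); the FW rules are third-party and appear only as comments. Interface names (GigabitEthernet1 transport, GigabitEthernet2 VRF-lite toward the FW, GigabitEthernet3 service side), VLAN 20, the 10.254.20.0/30 link and the `ip nat route ... global` return-path line are assumptions to verify against the platform release in use; the SD-WAN tunnel-interface configuration on the transport interface is omitted.

```ios
! Option 1 (red line): VRF-lite, one 802.1Q sub-interface per service VPN.
! The FW does dstNAT x.x.x.2:443 -> 192.168.10.3:8443 itself and routes the
! result into the VPN 20 sub-interface; the cEdge only forwards within VRF 20.
vrf definition 20
 rd 1:20
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet2.20
 description to-FW VRF-lite, VPN 20 (assumed: one sub-interface per VPN)
 encapsulation dot1Q 20
 vrf forwarding 20
 ip address 10.254.20.2 255.255.255.252
!
! Option 2 (blue line): a single /30 in VPN 0 toward the FW, double NAT.
! FW rule (vendor syntax not shown): dstNAT x.x.x.2:443 -> 10.254.1.2:443.
! cEdge: static NAT from the VPN 0 address into the VRF 20 host.
interface GigabitEthernet1
 description to-FW in VPN 0 (10.254.1.0/30 from the thread)
 ip address 10.254.1.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet3
 description service side, VPN 20 toward the C9300
 vrf forwarding 20
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Inside (VRF 20) 192.168.10.3:8443 is reachable as 10.254.1.2:443 in VPN 0.
ip nat inside source static tcp 192.168.10.3 8443 10.254.1.2 443 vrf 20
!
! Return path: VRF 20 has no route toward the FW, so its default goes into
! the global (VPN 0) table. Assumed form of the cEdge DIA command; verify it.
ip nat route vrf 20 0.0.0.0 0.0.0.0 global
```

With option 2 only the single /30 is needed toward the FW, which is why it fits the L3-only virtual environment, at the price of one NAT entry per forwarded port on the cEdge.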
10-28-2024 01:50 AM
11-03-2024 12:53 PM
According to the search results, the only way that people usually use is VRF-lite (sub-interfaces per VRF/VPN) and service chains. But for me it doesn't look "elegant" in 2024 and doesn't answer the dNAT questions. Does anyone have any experience in this?
11-05-2024 04:38 AM
Oh, and one more detail: there is a virtualized infra, so the FW VM and the C8Kv VM can be connected only by an L3 link between them. That makes the situation more confusing. Of course I can add a vLink per each VPN, but it's an ugly solution. .1q L2 isn't supported, so the next question is how to deliver each VRF into the FW using the single /30 link.
11-11-2024 12:42 AM
Guys, any suggestions? I've never had this design before. It will be deployed in a local cloud provider infrastructure based on an OpenStack environment. The vendor told me that L2 traffic can't be delivered between VMs. So I can't use a single interface pair with multiple .1q tags per VPN (which can be used in a physical environment). As an option I can add as many interfaces as needed: each VPN/VRF will have a dedicated interface on the FW and the C8Kv. It will work, but looks ugly. An alternative option, and I am not sure that it's supported and recommended: I could allocate a single interface, configure L3 /30 addressing, and somehow put all traffic inside, labeled somehow again. But the interface should be terminated on a particular VPN. If it's unclear I can rephrase it.
11-11-2024 12:47 AM
The SD-WAN uses tunnels, so what you need is only to configure VPN0 behind the FW and NAT its private IP to a public IP.
The service VPNs do not need to be configured between the cEdge and the FW.
MHM
11-11-2024 01:11 AM
Yep, I understand it. The question was:
1) about dstNAT or simple port forwarding in this case.
2) periodically forwarding traffic between VPNs by leveraging the NGFW and service chains.
Thanks!
11-26-2024 06:30 AM
So sorry for the late reply, I was busy.
I will send you some points; check your PM.
thanks a lot
MHM
11-26-2024 11:51 AM
Thanks mate! Haven't received it yet.