WAN to SD-WAN migration : Branch (vEDGE) Routing

hemant_nalwa
Level 1

Good day,

I am new to SD-WAN technology but really amazed by its capability, and I am currently working on an SD-WAN solution for one of our clients.

The overall setup includes a private cloud, a public cloud and approx. 300 remote sites with a user count ranging from 5 to 1500.

Currently most of the sites have both MPLS and Internet links. These links are logically terminated on a perimeter firewall where zones are configured. Internet is an "Untrusted Zone" and MPLS is a "Semi-Trusted Zone".

The question is, if I want to retain these site-local perimeter firewalls, can I still keep 2 zones, one for Internet and another for MPLS? Or, in other words, can I extend the VPNs (VRFs) from the vEdge devices up to the firewall?

The benefit I see here is that I can have strict policies enabled on the firewalls for stateful inspection between these 2 zones.

If anyone has any advice for me, please do share.

Thanks

Hemant
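Added example, not part of the original post or of any Cisco documentation: a vEdge configuration sketch showing how the VPNs (VRFs) are carried from the edge router to a site firewall. It assumes the firewall sits on the service side of the vEdge, which is where the overlay traffic is already decrypted; the MPLS and Internet links terminate in VPN 0 on the vEdge and are not visible to the firewall any more, because the vEdge chooses the transport per flow, so the zone boundary that survives the migration is per service VPN (here VPN 10 "CORP" and VPN 20 "GUEST"), each delivered to the firewall as its own 802.1Q VLAN. All addresses, VLAN/VPN numbers, colors, site/system IDs and the vBond name are placeholders, and the CLI syntax is written from memory of the vEdge (Viptela) CLI and should be checked against the release in use.

```text
system
 host-name         branch-101-vedge
 system-ip         10.255.0.101
 site-id           101
 organization-name "EXAMPLE-ORG"
 vbond             vbond.example.net
!
! VPN 0: both transports terminate here. The IPsec overlay is built over each
! transport; the site firewall never sees these interfaces or the underlay.
vpn 0
 interface ge0/0
  description  MPLS-transport
  ip address 192.0.2.2/30
  tunnel-interface
   encapsulation ipsec
   color mpls
   restrict
  !
  no shutdown
 !
 interface ge0/1
  description  Internet-transport
  ip address 203.0.113.2/30
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
 ! Parent of the 802.1Q trunk toward the firewall (placeholder port);
 ! the tagged subinterfaces below live in the service VPNs.
 interface ge0/2
  mtu 1504
  no shutdown
 !
 ip route 0.0.0.0/0 192.0.2.1
 ip route 0.0.0.0/0 203.0.113.1
!
! Service VPNs: one VRF each, handed to the firewall as a tagged VLAN whose
! ID matches the VPN number. The firewall binds each VLAN to its own zone
! and applies stateful policy between those zones and the LAN.
vpn 10
 name CORP
 interface ge0/2.10
  description  to-firewall-zone-CORP
  ip address 10.101.10.1/30
  no shutdown
 !
 ! LAN prefixes behind the firewall, redistributed into OMP for the other sites
 ip route 10.101.0.0/16 10.101.10.2
!
vpn 20
 name GUEST
 interface ge0/2.20
  description  to-firewall-zone-GUEST
  ip address 10.101.20.1/30
  no shutdown
 !
 ip route 10.101.200.0/24 10.101.20.2
!
omp
 no shutdown
 advertise static
!
```

With this layout, the firewall's "CORP" and "GUEST" zones replace the old "MPLS" and "Internet" zones: the trust boundary is now between overlay segments, which is the only distinction the firewall can still make once transport selection has moved into the vEdge. If the firewall is instead kept in front of the vEdge (between the links and VPN 0), it can only see encrypted overlay traffic; it then has to pass the control-plane DTLS/TLS sessions to the controllers and the IPsec data plane on the vEdge's UDP base port 12346 (by default hopping to 12366, 12386, 12406 and 12426), and it cannot inspect anything inside those tunnels.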

2 Replies

ekhabaro
Cisco Employee

It's a really bad idea to have a firewall in front of the SD-WAN edge router, in my opinion, as you will mess up routing since your edge device interfaces will actually have connectivity with both uplinks unless you have dedicated contexts for each interface. Moreover, most likely you will use IPsec encapsulation, and hence there is little to no value in having a firewall in front of the SD-WAN edge router.

david.bolter
Level 1

Hi,

So if you are building SD-WAN, what is the new underlay network going to be? MPLS still?

Typical deployments in the UK I have seen have been SD-WAN over MPLS, in which case you would typically terminate at the edge of the MPLS underlay. Basically routing would be consistent with traditional MPLS, and so you would transit-route traffic from the vEdge to the firewall.

Hope that helps.