02-18-2013 05:38 AM - edited 03-07-2019 11:46 AM
Hi,
I need to make a design that involves PE, CE and different firewalls; my problem is the choice of the next hop, as the firewalls manage different security policies. Below is the design I need to achieve:
Networks-A --------> CE-A ----> PE-A ---InterconectVPN ----> PE-Z --->SW ---> FWA ===>CE-Z ||
Networks-B --------> CE-B ----> PE-B ---InterconectVPN ---> PE-Z --->SW ----> FWB ===>CE-Z || NETWORK Z
Networks-C --------> CE-C ----> PE-C ---InterconectVPN ---> PE-Z ---> SW ----> FWC ===>CE-Z ||
Traffic between network A and network Z needs to pass through FWA
Traffic between network B and network Z needs to pass through FWB
Traffic between network C and network Z needs to pass through FWC
I solved the communication from Z to networks A, B and C by setting the next hop to the right FW based on the community received from CE-A, CE-B and CE-C.
My problem is how to route traffic from PE-Z to network Z so that it goes through the right firewall without using source routing.
Thanks for your help
Regards
Lotfi
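As an added illustration of the community-based next-hop selection described for the Z-to-A/B/C direction (not configuration from the original post), assuming CE-Z learns the A, B and C prefixes over BGP from PE-Z through the firewalls, and using placeholder values for the communities (65000:100/200/300) and the firewall inside addresses (192.0.2.1-3):

```ios
! Community values tagged by CE-A, CE-B and CE-C (assumed placeholders)
ip community-list standard FROM-A permit 65000:100
ip community-list standard FROM-B permit 65000:200
ip community-list standard FROM-C permit 65000:300
!
! Inbound policy on CE-Z: steer each VPN's prefixes to its own firewall
route-map TO-RIGHT-FW permit 10
 match community FROM-A
 set ip next-hop 192.0.2.1
route-map TO-RIGHT-FW permit 20
 match community FROM-B
 set ip next-hop 192.0.2.2
route-map TO-RIGHT-FW permit 30
 match community FROM-C
 set ip next-hop 192.0.2.3
! Untagged prefixes keep their advertised next hop
route-map TO-RIGHT-FW permit 40
!
router bgp 65000
 address-family ipv4
  ! 192.0.2.254 stands for the BGP peer on the PE-Z side (assumed)
  neighbor 192.0.2.254 route-map TO-RIGHT-FW in
```

The sending CEs must export the communities (neighbor ... send-community) for the match to work; this only covers the direction the post reports as solved, not the PE-Z-to-Z return path, which is the open question.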
02-18-2013 09:41 AM
Is it possible to create three different VRFs at Z end?
Thanks.
02-18-2013 12:48 PM
Hi,
Thanks for your answer, but creating different VRFs on PE-Z will make the design more complex, as the number of networks in each VPN is something like 5000 routes and we have 20 VPNs to interconnect. The routing table will be 20 x 5000 routes.
Thanks
Lotfi
CCIE #22319
02-19-2013 07:26 AM
You can NAT the destination on either of the two firewalls.
Thanks.