BGP routing throught different firewalls

lotfi.bouhaddad · ‎02-18-2013

Hi,

I need to make a design that involves PE,CE and different firewalls, my problem is the choice of the next hop as the firewalls manage diffrents security policies. Bellow is the design I need to acheive:

Networks-A --------> CE-A ----> PE-A ---InterconectVPN ----> PE-Z --->SW ---> FWA ===>CE-Z ||

Networks-B --------> CE-B ----> PE-B ---InterconectVPN ---> PE-Z --->SW ----> FWB ===>CE-Z || NETWORK Z

Networks-C --------> CE-C ----> PE-C ---InterconectVPN ---> PE-Z ---> SW ----> FWC ===>CE-Z ||

Traffic between network A and network Z needs to pass through FWA

Traffic between network B and network Z needs to pass through FWB

Traffic between network c and network Z needs to pass through FWC

I solved the communication from Z to network A,B and C by setting the next hop to the right FW based on thr community received from CE-A, CE-B and CE-C

My problem is how to route traffic from PE-Z to network Z so that is goes through the right firewall without using source routing .

Thanks for your help

Regards

Lotfi

rais · ‎02-18-2013

Is it possible to create three different VRFs at Z end?

Thanks.

lotfi.bouhaddad · ‎02-18-2013

Hi,

Thanks for your answer, but creating diffrents VRF on PE-Z will make the design more complexe as number of Networks in each VPn is something like 5000 routes and we have 20 VPN to interconnect, The routing table will be 20 x 5000 routes

Thanks

Lotfi

CCIE #22319

rais · ‎02-19-2013

You can NAT the destination on any of the two firewalls.

Thanks.