We have a huge network connecting remote hospitals through microwave links which are terminated in 3560 L3 Switch. The network is using RIP V2 for routing data. Attached is the network diagram.
1. Site-1 is the administration office which receives the DHCP pool and internet from the HO.
2. The hospitals use these microwave links to share data like CT scans etc with each other.
Issue: We want only Site-1 to be able to access the HO. The other sites should not access the HO, since there can be a security issue, but they should be able to share data with the other sites.
Someone proposed installing a firewall at the HO. Will that help? What configuration can be done on the existing switches to eliminate this?
I think the easiest thing for you would be using a firewall at your HO site. Another option would be to virtualise your network and to do selective route target import/export on the necessary sites. I think that should be possible with the 3560 with VRFs. Instead of import/export you can also use a firewall for that job.
If your addressing scheme is clear, then a firewall at the HO site is certainly the easiest thing to do.
Since there is somewhat limited information based on what I know just now I would do as follows.
Since I do not trust the microwave link to be secure from people listening and/or changing information, I would install firewalls at all sites.
Each of the sites would then have an "exterior" feeding network to which the firewalls would have their external interface connected: the microwave link net.
Then I would use the firewalls' VPN capability to create a VPN tunnel between the sites that I want to be able to communicate with each other.
No other communication allowed.
I would use the firewalls to give out DHCP addresses and such.
I do not know where in the world you are but I think that if you would do less than this you would be at risk of some kind of legal action regarding patient security and confidentiality.
Three thoughts here:
1) I believe you should do some static routing between the sites using the microwave links. This will save you the BW utilized by the full routing updates created by RIP. You can do some route redistribution as needed.
2) I would suggest a GRE Tunnel with IPsec. I agree with the post above, you should secure the data crossing the airwaves. Use an access list at HQ to filter traffic from other sites other than site 1.
3) Use a DHCP server locally for site one. Again, maximize your BW by not having DHCP requests and replies cross the slowest links. NAT should be done at the EDGE where your network meets the Internet.
Just my 2 cents.
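To illustrate the access list this reply suggests for the HO switch, here is an added example of an IOS extended ACL applied inbound on the HO 3560's microwave-facing interface. It is not configuration from the thread or from Cisco documentation; the subnets (HO LAN 10.0.0.0/24, Site-1 10.1.0.0/24, other hospitals 10.2.0.0/24 and 10.3.0.0/24, microwave transit net 192.168.100.0/24 with the HO side at 192.168.100.1) and the interface name GigabitEthernet0/1 are constructed assumptions, to be replaced with the real addressing plan.

```cisco
! Constructed addressing (assumption, not taken from the thread):
!   HO LAN             10.0.0.0/24
!   Site-1 LAN         10.1.0.0/24   -> the only site allowed to reach HO
!   Site-2 / Site-3    10.2.0.0/24, 10.3.0.0/24 -> must not reach HO
!   Microwave transit  192.168.100.0/24, HO side is 192.168.100.1
!
ip routing
!
! Router ACL evaluated inbound on the HO's microwave-facing interface.
! IOS stops at the first matching entry and ends with an implicit deny,
! so the Site-1 permit must come before the final deny.
ip access-list extended MW-TO-HO
 remark Site-1 may reach the HO LAN and, via HO, the Internet
 permit ip 10.1.0.0 0.0.0.255 any
 remark RIPv2 updates from the directly connected microwave neighbours
 permit udp 192.168.100.0 0.0.0.255 any eq rip
 remark everything else arriving over the microwave link is dropped
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Microwave link towards the hospital sites (assumed name)
 no switchport
 ip address 192.168.100.1 255.255.255.0
 ip access-group MW-TO-HO in
!
```

Two points to check before applying it. First, this only protects the HO: hospital-to-hospital traffic that never transits the HO switch is unaffected, but if the microwave topology is hub-and-spoke through HO, site-to-site flows would also hit this ACL and the needed site pairs would have to be permitted explicitly. Second, the `log` keyword on a Catalyst 3560 causes matching packets to be punted to the CPU instead of being dropped in hardware, so leave it on only while verifying the policy (`show access-lists MW-TO-HO` shows the hit counters either way).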
Thank you for all the valuable inputs. However, can you please elaborate on the below:
1. Can I configure a GRE Tunnel on Cisco 3560?
2. What kind of ACL would I use to filter traffic at HO?
3. This is something new: the customer wants to do load sharing between his 512 Kbps DSL link at the HO and the 100 Mbps microwave link to SITE-1. How do I achieve this?