02-24-2021 05:22 PM
Just looking for advice, pros vs cons about connecting an ISP internet feed directly to our core MPLS/VPLS switch.
ISP Internet Router—>adva—>Core Switch(siteA)—>mpls/vpls—>Core Switch(siteB)—> Palo Alto
The PA firewall will have a separate VR and will NAT traffic from the 10.x LAN to public before routing out to the Internet via the core.
There is OSPF routing on all cores and on the distribution switches connecting to the cores, as well as L2/L3 traffic from other sites.
Is this acceptable and what are the security concerns?
02-24-2021 08:08 PM
I am not sure about the other networks connected to your core, but the basic principle is to have your firewall as close to the perimeter as possible. The firewall is your first line of defence, not the last.
It is a better design to filter all the traffic through the firewall at site A before it is sent to site B.
So what you have is feasible, but it's your call where you would like to have it. For me, site A makes more sense.
02-24-2021 09:54 PM
Even if static routing ensures that traffic gets routed directly to the firewall?
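An added illustration, not written by anyone in this thread: a toy path tracer that models the topology in the question (ISP handoff on the site A core, MPLS/VPLS to site B, Palo Alto with its own VR and NAT only at site B) as per-VRF forwarding tables and asks whether a packet entering at the ISP port can reach a 10.x address without ever passing the firewall. It compares two placements of the ISP handoff on the site A core: a dedicated VRF that holds only the static routes toward the firewall's outside VR, and the global table that also runs OSPF. All device names, VRF names, prefixes and the NAT mapping are made-up assumptions.

```python
"""Toy forwarding-path tracer for the topology in the question: ISP feed on the
site A core, carried over MPLS/VPLS to site B, firewall only at site B.
It answers one question: can a packet that enters at the ISP port reach an
internal 10.x prefix without passing through the firewall?
Added example; device names, VRF names and addresses are all made up."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Ctx = Tuple[str, str]                   # (device, vrf-or-VR) the packet is in
Route = Tuple[str, Optional[Ctx]]       # (prefix, next hop); None = deliver here
Tables = Dict[Ctx, List[Route]]
Nat = Dict[Ctx, Dict[str, str]]         # per context: public dst -> internal dst

FIREWALL = "PA-siteB"                   # hypothetical device name
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ISP_PORT_SEGMENTED = ("coreA", "INET")  # ISP handoff in a dedicated VRF
ISP_PORT_FLAT = ("coreA", "global")     # ISP handoff in the OSPF-bearing table


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match; None when the table has no route for dst."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else (str(best[0]), best[1])


def trace(tables: Tables, nat: Nat, ingress: Ctx, dst: str,
          max_hops: int = 16) -> List[Ctx]:
    """Walk the forwarding path from ingress toward dst, applying destination
    NAT on entry to the context that owns the rule. The returned list ends in
    ("DELIVERED", final_dst) or ("DROP", reason)."""
    addr = ipaddress.ip_address(dst)
    path, ctx = [ingress], ingress
    for _ in range(max_hops):
        addr = ipaddress.ip_address(nat.get(ctx, {}).get(str(addr), str(addr)))
        route = lookup(tables.get(ctx, []), addr)
        if route is None:
            path.append(("DROP", "no-route"))
            return path
        if route[1] is None:
            path.append(("DELIVERED", str(addr)))
            return path
        ctx = route[1]
        path.append(ctx)
    path.append(("DROP", "loop"))
    return path


def bypasses_firewall(path: List[Ctx]) -> bool:
    """True when an internal address was delivered and no hop was on the firewall."""
    kind, info = path[-1]
    if kind != "DELIVERED" or ipaddress.ip_address(info) not in INTERNAL:
        return False
    return not any(dev == FIREWALL for dev, _ in path[:-1])


# Pieces common to both designs: the firewall's two VRs and one DNAT rule
# (public 198.51.100.10 -> internal host 10.1.2.3), both made up.
PA_TABLES: Tables = {
    ("PA-siteB", "VR-outside"): [("198.51.100.0/24", ("PA-siteB", "VR-inside"))],
    ("PA-siteB", "VR-inside"):  [("10.0.0.0/8", ("coreB", "global"))],
}
PA_NAT: Nat = {("PA-siteB", "VR-inside"): {"198.51.100.10": "10.1.2.3"}}


def segmented_design() -> Tables:
    """ISP feed in a dedicated INET VRF on both cores. The only routes there
    point at the firewall's outside VR or back to the ISP; no 10.x routes."""
    t: Tables = {
        ("coreA", "INET"):   [("198.51.100.0/24", ("coreB", "INET")),
                              ("0.0.0.0/0", ("ISP", "edge"))],
        ("coreB", "INET"):   [("198.51.100.0/24", ("PA-siteB", "VR-outside")),
                              ("0.0.0.0/0", ("coreA", "INET"))],
        ("coreA", "global"): [("10.0.0.0/8", ("coreB", "global"))],  # OSPF-learned
        ("coreB", "global"): [("10.0.0.0/8", None)],
        ("ISP", "edge"):     [],                       # ISP does not route 10/8
    }
    t.update(PA_TABLES)
    return t


def flat_design() -> Tables:
    """Same boxes, but the ISP handoff lands in the global table that already
    runs OSPF. A static route still sends the NAT block to the firewall."""
    t: Tables = {
        ("coreA", "global"): [("10.0.0.0/8", ("coreB", "global")),         # OSPF
                              ("198.51.100.0/24", ("coreB", "global")),    # static
                              ("0.0.0.0/0", ("ISP", "edge"))],
        ("coreB", "global"): [("10.0.0.0/8", None),
                              ("198.51.100.0/24", ("PA-siteB", "VR-outside"))],
        ("ISP", "edge"):     [],
    }
    t.update(PA_TABLES)
    return t


def audit(tables: Tables, ingress: Ctx) -> Dict[str, bool]:
    """For the NAT'd public address and a raw internal one: does a packet
    from the ISP port bypass the firewall?"""
    return {dst: bypasses_firewall(trace(tables, PA_NAT, ingress, dst))
            for dst in ("198.51.100.10", "10.1.2.3")}


if __name__ == "__main__":
    for name, tables, port in (("segmented", segmented_design(), ISP_PORT_SEGMENTED),
                               ("flat", flat_design(), ISP_PORT_FLAT)):
        for dst in ("198.51.100.10", "10.1.2.3"):
            print(name, dst, trace(tables, PA_NAT, port, dst))
        print(name, "bypass:", audit(tables, port))
```

In the flat variant the static route for the NAT block does send public-addressed traffic through the firewall, exactly as the follow-up question assumes, yet the OSPF-learned 10/8 route in the same table lets the ISP port reach an internal host directly. In the segmented variant that table has no 10.x route, so the same packet is handed back to the ISP and dropped. Whether the core is "acceptable" as the ISP landing point therefore depends on what else shares the routing table with the ISP port, not on the static routes toward the firewall.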