• Status: Solved

Network Design Help

Hello Experts,

Our main and branch offices are connected via a 30 Mbps MPLS IP VPN. Internet services are centralized at HQ. We have two separate internet circuits at HQ, dedicated for Business and HQ.
My requirements are as follows, as per the attached diagram:
- Guest internet traffic should go out via FW1
- Corporate traffic should follow the default route currently configured on the L3 switch at HQ
- Configure policing on the Branch Office L3 switch: corporate traffic 20 Mbps and guest traffic 10 Mbps

I would appreciate any help and suggestions.
NetworkDesign.png
Asked by cciedreamer
2 Solutions
 
kevinhsieh commented:
Your diagram doesn't show which is HQ and which is branch. I am assuming that the left side of the MPLS is HQ, and the right side is the branch.

To get the guest traffic going out the correct firewall, use policy based routing. Match against the source IP addresses used by the guests. This is done on the corporate switch's MPLS interface. https://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html

Corporate traffic will use normal routing to go out the default route.

On the branch switch, I would not police corporate and guest traffic, as that would hard limit how much traffic corporate can generate, even if the guest network isn't being used. You can put a 10 Mbps policing policy in both directions of the branch guest SVI. That will keep that traffic in line with what you want. Don't forget to put an ACL on the guest SVI so that the devices can't access any other internal parts of the network.
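Added example (not from the thread or any of the posters): the three pieces Kevin describes, written out as Cisco IOS configuration for the HQ Catalyst 6500 and the branch Catalyst 3850. All addresses and interface names are assumptions: the branch guest VLAN is VLAN 50 with subnet 192.168.50.0/24, the HQ switch reaches FW1's inside interface at 10.1.1.2, and its MPLS-facing interface is GigabitEthernet1/1. The `police` keyword syntax differs between Catalyst 3850 IOS-XE releases, and egress policing on an SVI is not supported on every release, so check `police ?` and `show policy-map interface` on the actual box before relying on it.

```cisco
! ================= HQ Catalyst 6500 =================
! 1. Identify guest-sourced packets arriving from the MPLS
!    (assumed: the branch guest subnet is 192.168.50.0/24)
ip access-list extended GUEST-SRC
 permit ip 192.168.50.0 0.0.0.255 any
!
! 2. Policy-route only those packets to FW1 (assumed inside address 10.1.1.2).
!    Anything the route-map does not match falls through to normal routing,
!    so corporate traffic keeps using the existing default route untouched.
route-map GUEST-TO-FW1 permit 10
 match ip address GUEST-SRC
 set ip next-hop 10.1.1.2
!
! 3. Apply the policy on the interface that faces the MPLS CE router (assumed name).
!    PBR evaluates packets entering this interface, which is the direction
!    guest traffic arrives from the branch.
interface GigabitEthernet1/1
 description To ISR4331 MPLS CE
 ip policy route-map GUEST-TO-FW1
!
! ================= Branch Catalyst 3850 =================
! 4. Guest ACL: allow DHCP to reach the relay/server, block all RFC 1918
!    destinations (the internal network), let everything else go to the Internet.
ip access-list extended GUEST-VLAN-IN
 permit udp any any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! 5. 10 Mbps policer. class-default catches all traffic on the SVI, so no
!    class-map is needed. Rate is in bps; burst (assumed 312500 bytes, about
!    0.25 s at 10 Mbps) is in bytes. Some releases want the actions on their
!    own indented lines under "police" instead of on the same line.
policy-map GUEST-10M
 class class-default
  police 10000000 312500 conform-action transmit exceed-action drop
!
! 6. Guest SVI (assumed VLAN 50): ACL inbound, policer in both directions.
!    Corporate VLAN SVIs get no service-policy, per Kevin's advice.
interface Vlan50
 description Guest SVI
 ip address 192.168.50.1 255.255.255.0
 ip access-group GUEST-VLAN-IN in
 service-policy input GUEST-10M
 service-policy output GUEST-10M
```

To confirm it is doing what you expect: `show route-map GUEST-TO-FW1` on the 6500 counts packets that were policy-routed (a zero counter while guests are browsing means the ACL or interface is wrong), and `show policy-map interface vlan 50` on the 3850 shows conform and exceed counters for the policer. One caveat a guest ACL of this shape carries: if guests are handed an internal DNS server by DHCP, name resolution will be blocked by the 10/8 deny, so either give guests public resolvers or add a `permit udp any host <dns-server> eq domain` line ahead of the deny entries.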
 
cciedreamer (Author) commented:
Thanks a lot, kevinhsieh. Sorry for not mentioning HQ and Branch.

I will give policy routing a try.

But regarding policing at the branch office: I have a Cisco 3850 but I could not make it work earlier since there is a change in commands. I will need your help.
 
JustInCase commented:
If there is L3 MPLS, and if supported, create a separate VRF for the guest VLAN and isolate its traffic and routing in a separate routing instance (requires an IP Services license at least on some L3 devices).
PBR should be avoided if possible.
 
cciedreamer (Author) commented:
Hi Predrag,

Thanks.
But the service provider is not supporting VRF; they just provided a single L3 link.
 
cciedreamer (Author) commented:
I did a new design. Please have a look and advise whether this design is efficient.
NetworkDesign.png
 
Craig Beck commented:
Can you not ask your ISP to provide a second VPN over the MPLS for your Guest traffic?
 
cciedreamer (Author) commented:
The selected ISP has limited options for us; that is why I don't think any other kind of VPN will work.
 
kevinhsieh commented:
@Predrag Jovic, why should policy based routing be avoided?
 
kevinhsieh commented:
I don't see how the addition of the firewall at the branch changes anything at all. Unless you have another firewall not pictured at the main office, you will still have the same routing problem at the main office that you had before. If there were 2 firewalls, maybe you could do an IPsec tunnel between them, but I don't really see the point. Just put an ACL on the branch L3 switch to prevent the guest network from accessing any of the internal IP address space. Simple and effective.
 
cciedreamer (Author) commented:
Hi Kevin,
The firewall will at least help in detecting and inspecting traffic, scanning for malicious internet traffic.
 
Craig Beck commented:
What I mean is, can the ISP add another VRF across the WAN for you?
 
cciedreamer (Author) commented:
They won't add it, Sir, I know.
Even if they wanted to, it would be a long process which might take a month.
 
kevinhsieh commented:
The firewall would be better placed at the main office where it can inspect more traffic.
 
Craig Beck commented:
The firewall would be better at both sides of the MPLS :-)

What kit do you have at each site? A GRE tunnel may work, depending on hardware.
 
cciedreamer (Author) commented:
I have a Cisco 3850 L3 switch (MPLS CE) and a Cisco ASA firewall at the branch side.
Cisco 6500 L3, Cisco ISR 4331/K9 (MPLS CE) and Cisco ASA Firepower (Internet edge).
 
kevinhsieh commented:
I personally don't see any reason for an ASA at the branch for GUEST traffic. If you want to use it to secure corporate traffic from other parts of the corporate network, that is fine. Here is the ACL I put on my guest VLANs. It blocks all traffic to internal destinations, and allows out to the Internet. If you want to have other traffic restrictions, it can be done at the perimeter firewall.

ip access-list extended GUESTS-VLAN-IN-ACL
 permit udp any any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any

 
Craig Beck commented:
I agree, an ACL is a simple solution, but it's not great.

A GRE tunnel is doable and would sort the routing headache.

Saying that, you have a firewall at each side, so why not just stick an IPsec VPN between the two and only allow guest traffic through it?
 
cciedreamer (Author) commented:
Hi,
That is doable too. I'll go with DMVPN with IPsec. Router to router, no routing headache.
 
cciedreamer (Author) commented:
This might be an off-topic discussion.
I would love to hear from our experts the difference between an ACL on a layer 3 switch compared to an ASA firewall.
Question has a verified solution.