Network Design Help

Hello Experts,

Our Main and Branch Office is connected via 30 Mbps MPLS IP VPN . The internet services are centralized at HQ. We have got two separate internet circuits at HQ dedicated for Business and HQ.
My requirements will be as follows as per the attached diagram
- Guest Internet traffic should go through via FW1
- Corporate traffic should follow default route  currently configured on L3 switch at HQ
- To configure Policing on Branch Office L3 switch. Corporate Traffic 20 Mbps and Guest Traffic 10 Mbps

I would appreciate any help and suggestions.
NetworkDesign.png
cciedreamerAsked:

kevinhsiehCommented:
Your diagram doesn't show which is HQ and which is branch. I am assuming that the left side of the MPLS is HQ, and the right side is the branch.

To get the guest traffic going out the correct firewall, use policy based routing. Match against the source IP addresses used by the guests. This is done on the corporate switch's MPLS interface. https://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html

Corporate traffic will use normal routing to go out the default route.

On the branch switch, I would not police corporate and guest traffic, as that would hard limit how much traffic corporate can generate, even if the guest network isn't being used. You can put a 10 Mbps policing policy in both directions of the branch guest SVI. That will keep that traffic in line with what you want. Don't forget to put an ACL on the guest SVI so that the devices can't access any other internal parts of the network.
0
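Added example (not posted in the thread) of the policy-based routing described above, for a Cisco IOS L3 switch at HQ. The guest subnet, the FW1 inside address and the interface name are constructed placeholders; FW1 must also have a route back to the guest subnet via the HQ switch or return traffic will be dropped.

```cisco
! HQ L3 switch (assumed Cisco IOS / 6500 syntax). Constructed values:
!   branch guest subnet  192.168.100.0/24
!   FW1 inside address   10.1.1.1 (directly connected to the HQ switch)
!   MPLS-facing interface GigabitEthernet1/1 (where branch traffic arrives)
ip access-list extended GUEST-SOURCES
 permit ip 192.168.100.0 0.0.0.255 any
!
route-map GUEST-TO-FW1 permit 10
 match ip address GUEST-SOURCES
 set ip next-hop 10.1.1.1
!
! Packets that match no route-map entry fall through to the routing table,
! so corporate traffic keeps following the existing default route.
! PBR only applies to packets entering this interface.
interface GigabitEthernet1/1
 description To MPLS CE - branch traffic enters here
 ip policy route-map GUEST-TO-FW1
!
! Verification (exec, not config): the policy counters should increment
! only for guest-sourced packets.
!   show route-map GUEST-TO-FW1
!   show ip policy
```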

cciedreamerAuthor Commented:
Thanks a lot, kevinhsieh. Sorry for not mentioning HQ and Branch.

I will give a try with policy routing.

But regarding policing on branch office I have Cisco 3850 but I could not make it work earlier since there is change in commands. I will need your help.
1
JustInCaseCommented:
If there is a L3 MPLS - if supported - create separate vrf for guest VLAN and isolate its traffic and routing in separate routing instance (requires IP services license at least on some L3 devices).
PBR should be avoided if possible.
0
cciedreamerAuthor Commented:
Hi Predrag

Thanks
But service provider is not supporting VRF they just provided single L3 link
1
cciedreamerAuthor Commented:
I did a new design, please have a look and advise your valuable suggestion whether this design is efficient.
NetworkDesign.png
0
Craig BeckCommented:
Can you not ask your ISP to provide a second VPN over the MPLS for your Guest traffic?
0
cciedreamerAuthor Commented:
The selected ISP has limited options for us, that is why I don't think any other kind of VPN will work.
0
kevinhsiehCommented:
@Predrag Jovic, why should policy based routing be avoided?
0
kevinhsiehCommented:
I don't see how the addition of the firewall at the branch changes anything at all. Unless you have another firewall not pictured at main office, you will still have the same routing problem at the main office that you have before. If there were 2 firewalls, maybe you can do an IPSec tunnel between them, but I don't really see the point. Just put an ACL on the branch L3 switch to prevent the guest network from accessing any of the internal IP address space. Simple and effective.
0
cciedreamerAuthor Commented:
Hi Kevin
Firewall will at least help in detecting and inspecting traffic, scanning malicious internet traffic.
0
Craig BeckCommented:
What I mean is can the ISP add another VRF across the WAN for you?
1
cciedreamerAuthor Commented:
They won't add it, Sir, I know.
Even if they want to, that will be a long process which might take a month.
0
kevinhsiehCommented:
Firewall would be better placed at the main office where it can inspect more traffic.
0
Craig BeckCommented:
Firewall would be better at both sides of the MPLS :-)

What kit do you have at each site?  A GRE tunnel may work, depending on hardware.
0
cciedreamerAuthor Commented:
I have Cisco 3850 L3 Switch (MPLS CE) and Cisco ASA Firewall at Branch Side
Cisco 6500 L3, Cisco ISR 4331/K9 (MPLS CE) and Cisco ASA Firepower (Internet Edge)
0
kevinhsiehCommented:
I personally don't see any reason for ASA at the branch for GUEST traffic. If you want to use it to secure corporate traffic from other parts of the corporate network, that is fine. Here is the ACL I put on my guest VLANs. It blocks all traffic to internal destinations, and allows out to the Internet. If you want to have other traffic restrictions, it can be done at the perimeter firewall.

ip access-list extended GUESTS-VLAN-IN-ACL
 permit udp any any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any


0
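Added example (not from the thread) showing the ACL above applied to the branch guest SVI together with the 10 Mbps guest policer in IOS-XE MQC syntax for the 3850. VLAN number, subnet and the uplink port are constructed; as an assumption, the policer is attached to the physical uplink port rather than the SVI, since port-level policing is the form the 3850 supports, so check the platform's QoS guide for egress policing support on your software release.

```cisco
! Branch Cisco 3850 (IOS-XE MQC). Constructed values:
!   guest VLAN 100, subnet 192.168.100.0/24
!   uplink to MPLS CE: GigabitEthernet1/0/48
! Guest SVI: the GUESTS-VLAN-IN-ACL from the post above, inbound.
interface Vlan100
 description Guest
 ip address 192.168.100.1 255.255.255.0
 ip access-group GUESTS-VLAN-IN-ACL in
!
! Classify guest traffic by source (toward the WAN) and destination (from it).
ip access-list extended GUEST-UP
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended GUEST-DOWN
 permit ip any 192.168.100.0 0.0.0.255
class-map match-any GUEST-UP
 match access-group name GUEST-UP
class-map match-any GUEST-DOWN
 match access-group name GUEST-DOWN
!
! Single-rate policers at 10 Mbps (rate in bps), drop on exceed.
! Traffic in class-default (corporate) is left unpoliced, so the corporate
! side can use the full link when the guest network is idle.
policy-map GUEST-POLICE-OUT
 class GUEST-UP
  police 10000000 conform-action transmit exceed-action drop
policy-map GUEST-POLICE-IN
 class GUEST-DOWN
  police 10000000 conform-action transmit exceed-action drop
!
! Egress toward the WAN limits guest uploads; ingress from the WAN limits
! guest downloads.
interface GigabitEthernet1/0/48
 description Uplink to MPLS CE
 service-policy output GUEST-POLICE-OUT
 service-policy input GUEST-POLICE-IN
!
! Verification (exec): conform/exceed counters per class.
!   show policy-map interface GigabitEthernet1/0/48
```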
Craig BeckCommented:
I agree, ACL is a simple solution, but it's not great.

GRE tunnel is do-able and would sort the routing headache.

Saying that, you have a firewall at each side, so why not just stick an IPSec VPN between the two and only allow guest traffic through it.
0
cciedreamerAuthor Commented:
Hi,
That is do-able too. I'll go with DMVPN with IPSec. Router to Router, no routing headache.
0
cciedreamerAuthor Commented:
This might be off topic discussion
I would love to know the difference between an ACL on a layer 3 switch compared to an ASA firewall from our experts.
1