Techrunner

asked on

Meraki SD-WAN

Greetings everyone,

I am deploying Meraki SD-WAN between 6 sites for a customer. At the moment, the customer has Sophos UTM firewall at each site terminating two DIA circuits and they want to use the internet links for SD-WAN. Sophos must inspect the traffic.

Any suggestions on the best possible way to achieve these requirements?
arnold

If the Sophos firewall is already doing it, nothing changes in terms of functionality; only the Sophos firewalls will now have a single connection from the SD-WAN router on which the two external connections terminate.

Internet1 -\
                 Meraki SD-WAN <=> Sophos UTM <=> LAN
Internet 2 -/

The functionality you are after is independent of how your devices access the Internet.
Techrunner

ASKER

We want internet traffic inbound and outbound to go via direct Sophos only without passing traffic through Meraki.
Meraki will be just for SD-WAN VPN between sites.
SOLUTION
arnold
Hi,

I want the SD-WAN traffic also to be inspected on Sophos. Meraki is not as good as an NGFW.
Your routing on the Sophos will route all Internet traffic via Internet1/2; the interface getting its feed from the SD-WAN has to be configured as the destination for your site-to-site VPN for the LANs, and you can set up dynamic routing protocol advertisement over the VPN.
We will be making a full-mesh VPN between sites, and it's easy to manage using Meraki SD-WAN.
Are you using SD-WAN because you have remote VPN?


In every configuration discussed, Sophos will be inspecting traffic passing through it.

Sophos is always the one feeding the local LAN.

Once post-inspection, it feeds through the SD-WAN,
or
it determines whether to feed out over the interfaces connected to Internet 1 or 2, or the connection to the SD-WAN if it is destined to one of the other sites.

The point of SD-WAN is to provide high-availability access that, in your case, is distributed using DNS and possibly includes a lag if your Internet 1 connection goes down.
The SD-WAN's IP will route via Internet1 or Internet2 with the user not impacted.

I guess the issue with the SD-WAN not passing Internet traffic relates to cost, based on the throughput demand of the existing traffic that it would need to handle, so you are considering limiting the SD-WAN to VPN connections only?
So basically you are recommending the attached design (MERAKI.jpg).
However, I have an issue here: Sophos has a preference for IPsec VPN routes over any other routes in the routing table. In my case, Sophos will learn two routes for the remote subnets, i.e. a static route to the SD-WAN and automatic IPsec VPN routes.
How do I manage this routing?



Not sure I understand the depiction in the image.

Are you trying to amplify your setup such that, beyond the SD-WAN VPNs, the Sophos will establish separate IPsec VPNs?

The SD-WAN VPN will merely facilitate the ability of a Sophos at each end to target an IP provided by the SD-WAN service while landing, terminating on the Sophos itself.

I do not believe the VPN terminates on the Meraki SD-WAN itself.
The IPsec VPN tunnel on Sophos will be the last backup if the SD-WAN completely fails.
Why do you insist on not chasing..

The SD-WAN is the endpoint of the feed as well as where all VPNs terminate; that gets passed to your Sophos.
https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MX_Security_and_SD-WAN/Meraki_SD-WAN
You could have an HA pair of Meraki.

Or are you talking about the failure of the SD-WAN IP provider?


Usually, the IPSec VPN will be triggered when another path
I.e. the Meraki VPN includes OSPF over the VPN.
If the SD-WAN VPN is not there, Sophos will trigger the IPsec VPN; will you have four between each site?
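A constructed model of the routing question raised above (the IPsec VPN route beating the static route toward the SD-WAN) and of the suggestion that the IPsec tunnel only come up when the SD-WAN path is gone. This is added example code, not from this thread, Sophos or Meraki; the precedence order, the remote prefix 10.20.0.0/16 and the next-hop labels are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed precedence modelling the behaviour the asker describes on Sophos:
# an IPsec VPN route wins over any other route to the same prefix (lower wins).
PRECEDENCE = {"ipsec": 0, "static": 1}


@dataclass
class Route:
    prefix: str      # destination network
    source: str      # "ipsec" or "static"
    next_hop: str    # constructed interface/peer label
    up: bool = True  # whether the path behind this route is usable


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match first, then source precedence."""
    addr = ip_address(dst)
    usable = [r for r in table if r.up and addr in ip_network(r.prefix)]
    if not usable:
        return None
    return min(usable, key=lambda r: (-ip_network(r.prefix).prefixlen,
                                      PRECEDENCE[r.source]))


def site_table(sdwan_up: bool, ipsec_always_on: bool) -> List[Route]:
    """Constructed table for one site; 10.20.0.0/16 is the assumed remote LAN.
    ipsec_always_on=True keeps the Sophos tunnel up regardless of the SD-WAN;
    False brings it up only when the SD-WAN path is down (backup-only)."""
    ipsec_up = ipsec_always_on or not sdwan_up
    return [
        Route("10.20.0.0/16", "static", "meraki-sdwan", up=sdwan_up),  # toward Meraki
        Route("10.20.0.0/16", "ipsec", "site-b-wan-ip", up=ipsec_up),  # Sophos IPsec
        Route("0.0.0.0/0", "static", "internet1"),                     # DIA default
    ]


def path_to(dst: str, sdwan_up: bool, ipsec_always_on: bool) -> str:
    """Next hop the firewall would pick for dst under the given path states."""
    r = select_route(site_table(sdwan_up, ipsec_always_on), dst)
    return r.next_hop if r else "unreachable"
```

With the IPsec tunnel always on, the remote LAN is reached over IPsec even while the SD-WAN is healthy; only when the tunnel exists solely as a backup does the static route toward the Meraki carry the traffic.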
I would go with this option:

You could have an HA pair of Meraki.
Last query for this thread: Meraki SD-WAN provides the best performance and lower latency for cloud apps like O365. If I need my LAN users to access O365 through Meraki, but the traffic should also be inspected on Sophos, what would be the best traffic routing path?
Are you sure your latency is not caused by the DPI Process?

How did you come to the conclusion that Meraki versus Sophos has less latency?

Your latency will be a function of the processing capacity of the DPI on Sophos.

Internet feeds <=> Meraki SD-WAN <=> Sophos <=> LAN
This assures that all traffic entering and leaving the LAN is enforced by your DPI.

In this setup, if the Meraki SD-WAN device fails and you only have one, the location will lose Internet access.

Are you engaging the engineers from the vendor from whom you are purchasing the Meraki devices, and the provider of the SD-WAN?
Yes, we have engaged the SD-WAN engineer and will discuss the design further.
The point is, if I need O365 traffic to go through the SD-WAN device, which is sitting behind Sophos, how would that be possible?
Behind Sophos?
Internet feed/s -> Sophos -> SD-WAN device => LAN?
versus the standard
Internet feed/s => SD-WAN device => Sophos => LAN

I do not think it is likely, or it is counter to the design, to have the SD-WAN device after the firewall.
The SD-WAN, on whichever feeds it uses, tunnels back to the provider, over which user traffic is sent.

sdwan-provider
                                   ||
Internet feed/s <=> SD-WAN <=> Firewall <=> LAN

In your scenario, the SD-WAN tunnel back to the sdwan-provider will be allowed by the Sophos FW to establish a tunnel, through which external traffic will be sent, and the SD-WAN device on premises would be doing NAT and servicing?

"Behind" is what throws me.
The Internet is the front; the individual computers are all the way back, furthest from the Internet.
Hi,
I have revised the design based on your inputs. Please check the attached (SD-WAN.jpg).
ASKER CERTIFIED SOLUTION