I've come across this requirement a few times and feel I might be missing another way to do it.
If we have a Layer3 MPLS network with multiple sites all using a centralised breakout for internet. All sites are part of the same VRF which includes the firewall itself.
Is there a way to restrict two subnets from talking to each other via the centralised firewall other than creating another separate VRF?
For example in the attached diagram we can see two subnets on the same site. I can put an ACL on the router itself on site stopping them from talking to each other but what if the customer wants the traffic to be controlled from the firewall. So any traffic from 192.168.1.0/24 to 10.0.0.0/24 has to go to the firewall and the decision to allow that traffic is done there?
My only idea on doing this is by setting up VRF-Lite on the router itself with the second subnet as part of this and then creating a seperate VRF on the core which this is placed in. Then the firewall will have two interfaces to the MPLS. One for each VRF. This doesn't seem very elegent but I'm not sure if there would be an alternative?
Thanks
No comments:
Post a Comment