I support a network that is composed of multiple MPLS links all over the country.
Some of these links are radio since the locations are remote.
Most of the MPLS uses OSPF; the CPEs are Huawei.
The network has 2 internet links, a main one at the headquarters with a Checkpoint firewall, and a backup with a shitty router.
The default route is advertised only on the main circuit; the backup is manual. At the headquarters, the L3 of the internal LANs is on the switch.
Each of the remote sites has equipment used by different vendors that I would like to isolate from the internal network. Today this is achieved with ACLs on each CPE, which honestly is hard to manage.
The firewall solution is to be replaced soon.
Now this is how I would change the network.
Buy Palo Alto for the main link.
Take the Checkpoint firewall and place it on the backup.
Maybe replace OSPF with BGP. I'd like some thoughts on this.
Create VRFs for the third-party vendors, maybe one for each or one for all vendors, and manage their access on the firewall only.
Extend dynamic routing to the firewalls instead of having static default routes. If not, at least use NQA.
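As an added illustration of the last two points (not the author's configuration; Huawei VRP syntax is assumed, the HQ edge is assumed to also be a Huawei box, and every name and address is constructed), this is roughly what a vendor VRF on a remote CPE and an NQA-tracked default route at HQ would look like:

```text
# --- Remote-site CPE: vendor equipment lives in its own VRF ---
# Lines starting with "#" are annotations, not VRP commands.
ip vpn-instance VENDOR-A
 ipv4-family
  route-distinguisher 65000:101
#
# LAN-side port for the vendor gear; bound to the VRF so it has no
# route to the internal LANs at all (no ACL needed on the CPE).
interface GigabitEthernet0/0/2
 description Vendor-A equipment, isolated from internal LAN
 ip binding vpn-instance VENDOR-A
 ip address 10.201.1.1 255.255.255.0
#
# The VRF needs its own path back to HQ (separate VLAN/VPN toward the
# carrier, or a tunnel); here a dedicated WAN sub-interface is assumed.
interface GigabitEthernet0/0/1.201
 description WAN sub-interface carrying only the vendor VRF
 dot1q termination vid 201
 arp broadcast enable
 ip binding vpn-instance VENDOR-A
 ip address 10.255.201.2 255.255.255.252
#
# Only exit for the vendor VRF is toward HQ, where the firewall
# is the single place vendor access is permitted or denied.
ip route-static vpn-instance VENDOR-A 0.0.0.0 0.0.0.0 10.255.201.1
#
# --- HQ edge (assumed Huawei): probe the main firewall, fail over ---
nqa test-instance admin fw-main
 test-type icmp
 destination-address ipv4 192.0.2.1
 frequency 10
 probe-count 3
 timeout 2
#
nqa schedule admin fw-main start now end never
#
# Primary default via the main firewall's inside address, withdrawn
# automatically when the probe fails; backup default via the old
# router with a worse preference (VRP static default preference is 60).
ip route-static 0.0.0.0 0.0.0.0 192.0.2.1 track nqa admin fw-main
ip route-static 0.0.0.0 0.0.0.0 192.0.2.254 preference 100
```

Tracking the firewall's inside address only proves the firewall is up, not that the internet behind it works; probing an address past the firewall catches upstream failures too but needs a host route so the probe itself cannot be answered via the backup.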