Monday, March 15, 2021

Struggling with VRF-Lite

I manage a network of 15 sites connected via dark fibre and point-to-point wireless. All routers and switches are Cisco. Remote sites are running router-on-a-stick, and two geographically diverse sites are collapsed core and connected to the internet via Palo Alto firewalls.

I’m using OSPF as our IGP and static routes to the ISP (no BGP, only a /28 incoming which the provider statics to us). Each site gets a number of subnets for various things such as data, voice, staff Wi-Fi, public Wi-Fi, etc. I’m currently managing security for all of these with a very long list of ACLs, which are beginning to be unmanageable.

I’d really like to move to VRFs, as I think it would be much simpler to just spin up a new VRF when something needs to be segregated. I’m just struggling with figuring out how to migrate from what I’ve got. Ideally I’d like every VRF to maintain the backhaul routing that is currently handled by OSPF and all other traffic to be separated except for what is leaked.

A lot of the examples I’ve seen of VRF-lite involve either a bunch of static routes or making a heap of parallel backhaul connections for each VRF which seems just as difficult to manage as the existing ACLs.

I’ve since discovered the “route-replicate” command, which seems like it might do what I want. Would it be recommended to move all of the backhaul connections to their own VRF and then use route-replicate for that into any other VRFs, including the global? Should I just go whole hog BGP/MPLS everywhere? Is there some sort of staged migration I could do? Is there some way I could use the VRFs to bring back some of the remote site subnets to terminate on the firewall instead and do rules there?
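As an added illustration (not configuration from the original post or from any of the 15 sites), the following IOS-XE style fragment sketches the layout the question proposes: one VRF that owns only the backhaul links and runs OSPF, with route-replicate copying that table into each segment VRF and into the global table. The VRF names (BACKHAUL, DATA, GUEST), interface names, prefixes, route-map and prefix-list names, and OSPF process ID are all assumptions chosen for the example.

```cisco
! Added example, not the poster's running configuration. VRF names,
! interfaces, prefixes and the OSPF process ID are placeholders.
!
! The backhaul VRF holds every inter-site link and is the only VRF
! that runs OSPF across the network.
vrf definition BACKHAUL
 address-family ipv4
 exit-address-family
!
! Segment VRFs receive a copy of the OSPF-learned backhaul routes.
! The route-map restricts what is copied, so a segment VRF only gets
! the transit prefixes it needs rather than every route BACKHAUL knows.
vrf definition DATA
 address-family ipv4
  route-replicate from vrf BACKHAUL unicast ospf 1 route-map BACKHAUL-ONLY
 exit-address-family
!
vrf definition GUEST
 address-family ipv4
  route-replicate from vrf BACKHAUL unicast ospf 1 route-map BACKHAUL-ONLY
 exit-address-family
!
! The global table gets the same copy, so anything not yet moved into
! a VRF keeps working during a staged migration.
global-address-family ipv4 unicast
 route-replicate from vrf BACKHAUL unicast ospf 1 route-map BACKHAUL-ONLY
!
! Only the transit range (placeholder 10.255.0.0/16) is eligible for
! replication; site user subnets never leak through this path.
ip prefix-list BACKHAUL-PFX seq 10 permit 10.255.0.0/16 le 30
!
route-map BACKHAUL-ONLY permit 10
 match ip address prefix-list BACKHAUL-PFX
!
! Backhaul link toward the next site: lives in BACKHAUL and speaks OSPF.
interface GigabitEthernet0/0/0
 vrf forwarding BACKHAUL
 ip address 10.255.1.1 255.255.255.252
 ip ospf 1 area 0
!
router ospf 1 vrf BACKHAUL
 router-id 10.255.1.1
!
! Site-local router-on-a-stick subinterfaces sit in their segment VRF.
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 vrf forwarding DATA
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/0/1.20
 encapsulation dot1Q 20
 vrf forwarding GUEST
 ip address 10.20.1.1 255.255.255.0
```

What this does and does not give you: replicated routes are usable for forwarding, so DATA and GUEST can send packets out the BACKHAUL interface toward the transit links without any static routes or per-VRF backhaul subinterfaces. It does not, by itself, carry the DATA or GUEST prefixes of the other sites into those VRFs, and once a packet is on a link that belongs to BACKHAUL the remote router looks it up in the BACKHAUL table, so the transit path cannot tell the segments apart. In other words, with a shared-backhaul-VRF design the segregation is only as strong as the replication filters on every router, which is the same enforcement burden as the ACLs it replaces. Keeping segments separate end to end over shared links needs either one subinterface and OSPF process per VRF on each backhaul link (the "parallel connections" approach) or MPLS/BGP L3VPN labels. A common middle ground that matches the last question above is to let each segment VRF's default route point at a firewall subinterface and enforce inter-segment policy there, so the rules live in one place rather than on every remote router.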


