Saturday, April 13, 2019

SD-WAN router/edge device placement?

I need your opinion here regarding SD-WAN topology and edge placement. To narrow the discussion, let's only consider the VeloCloud or Viptela SD-WAN solutions.

The customer has branch offices and a central colo DC. Both the branches and the DC have an NGFW/UTM deployed at the network edge. The small branches have dual Internet links, and the big branches have Metro Ethernet in addition to a single Internet link.

While designing SD-WAN for this customer, I am struggling a little bit with the placement of the SD-WAN edge in relation to the existing NGFW... The customer is in the financial industry, and their security team is fairly picky about traffic flow and inspection...

My current design for the small office is to put the SD-WAN device in front of the NGFW, facing the Internet. This way, dual-Internet load balancing and failover are covered, and traffic going to and from the branch LAN can still be inspected by the NGFW.

For both the big branch and the DC, I am thinking of putting the SD-WAN device behind the Internet-facing NGFW. The Metro Ethernet will connect directly to the SD-WAN devices, which route traffic to the NGFW for further inspection before it reaches the LAN. A NAT exemption will be configured on the NGFW for this traffic. Traffic to and from the Internet will naturally be inspected by the NGFW as well.

Does this make sense? Any suggestions?

I wish there were an SD-WAN device that comes with NGFW/UTM features...
