Thursday, July 9, 2020

Transitioning from L2 + FWSM to L3 + Palo Alto

I inherited a large, ancient infrastructure that was half-migrated from L2->OSPF (from the core routers to the TOR switches). The remaining half is critical infrastructure and is all routed through an FWSM(...) that sits a hop behind the WAN, homes all the VLANs to the TORs, and provides very basic firewall services between LAN/WAN--as well as between the LAN subnets it hosts.

I came into a hand-me-down pair of Palo Altos and realize I need to finish that L3 migration in order to reasonably set them up in an active-active config.

There are no stupid questions, but this is probably a stupid question:

I'm used to all the "critical infrastructure" traffic routing through the FWSM. I get that the L7 inspection is more than capable of handling traffic if it passes through the Palo Alto, but I'm not so sure the traffic will route through them without doing OSPF metric fuckery? That seems like a bad idea if the routes wind up "misconfigured" down the line.

The racks themselves are all heterogeneous in terms of subnet/function. Could reorganize. Either way, am I looking at adding a firewall on top of each TOR just to control the inter-VLAN traffic currently handled by the FWSM?
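Added illustration (not configuration from the post, and not vendor-supplied config): the usual way to get traffic through a firewall without OSPF metric games is to make the firewall the L3 gateway for the subnets it protects, the same role the FWSM plays today. The TOR keeps those VLANs at L2 only (no SVI), trunks them up to the Palo Alto, and learns the prefixes from the Palo Alto over a routed point-to-point link. Because the prefixes exist only as connected routes on the firewall, every path to them, including inter-VLAN traffic between two protected subnets, has to cross it; no cost tuning is involved. Interface names, VLAN IDs, addresses and router IDs below are assumed, and a single firewall is shown (active-active HA adds floating IPs on the VLAN interfaces, which is not covered here).

```text
! --- TOR switch (NX-OS style, assumed names/addresses) ---
! Routed uplink toward the Palo Alto; this is the only place
! the TOR learns the critical prefixes from.
interface Ethernet1/49
  no switchport
  ip address 10.255.0.2/30
  ip ospf network point-to-point
  ip router ospf 1 area 0.0.0.0

! Critical VLANs stay pure L2 on the TOR: no SVI, no gateway here.
vlan 100
  name critical-a
vlan 101
  name critical-b
interface Ethernet1/50
  description trunk to Palo Alto VLAN interfaces
  switchport mode trunk
  switchport trunk allowed vlan 100-101

router ospf 1
  router-id 10.255.255.2

# --- Palo Alto (PAN-OS set commands, assumed names/addresses) ---
# Routed link to the TOR.
set network interface ethernet ethernet1/1 layer3 ip 10.255.0.1/30

# Firewall owns the gateways for the critical VLANs, so both
# north/south and VLAN100<->VLAN101 traffic are inspected.
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 tag 100
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 ip 10.100.0.1/24
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 tag 101
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.101 ip 10.101.0.1/24

set network virtual-router default interface [ ethernet1/1 ethernet1/2.100 ethernet1/2.101 ]
set network virtual-router default protocol ospf enable yes
set network virtual-router default protocol ospf router-id 10.255.255.1
set network virtual-router default protocol ospf area 0.0.0.0 type normal
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/1 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/1 link-type p2p
# VLAN interfaces are advertised but never form adjacencies with hosts.
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2.100 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2.100 passive yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2.101 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2.101 passive yes

# Separate zones per VLAN so inter-VLAN policy is explicit, not implied.
set zone critical-a network layer3 ethernet1/2.100
set zone critical-b network layer3 ethernet1/2.101
set zone wan network layer3 ethernet1/1
```

Check on the TOR that `show ip route 10.100.0.0/24` (or the equivalent) lists only the OSPF route via 10.255.0.1 and no connected route; if a connected route appears, an SVI for that VLAN still exists somewhere and traffic will bypass the firewall. The same pattern is what makes the "firewall per TOR" question moot: as long as the TORs carry the protected VLANs at L2 only, one firewall pair can be the gateway for all of them.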

