I'm curious about what people are doing in the real world when it comes to SD-WAN designs. I currently still utilize a next-gen firewall and an SD-WAN box for site-to-site VPNs (Meraki, I know, not the greatest).
DESIGN 1:
Both the next-gen firewall and the SD-WAN box are connected to the internet. All user traffic goes through the next-gen firewall first, and either egresses straight to the internet or routes to the SD-WAN box for site-to-site VPN traffic.
The problem with this design is that we are not utilizing SD-WAN tech for internet egress traffic. Internet egress goes out ISP1, and if ISP1 fails (according to an SLA), it goes out ISP2.
DESIGN 2:
The other design only has the SD-WAN box connected to the internet. The next-gen firewall does not connect to the internet. The default route of the next-gen firewall goes out the SD-WAN box. So the SD-WAN box controls internet egress and site-to-site VPN.
How are other people designing their networks? Are they skipping the next-gen firewall completely? Do the designs I'm using seem dumb?