23. October 2024.
Toni Kuzman

Today every box has some kind of firewall daemon running, providing a certain set of security features. What if the SD-WAN service provider has built its solution on Versa boxes and that feature can't be switched off?

Well, the stateful firewall engine on a Versa box expects traffic sent out of one interface to receive its reply on the same interface, as any other firewall device would, and like any other firewall it drops traffic for which it has no matching connection state.

So what is the problem?

If a service provider builds an SD-WAN service, I would expect a transparent, scalable and reliable solution with no need to change the routing design in my network. Do you agree with me?

If yes, we are on the same page. Now take a dual-homed design with several devices and several interfaces on each of them, used to spread the workload during normal operation and to take over that workload if some of the interfaces, or a whole chassis, go out of order. You are still with me, right?

Well, since the Versa box has its firewall features switched on, achieving the goal described above means keeping IP traffic in your network strictly symmetric from and to the Versa boxes; otherwise traffic is dropped on the Versa boxes and your network does not run properly.
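To make the symmetry requirement concrete, here is a small model of a stateful firewall that pins each flow to the interface on which it was first seen, as the post describes for the Versa box. This is an added example, not Versa code; the interface names and addresses are constructed for illustration.

```python
"""Toy stateful firewall: connection state is bound to the egress interface,
so a reply that comes back through a different interface has no matching
state and is dropped. Added example; interfaces/addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet leaves through or arrives on


class StatefulFirewall:
    def __init__(self):
        # flow key (src, sport, dst, dport) -> interface the flow was pinned to
        self.flows = {}

    def outbound(self, pkt):
        """An outbound packet creates state tied to its egress interface."""
        self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.iface
        return "ALLOW"

    def inbound(self, pkt):
        """An inbound packet is accepted only if it matches an existing flow
        AND arrives on the interface that flow was created on."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed 5-tuple
        iface = self.flows.get(key)
        if iface is None:
            return "DROP (no state)"
        if iface != pkt.iface:
            return "DROP (asymmetric: state on %s, reply on %s)" % (iface, pkt.iface)
        return "ALLOW"


def reply_verdict(reply_iface):
    """Send one request out of wan1 and see what happens to the reply
    depending on which interface it returns through."""
    fw = StatefulFirewall()
    fw.outbound(Packet("10.1.1.10", 40000, "10.2.2.20", 443, "wan1"))
    return fw.inbound(Packet("10.2.2.20", 443, "10.1.1.10", 40000, reply_iface))


if __name__ == "__main__":
    print("symmetric  :", reply_verdict("wan1"))
    print("asymmetric :", reply_verdict("wan2"))
```

The second call is exactly the dual-homed failure case: the request left through one Versa box or interface, the return path chosen by the rest of the network brought the reply back through another, and the firewall has no state for it. Real firewalls key the state on more than this (protocol, TCP state, zones), but the interface binding is what forces the symmetric routing design.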

What was the workaround? A lot of BGP manipulation with Local Preference, keeping the order of matched traffic with a hierarchy of preferences per incoming/outgoing interface. Keep in mind that BGP Local Preference is propagated only inside a BGP autonomous system (AS1) and is not forwarded towards eBGP neighbors, and I had exactly such a scenario with an additional BGP autonomous system, let's call it AS2, where I needed to develop the hierarchy again with Local Preference and AS path prepending.
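The reason AS2 needs its own hierarchy is visible in a simplified BGP decision process. The model below (an added example, not the author's configuration; ASNs, next-hop names and the prefix are constructed) keeps only the two decision steps that matter here: highest Local Preference wins, then the shortest AS path. Local Preference steers AS1's exit, but an eBGP advertisement does not carry it, so AS2 ends up with a tie unless AS1 prepends on the path it wants AS2 to avoid.

```python
"""Simplified BGP best-path selection showing why LOCAL_PREF steering in AS1
does not survive the eBGP hop into AS2, and how AS_PATH prepending restores a
deterministic choice there. Added example; ASNs and names are constructed."""
from dataclasses import dataclass

AS1 = 65001  # data-center AS (constructed)


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    as_path: tuple
    local_pref: int = 100  # BGP default when the attribute is absent


def _key(r):
    # Decision steps kept from the BGP process: higher LOCAL_PREF, then shorter AS_PATH
    return (r.local_pref, -len(r.as_path))


def best_paths(routes):
    """Return the set of next hops that tie for best after these two steps.
    A set with more than one element means later tie-breakers (router-id,
    neighbor address) decide, which is what makes paths unpredictable."""
    top = max(_key(r) for r in routes)
    return {r.next_hop for r in routes if _key(r) == top}


def ebgp_export(route, sender_as, prepend=0):
    """Advertise over eBGP: LOCAL_PREF is not carried (receiver falls back to
    default), and the sender's ASN is prepended once, plus extra copies if
    prepending is configured on that session."""
    new_path = (sender_as,) * (1 + prepend) + route.as_path
    return Route(route.prefix, route.next_hop, new_path)


def as1_choice():
    # Inside AS1 the DC prefix is locally originated (empty AS path);
    # LocalPref 200 pins the preferred Versa box.
    routes = [Route("10.0.0.0/24", "versa-a", (), local_pref=200),
              Route("10.0.0.0/24", "versa-b", (), local_pref=100)]
    return best_paths(routes)


def as2_choice(prepend_on_b):
    # AS1 exports the prefix to AS2 over two eBGP sessions (edge-a, edge-b).
    via_a = ebgp_export(Route("10.0.0.0/24", "as1-edge-a", (), 200), AS1)
    via_b = ebgp_export(Route("10.0.0.0/24", "as1-edge-b", (), 100), AS1,
                        prepend=prepend_on_b)
    return best_paths([via_a, via_b])


if __name__ == "__main__":
    print("AS1 exit            :", as1_choice())
    print("AS2 without prepend :", as2_choice(0))
    print("AS2 with prepend 2  :", as2_choice(2))
```

Without prepending, AS2 sees both paths as equal and may send traffic toward AS1 through the edge that does not match AS1's Local Preference choice, which is precisely the asymmetry the Versa firewall drops. The same exercise then has to be repeated for the return direction and for every failure combination, which is the "hierarchy" the post refers to.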

Now add an internal firewall in AS2 that filters traffic before it can reach resources in the data center in AS1. Yes, it is a nightmare, but it is possible to design.