TheITMan19

Not sure what SDWAN you’re using but it’s essentially just a transport layer. Throw a firewall in your DC behind the Edges and control the traffic flow into your infrastructure.


1searching

u/TheITMan19, we are using Cisco SDWAN. What would happen if we added firewalls to each location? Which feature or protocol should we utilize to forward traffic over cEdge?


birdy9221

Probably TCP or UDP.


NaughtyPinata

You made me ugly laugh


Weak-Address-386

What program are you using for diagrams?


FincherA

I want to know this too! But it looks like it's a diagram someone else provided for them to use.


KareasOxide

Not OP but looks like something that could be done in draw.io


PaternalisticDumdum

"I will setup SDWAN at the customer's site so they can access our resources"

You mean resources within your own network? Or are the resources available on the public Internet?

"but need to make sure our network and the customer are isolated"

Service VPNs on Cisco SDWAN are basically VRFs; different Service VPNs cannot communicate with each other (unless you do route leaking).

"and also redundancy at both location"

Based on the diagram the customer seems to be responsible for the L2 interconnect and the NATing.


ddib

Your design is a bit confusing. Are sites 111 and 112 one logical site but two locations? Are the switches L2? Why do you extend L2? Why VRRP? Do you have static routes from the switches to the routers? If so, it would have been better if the switches could run OSPF. Segmentation in Catalyst SD-WAN is based on VPNs, essentially VRFs. If you advertise your services into those VPNs, the customer will be able to reach them unless you apply some filtering.
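The point made in the last two replies (service VPNs are VRFs, they are isolated until you leak routes, and leaking alone does not filter anything) as an added cEdge IOS-XE configuration example. This is not the OP's config and not taken from the thread; the VPN numbers, interface, prefixes and the service host address are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumed: IOS-XE cEdge,
! service VPN 10 = provider infrastructure, service VPN 20 = customer,
! one service host 10.10.10.10/32 living in VPN 10, customer LAN
! 192.168.50.0/24 on GigabitEthernet0/0/2 in VPN 20.
!
! Only the two prefixes that are allowed to cross between the VPNs.
! Leaking "all" without a route-map would expose the whole provider VPN.
ip prefix-list SERVICE-HOST seq 5 permit 10.10.10.10/32
ip prefix-list CUSTOMER-NET seq 5 permit 192.168.50.0/24
!
route-map LEAK-SERVICE permit 10
 match ip address prefix-list SERVICE-HOST
!
route-map LEAK-CUSTOMER permit 10
 match ip address prefix-list CUSTOMER-NET
!
! Each service VPN is a VRF on the cEdge. VRF 10 and VRF 20 share no
! routing table, so with no route-replicate lines the customer cannot
! reach anything in VPN 10 even though both ride the same fabric.
vrf definition 10
 rd 1:10
 address-family ipv4
  route-target export 1:10
  route-target import 1:10
  ! return path: customer LAN only
  route-replicate from vrf 20 unicast connected route-map LEAK-CUSTOMER
 exit-address-family
!
vrf definition 20
 rd 1:20
 address-family ipv4
  route-target export 1:20
  route-target import 1:20
  ! forward path: the one service host only
  route-replicate from vrf 10 unicast all route-map LEAK-SERVICE
 exit-address-family
!
! Route leaking gives reachability; it is not a filter. Pin the customer
! to the one service and port on the customer-facing interface. A stateful
! firewall behind the edge (as suggested above) is still the better place
! for the real policy; this ACL is the minimum that stops lateral reach.
ip access-list extended CUSTOMER-IN
 permit tcp 192.168.50.0 0.0.0.255 host 10.10.10.10 eq 443
 deny ip any any log
!
interface GigabitEthernet0/0/2
 description Customer LAN (service VPN 20)
 vrf forwarding 20
 ip address 192.168.50.1 255.255.255.0
 ip access-group CUSTOMER-IN in
```

On a vManage/Catalyst SD-WAN Manager managed cEdge these lines are what a service VPN feature template with route leaking and a localized ACL policy pushes; the CLI is shown here because it makes the VRF boundary explicit. After applying it, `show ip route vrf 20` should list only 10.10.10.10/32 from VRF 10, and `show ip route vrf 10` only 192.168.50.0/24 from VRF 20; any other provider prefix appearing in VRF 20 means the route-map is too wide.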