Hello Laz,
Reference my previous question (Cisco ASA Site-to-Site IKEV1 IPsec VPN). I have managed to get site-to-site vpn working over a public IP between site A and site B.
Now, i am working on laying a fiber cable connecting both Site A and Site B and my question is,
I do have an ASA firewall at both sites and also L2 switches. I want to know the best option/equipment to terminate the fiber. And how to go about the configuration.
What are the configuration steps in case i want to terminate on ASA?
Also if i want to terminate on the L2 Switch, how do i go about the configuration.
If you are going to replace the VPN with a fiber link, then the use of a firewall to terminate the fiber is not recommended. Firewalls should be placed at the edge of the network, connecting to the ISP and the Internet. Technically you can use the firewalls to terminate the fiber, but their functionality would be lost on such a private WAN link.
If you are going to have a private fiber connection between your sites, the best thing to do is to terminate it on a router at each end or on an L3 switch at each end. This will allow you to employ routing, so that any traffic (typically broadcast traffic) meant to stay within your site should stay there.
Depending on the type of fiber link, you may have a “dark fiber” link where there is no ISP equipment on the link itself, and you can terminate it directly onto your equipment, or you may have a “lit fiber” link, where the ISP terminates the fiber and provides you with an Ethernet interface to connect your equipment to.
In the first case, you must terminate the fiber optic cable onto your equipment, which can be done using an SFP connector on a switch or router that has an SFP interface. The following image shows an SFP transceiver and how it is installed in the appropriate switch port:
Keep in mind that the type of fiber optic cable (mutli mode (MM) or single mode (SM)) should match the type of transceiver used.
Beyond the physical connection, there are no specialized configurations that are necessary for terminating fiber optic cable onto a switch. The port can be configured in the same way as you configure any copper Ethernet port.
If you do end up terminating on an ASA, the ASA must have an available SFP port and transceiver. The configurations would be similar to what you would configure on an Ethernet port.
Remember that if you do end up using the firewall, you won’t need any VPN configurations. Since the fiber functions as if it is part of your private LAN, the security and VPN features that you used to connect over the Internet are no longer needed, and would only add unnecessary overhead to your link. Treat such a connection as you would any other internal connection in your enterprise network.
Thank you very much for your response.
So it is a “dark fiber” link as we avoided having ISP equipment. We are using a converter (MC200CM Media Converter) at both ends so pretty much that is been taken care of.
On the configuration part, am wondering; if there is a need to configure a VLAN and assign the port where the fiber is terminated to the VLAN then make it a Trunk link. With this, i can allow other VLANs on this trunk port in order to carry all the traffics and same will be done on the other site. What is your thought on this please?
I am open for better ideas. And would appreciate some config syntax.
Typically, it is best practice to make a WAN link a routed link. If you make the fiber link a trunk, then this means that you are creating subnets that span both sites. So you have some devices at location A on VLAN 10 and some devices at location B on the same VLAN 10. This will cause broadcast traffic to needlessly traverse the fiber link. By terminating the WAN link on a routed port, you are eliminating this.
Now this is best practice, but there are situations where it may be beneficial for you to span your VLANs across multiple sites. If you have few hosts at each site, and your link is fast enough (a fiber link would probably be fast enough) then any detrimental affects of such a topology would probably not cause any problems. But it all depends on your needs and your topology.
Before getting into any configurations, the first thing that must always be done ( in any network design project) is to put down on paper the network topology, the number of hosts, the particular subnets you will be requiring, the estimated bandwidths per subnet/service that you predict, the location of routing, and the types of services that will be running on the network. These must be decided upon and documented before getting to configurations.
However, if you have a specific requirement for a particular part of the network for which we can direct you to a particular lesson that will help you in your configurations, please let us know.
