L2/L3 Site-to-Site via Fiber Cable Connection

Hello Samuel

If you are going to replace the VPN with a fiber link, then the use of a firewall to terminate the fiber is not recommended. Firewalls should be placed at the edge of the network, connecting to the ISP and the Internet. Technically you can use the firewalls to terminate the fiber, but their functionality would be lost on such a private WAN link.

If you are going to have a private fiber connection between your sites, the best thing to do is to terminate it on a router at each end or on an L3 switch at each end. This will allow you to employ routing, so that any traffic (typically broadcast traffic) meant to stay within your site should stay there.

Depending on the type of fiber link, you may have a “dark fiber” link where there is no ISP equipment on the link itself, and you can terminate it directly onto your equipment, or you may have a “lit fiber” link, where the ISP terminates the fiber and provides you with an Ethernet interface to connect your equipment to.

In the first case, you must terminate the fiber optic cable onto your equipment, which can be done using an SFP connector on a switch or router that has an SFP interface. The following image shows an SFP transceiver and how it is installed in the appropriate switch port:
image
Keep in mind that the type of fiber optic cable (multimode (MM) or single-mode (SM)) should match the type of transceiver used.

Beyond the physical connection, there are no specialized configurations that are necessary for terminating fiber optic cable onto a switch. The port can be configured in the same way as you configure any copper Ethernet port.

If you do end up terminating on an ASA, the ASA must have an available SFP port and transceiver. The configurations would be similar to what you would configure on an Ethernet port.

Remember that if you do end up using the firewall, you won’t need any VPN configurations. Since the fiber functions as if it is part of your private LAN, the security and VPN features that you used to connect over the Internet are no longer needed, and would only add unnecessary overhead to your link. Treat such a connection as you would any other internal connection in your enterprise network.

I hope this has been helpful!

Laz
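The following is an added example (not part of Laz's reply) of what "terminate on an L3 switch at each end and route" looks like in Cisco IOS syntax, with an ASA variant for the case where the fiber does land on the firewall. Interface names, the 10.255.0.0/30 link subnet, the 10.10.0.0/16 and 10.20.0.0/16 site prefixes and the optic type are all assumptions; substitute your own.

```cisco
! ---- Site A, L3 switch: the SFP port is a routed port, not a trunk ----
! Treating the link as a routed /30 (rather than stretching a VLAN across it)
! is what keeps each site's broadcast traffic inside that site.
interface TenGigabitEthernet1/1/1
 description Dark fiber to Site B (SM fiber, 10GBASE-LR optic)
 no switchport
 ip address 10.255.0.1 255.255.255.252
 no shutdown
!
! Static route to Site B's LAN via the far end of the link
ip route 10.20.0.0 255.255.0.0 10.255.0.2
!
! ---- Site B, L3 switch: mirror image ----
interface TenGigabitEthernet1/1/1
 description Dark fiber to Site A (SM fiber, 10GBASE-LR optic)
 no switchport
 ip address 10.255.0.2 255.255.255.252
 no shutdown
!
ip route 10.10.0.0 255.255.0.0 10.255.0.1
!
! ---- Checks (run on either switch) ----
! show interfaces transceiver        <- confirm the optic is the expected type (LR = single-mode) and light levels are sane
! show ip interface brief | include TenGigabitEthernet1/1/1   <- up/up
! ping 10.255.0.2                    <- far end reachable across the fiber
! ping 10.20.1.1 source 10.10.1.1    <- far site's LAN reachable via the static route
!
! ---- ASA variant, if the fiber must terminate on the firewall ----
! Plain interface plus a static route; no crypto map / tunnel-group is needed,
! because the fiber is private and the VPN only added overhead.
interface GigabitEthernet1/1
 nameif siteb_link
 security-level 100
 ip address 10.255.0.1 255.255.255.252
 no shutdown
!
route siteb_link 10.20.0.0 255.255.0.0 10.255.0.2
```

If both sites later grow beyond a single prefix each, replace the static routes with OSPF or EIGRP on the /30; the interface configuration itself does not change.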