2 Fireboxes, 1 WAN on 1 firebox, 2 WANs other firebox, 1 metro-E between


We have a setup that I am not satisfied with and am looking for advice on our setup:

Location 1
m4600 active/passive cluster (both with additional 1x(4x10Gb fiber module))
WAN (2) - Fiber Internet 100 Mbps x 100 Mbps, Cable modem 300 Mbps x 20 Mbps
Metro-E - 100 Mbps (connects to location 2)

Location 2
m670 active/passive cluster (both with additional 1x(4x10Gb fiber module))
WAN (1) - Cable Modem 300 Mbps x 20 Mbps
Metro-E - 100 Mbps (connects to location 1)

All Fiber connections are converted to copper at their demarc, though we are trying to change that. FYI, the metro-E is a private connection via ISP. VLANs are allowed on the metro-E interfaces.

Because of the low latency, we would like to use the Fiber Internet for both locations' VoIP and other low-latency traffic. We would like to use the cable modems as failover and low-priority/data traffic. We have about 650 people that use the internet with spikes throughout the day. I am not so much worried about getting recommendations on internet increases (we are working on those) as I am about getting information about how to connect/do the routing for the two firebox clusters.

Does anybody have any thoughts? We are a school and are just trying to get some other opinions.

Thank you in advance.


    SD-WAN will allow you options on sending desired traffic out the fiber WAN interface at Location 1.

    At Location 2, if the metro-E is set as an external interface, then I think that SD-WAN can work here too to send desired traffic out the metro-E interface to Location 1.

    Hopefully others will chime in here.
    And, you can open a support incident to get specific recommendations from a WG rep.

    Thank you.

    Can you have multiple interfaces connected to the same metro-E interface? One being external and one being trusted or optional? I was thinking maybe we could have one interface at location 2 configured as the external interface and getting directed towards the metro-E then out the fiber WAN at location 1. However, we also have internal traffic that needs to go over the same metro-E connection. So maybe a second interface on location 2 and location 1 that is trusted or optional to pass the traffic? Or maybe even custom...

    I'm not sure.
    That is a question for your metro-E supplier.
    If the subnets are different at each end of the metro-E connection, then I would not think that allowing packets that you consider to be trusted/optional over the metro-E and also allowing traffic that you consider to be external would be impossible.
    You would just need to make sure that your Dynamic NAT entries do not apply to traffic at Location 2 going out the metro-E link - so that those packets would keep their real source IP addrs.
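The behaviour the reply above describes (site-to-site traffic crossing the metro-E untouched by dynamic NAT, low-latency traffic from Location 2 handed to Location 1 with its real source address and NATed once on the fiber, everything else out the local cable modem) can be checked against a small model. This is an added Python example, not part of the thread and not a Firebox configuration; the subnets, public addresses and the port set treated as low-latency are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology; all addresses are assumptions
# (RFC 5737 documentation ranges), not the poster's real addressing.
SITES = {
    "loc1": {"lan": ip_network("10.1.0.0/16"),
             "fiber": "203.0.113.10", "cable": "198.51.100.10"},
    "loc2": {"lan": ip_network("10.2.0.0/16"),
             "fiber": None, "cable": "198.51.100.20"},
}
# Assumed low-latency class: SIP signalling plus an assumed RTP port range.
LOW_LATENCY_PORTS = {5060, 5061} | set(range(10000, 20001))

def site_of(src):
    return next(s for s, v in SITES.items() if ip_address(src) in v["lan"])

def internal(dst):
    return any(ip_address(dst) in v["lan"] for v in SITES.values())

def next_hop(site, src, dst, dport, fiber_up):
    """One firebox's decision: (egress interface, source address after NAT)."""
    if internal(dst):
        # Site-to-site traffic rides the metro-E as trusted: no dynamic NAT.
        return "metro-e", src
    if dport in LOW_LATENCY_PORTS and fiber_up:
        if SITES[site]["fiber"]:
            # Location 1's dynamic NAT must also cover Location 2's subnet,
            # because handed-off packets arrive with their real source address.
            return "fiber", SITES[site]["fiber"]
        # No local fiber: hand off over the metro-E, keeping the real source
        # so that Location 1 can NAT it once on its fiber interface.
        return "metro-e", src
    return "cable", SITES[site]["cable"]   # bulk traffic, or failover when fiber is down

def path(src, dst, dport=443, fiber_up=True):
    """Walk a packet hop by hop; returns [(site, egress, source_after_hop), ...]."""
    site, hops = site_of(src), []
    while True:
        egress, src = next_hop(site, src, dst, dport, fiber_up)
        hops.append((site, egress, src))
        if egress != "metro-e" or internal(dst):
            return hops
        site = "loc1" if site == "loc2" else "loc2"   # arrived at the far firebox
```

Toggling `fiber_up` shows the failover case: Location 2's low-latency traffic falls back to its own cable modem rather than crossing the metro-E.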

    What happens if the VLANs are, for the most part, different, but then some of them are the same? All of the subnets are different though. Does that change the dynamic? We can adjust just about anything, but I am just wondering if that creates an untenable situation.

    Open a support incident and get a recommendation from a WG rep.

