topic Re: Terminating VRF on the firewall in Network Security

Terminating VRF on the firewall

BirkJones7747 — Fri, 07 Jun 2019 20:49:26 GMT

What is the best practice of having VRF configured on nexus 7k, with several subnets(VLAN interfaces) but termination on the firewall? At least how to have those configured from the firewall perspective?

I have different security zones to be configured with different subnets and vlans.

Actually the firewall has sub-interfaces and the default gateway is on the firewall. What I want to do is to have the default gateway moved to the nexus, under a VRF and be sent to the firewall for inter-vrf policy processing.

Shall the firewall have the same sub-interfaces? Any insight would be much appreciated.

Thanks

Jones

Re: Terminating VRF on the firewall

Marvin Rhoads — Sun, 09 Jun 2019 02:38:39 GMT

Yes - the firewall can keep a subinterface per VRF. You just need to update the routing in the Nexus VRFs to make the ASA the next hop for inter-VRF communications. You can do it with either static or dynamic (e.g., OSPF, EIGRP) routing.

Re: Terminating VRF on the firewall

BirkJones7747 — Tue, 11 Jun 2019 21:57:15 GMT

Under one VRF I have multiple subnets. Like vlan 200, 210 and 300

So here are my questions:

on the nexus:

1. I would have these three interface vlans under the VRF.

2. Should the link connected to the firewall be a trunk port, trunking those vlans?<--- What is the best practice?

3. on the firewall there is no VRF configured. only sub-interfaces for each vlan, how should those be configured?

4. under that VRF then what is the next hop for inter-vrf communications?

Thanks

Re: Terminating VRF on the firewall

Marvin Rhoads — Wed, 12 Jun 2019 02:14:39 GMT

For VLANs in a given VRF, the firewall is not involved. Only between VRFs. Typically we add a "Transit" VLAN to each VRF to connect to the firewall and it is via that subnet that inter-VRF traffic flows.

Either a trunk or separate physical interfaces is fine. Most people choose a trunk (may or may not be part of an Etherchannel to increase throughput and availability) with subinterfaces.

On the firewall subinterfaces are configured one per VLAN (e.g., the transit VLAN for each VRF).

The next hop in each VRF's routing table is the firewall subinterface address for the transit VLAN associated with that VRF.

Re: Terminating VRF on the firewall

BirkJones7747 — Wed, 12 Jun 2019 15:55:51 GMT

Hello Marvin

I have those three vlans under a VRF:

200,210,300

as per your recommendations, I should have vlan 555 for example as a transit vlan which is a subnet shared between the nexus interface and the firewall. So on the firewall there would a sub-interface like ethernet0/1.555, am I correct?

So VRF-A has those interface vlans 200,210,300, while VRF-B has 100,200, and 300

so for VRF-B I will again have a transit vlan 666 and have the sub-interface on the firewall? right?

on the nexus I have a 10G port eth1/15, so I will trunk all the required vlans or only the transit vlans?, should the port eth1/15 have sub-interface as well? like eth1/15.555 and eth1/15.666 for the respective transit vlans and trunk on those respective vlans 555 and 666?

Thanks
Jones