https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224771#M3712 <P>it's well known fact that FNs r not part of the Fabric in supported designs as well as VPNv4 BGP AIF Option A is used for BN-FN peering. it doesnt bring any matter to analysis yet to be done. as i said above: start with investigation on FNs of how default route gets injected into VRF.&nbsp;<BR />UPD. i guess simplest way for u would be replacing target VRF's interconnect on FNs from that toward Core to&nbsp; one toward new FW. Injection of default route into VRF on FNs is matter of technique.</P> Fri, 15 Nov 2024 10:06:23 GMT Andrii Oliinyk 2024-11-15T10:06:23Z https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224716#M3709 <P>Hi,</P><P>We have a requirement where we need to route single VRF (SSOL_Vrf) Traffic in SDA Fabric. Currently all vrf traffic is being forwarded based on default route, as a new requirement we need to forward it to new&nbsp; firewall being a part of SDA Fabric.</P><P>Sharing topology below for your reference and Border1 and&nbsp; Fusion 1 switch Configuration for review</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="otgnwp_0-1731647523699.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/233892i7971E161C061B85D/image-size/medium?v=v2&amp;px=400" role="button" title="otgnwp_0-1731647523699.png" alt="otgnwp_0-1731647523699.png" /></span></P><P>Thanks in advance</P><P>&nbsp;</P><P>Regards,</P><P>Mohammed Asif</P> Fri, 15 Nov 2024 05:16:28 GMT https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224716#M3709 otgnwp 2024-11-15T05:16:28Z https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224723#M3710 <P>i'd start with analysis of how default route currently injected into VRF (FNs would be good place to start) &amp; then develop action plane to replace it with one from new FW.&nbsp;</P> Fri, 15 Nov 2024 05:53:09 GMT https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224723#M3710 Andrii Oliinyk 2024-11-15T05:53:09Z https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224729#M3711 <P>Hi,</P><P>Please refer attached Border 1 Switch and Fusion 1 Switch configuration.</P><P>Border 1 Switch is part of SDA Fabric. Where as Fusion 1 Switch not a part of SDA fabric. BGP routing Protocol uses between Border 1 switch and Fusion 1 switch to route vrf traffic outside SDA Fabric.</P><P>Thanks in Advance</P><P>Regards,</P><P>Mohammed Asif&nbsp;</P> Fri, 15 Nov 2024 06:20:36 GMT https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224729#M3711 otgnwp 2024-11-15T06:20:36Z https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224771#M3712 <P>it's well known fact that FNs r not part of the Fabric in supported designs as well as VPNv4 BGP AIF Option A is used for BN-FN peering. it doesnt bring any matter to analysis yet to be done. as i said above: start with investigation on FNs of how default route gets injected into VRF.&nbsp;<BR />UPD. i guess simplest way for u would be replacing target VRF's interconnect on FNs from that toward Core to&nbsp; one toward new FW. Injection of default route into VRF on FNs is matter of technique.</P> Fri, 15 Nov 2024 10:06:23 GMT https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224771#M3712 Andrii Oliinyk 2024-11-15T10:06:23Z https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224789#M3713 <P>Am I interpreting this correctly?</P><OL><LI>Traffic is currently being routed to your fusion node, which in turn is forwarding it directly to the core</LI><LI>You wish to force this traffic to be routed towards your firewall from your fusion node</LI><LI>The firewall is external to the fabric, as shown in your topology drawing</LI></OL><P>If that is the case I would configure a new "intermediate" VRF on your fusion nodes used only for routing between the border and your firewall. This way you can have&nbsp;one FW interface in each VRF(one in the "SDA peering" VRF and one in the "upstream" VRF) to force traffic through your FW. I would also consider connecting both fusion nodes to the firewall such that you get fusion node redundancy for the VRF.&nbsp;</P><P>Please see the following diagram for a better depiction of what I mean:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="community.png" style="width: 370px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/233901iB77E01C686158C8C/image-size/large?v=v2&amp;px=999" role="button" title="community.png" alt="community.png" /></span></P> Fri, 15 Nov 2024 08:50:50 GMT https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224789#M3713 Torbjørn 2024-11-15T08:50:50Z https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224795#M3714 <P>Hi Torbjon,</P><P><SPAN class=""><SPAN class="">Thanks for Response,</SPAN></SPAN></P><OL><LI>Traffic is currently being routed to your fusion node, which in turn is forwarding it directly to the core - Yes</LI><LI>You wish to force this traffic to be routed towards your firewall from your fusion node - Yes, i have Mutliple Vrf Border node, which i need route only one vrf traffic to New Firewall not all vrf Traffic.</LI><LI>Will Intermediate Vrf forward traffic of all vrf or only single vrf i.e; SSOL_Vrf.</LI></OL><P>Thanks in Advance,</P><P>&nbsp;</P><P>Regards,</P><P>Mohammed Asif</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV> Fri, 15 Nov 2024 09:29:36 GMT https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224795#M3714 otgnwp 2024-11-15T09:29:36Z https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224807#M3715 <P>On your fusion node you should:&nbsp;</P><OL><LI>Create new intermediate VRF on your fusion node(s)</LI><LI>Move the interface you use for peering against the&nbsp;<SPAN>SSOL_Vrf VN into the new intermediate VRF</SPAN></LI><LI><SPAN>Create a new subinterface or move a physical interface connected to your firewall to the intermediate VRF</SPAN></LI><LI><SPAN>Configure routing within the new VRF such that you both have a BGP peering against your SDA border handoff and against the firewall.</SPAN></LI><LI>Create a new subinterface or move a separate physical interface connected to your firewall to your desired "upstream" VRF</LI><LI>Configure routing between the "upstream vrf" on your fusion node and the "upstream vrf" interface of your firewall.</LI></OL><P>This will result in a configuration that only forces the traffic in your&nbsp;<SPAN>SSOL_Vrf VN through the firewall. Routing for all other VNs should be unaffected by this change.</SPAN></P> Fri, 15 Nov 2024 09:54:20 GMT https://community.cisco.com/t5/software-defined-access-sd-access/route-single-vrf-traffic-to-another-interface/m-p/5224807#M3715 Torbjørn 2024-11-15T09:54:20Z