topic Re: NDFC design/deployment doubts with switch roles in Nexus Dashboard

NDFC design/deployment doubts with switch roles

Luis Perez — Thu, 14 Aug 2025 23:54:54 GMT

Looking for some advice related to:

1. If i need to connect endpoints (servers) and also firewalls (L3 connectivity) to leafs, can i use the leaf role or the border role, arent they mutually exclusive?

2. In two layer design (image attached) for a VXLAN EVPN Multiste which role has to be used in the blue switches (i was thinking in border gateway spine) and which role has to be used in the orange switches (related with point number 1)

3. Is possible to connect the external L3 networks or some endpoints to the spines, and left leafs only for endpoints. In this case which role must be used in the blue and orange switches?

Re: NDFC design/deployment doubts with switch roles

Enes Simnica — Fri, 15 Aug 2025 05:52:34 GMT

@Luis Perez as u already know, servers and firewalls go to the leafs – that’s their role. So If those leafs also connect outside the fabric, they just become border leafs, so the roles aren’t exclusive.

In ur two-layer design, blue switches would be Border Gateway Spines if they handle external links, and orange switches stay leafs (or border leafs if they connect outside).

You could hang stuff off the spines, but best practice is to keep them clean and let leafs handle endpoints and external connectivity.

Hope it helps

-Enes

Re: NDFC design/deployment doubts with switch roles

M02@rt37 — Fri, 15 Aug 2025 09:21:21 GMT

Hello @Luis Perez

In a VxLAN EVPN multi-site fabric, the roles of leaf and border leaf are not strictly mutually exclusive !

A leaf switch is normaly responsible for connecting endpoints such as servers, storage, or access switches, while a border leaf is a leaf that also connect to external networks or devices such as firewalls, routers, or WAN links...

This means you can have a single switch acting as both a leaf for server conectivity and a border leaf for L3 external connections. For example, if a top-of-rack device connect to both servers and a firewall, it can be assigned the border leaf role without losing its ability to host endpoints. What is not typical is declaring it as a pure border gatewy spine and still using it for endpoint connections, as the border gateway spine role is designed for centralized inter-site or external routing rather than direct server attachment.

In a two-layer VXLAN evpn multi-site design, the upper-layer switches would typically be configured as border gateway spines. Their role is to terminate the EVPN control plane for the local site and handle inter-site or external L3 connectivity. They usually do not host endpoints and instead focus on high-speed transit, route exchange, and policy enforcement at the edge of the fabric.

The lower-layer switches would be the leaf layer, responsible for ataching endpoints. If those switches also connect to external firewall or routers, they would take on the border leaf role so that they can handle both endpoint traffic and external routing.

It is technically possible to connect external L3 networks directly to spines, and in some collapsed designs this is done to avoid dedicating hardware for border leaf functions... In your case, the blue switches would still be considered border gateway spines, and the orange switches could remain pure leafs dedicated to endpoint connectivity.

But best approach is to keep spines as pure transit nodes to maintain design consistency and simplify policy management.

Re: NDFC design/deployment doubts with switch roles

Luis Perez — Fri, 15 Aug 2025 14:18:15 GMT

Thanks @Enes Simnica and M02@rt37 just to clarify:

- Avoiding that the best approach is to maintain spines clear and used as pure transit nodes, in the bordger gateway spine role is possible to connect the DCI and also external connections like routers or Firewalls? Is that role ok or super spine border gateway role must be used? How can this impact in the policy management, the question is related with a rack space, and cabling restriction.

- Maybe i do some in the wrong way but trying in dcloud, when i use the border role for a leaf and then configure and attach networks to that border leaf, anycast gateway of the network wasnt be deployed on the border leaf, so im confused about if the leaf role and border role are mutually exclusive

Re: NDFC design/deployment doubts with switch roles

M02@rt37 — Fri, 15 Aug 2025 14:37:59 GMT

You're so welcome @Luis Perez.

Yes, if you want to keep your spines “clean” as pure transit devices, that’s the most maintainable and predictable design, but it’s not the only option...

A border gateway spine is allowed to terminate both the DCI (site-to-site connectivity) and external connections such as routers, WAN edges, or firewalls. You don’t have to introduce a separate “super spine border gateway” role unless you have a multi-tier spine architecture or very large-scale multi-pod/multi-site deployments where you want an additional layer for policy isolation. Using the border gateway spine for both DCI and external routing is perfectly valid, but it does mean your routing and security policy configuration will live in the spine layer rather than the leaf layer ! So, this can impact operational flexibility because it concentrate control-plane policy in fewer devices, making change management a bit more sensitive.

On the other hand, in environment with rack space and cabling restrictions, this consolidation can be a practical trade-off, no ?

Re: NDFC design/deployment doubts with switch roles

Luis Perez — Fri, 15 Aug 2025 17:32:23 GMT

Thanks M02@rt37, i will decide if firewalls could be connected to border gateway spine or to leafs accorgin with the cabling constraints but also with the best practices with spine cleans.

What about this second question: "- Maybe i do some in the wrong way but trying in dcloud, when i use the border role for a leaf and then configure and attach networks to that border leaf, anycast gateway of the network wasnt be deployed on the border leaf, so im confused about if the leaf role and border role are mutually exclusive" I want to know which specific role to apply to leaves

Thanks again in advance for your help

Re: NDFC design/deployment doubts with switch roles

M02@rt37 — Fri, 15 Aug 2025 17:38:07 GMT

Ok....

Border and leaf roles are not mutualy exclusive — a border leaf is still a leaf and can host endpoints with anycast gateways if you explicitly attach the vlan/VRF to it in NDFC.

I'm gonna check...

Re: NDFC design/deployment doubts with switch roles

Luis Perez — Mon, 18 Aug 2025 21:18:17 GMT

Thanks M02@rt37 were you able to check the creation of the anycast gateway in a switch with border leaf role after vlan/vrf attachment? i tried last week and didnt found the anycast gateway in the border leaf, so tha cause me confussion.

Regards

Luis

Re: NDFC design/deployment doubts with switch roles

M02@rt37 — Tue, 19 Aug 2025 04:28:32 GMT

Hello @Luis Perez

On 'Network' menu (Fabric Details).

You should be able to configure anycast Gw per nerwork here. After that you deploy the config on Leaf Border (if you need anycast Gw on it) by selecting the device concerned.