Hello,
We are deploying SDA to one of our customers and we need to build the overlay where we are using CAT 9500 as a collocated border and control node and firewalls as upstream devices connected to the borders. In the design we have only one VRF for all of the endpoints in the fabric, and the border nodes will be deployed as an external type of border since they are directly connected to the FW as the gateway of last resort, and the rest of the infrastructure is located behind the firewall, including WLC, DNA and ISE.
My question regarding the deployment is: do we need to configure an L3 handoff, and is this necessary and a must-have for the north-south traffic that enters and leaves the fabric? We are not using any kind of routing protocol for inbound and outbound traffic to and from the fabric, but instead a default route configured in the GRT that points to the firewall as the gateway of last resort. On the other side, a static route for the overlay subnet is configured on the FW that points to both of the border nodes with the same distance to achieve ECMP.
Kind regards,
Sara