How to Implement VXLAN in My Current Lab to Isolate DMZ and Inside

shahi22
Level 1

Hi everyone,

I'm currently studying VXLAN and trying to understand its benefits and real use cases. I’ve built a lab with the following setup:

  • A FortiGate firewall connected to the internet.
  • Two Nexus 9K Core switches connected with vPC for redundancy.
  • Two Nexus 9K ToR (Top of Rack) switches, also configured with vPC.
  • Port-channel 20 connects the Core and ToR switches (four physical links).
  • A server connected to both ToR switches via Port-channel 30.

I’ve configured SVIs and VRFs on the Core switches to isolate the DMZ and Inside zones, with each zone having independent internet access through the FortiGate.

My goal:

I want to apply VXLAN to provide zone isolation (DMZ / Inside), while maintaining redundancy and possibly better scalability.

My questions:

In my current topology, what problem or limitation would justify implementing VXLAN?

Is VXLAN just an enhancement over vPC, or should I replace vPC with VXLAN EVPN for this design?

Do I need to redesign anything in my current setup to implement VXLAN properly?

My lab:

[Lab topology image: shahi22_0-1753312693410.png]


Pavel Tarakanov
Cisco Employee

In terms of physical connections it's probably OK, but for a VXLAN deployment to make sense, it's better to add one more pair of ToR switches, move the Core switches to the spine role (removing vPC from them), and move the ToR switches to the leaf role.

The firewall connection can then be moved from the core to the new pair of leaf switches.

Then you need to move all links between switches to L3 and configure the underlay, the VTEPs, BGP and so on.

https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/103x/configuration/vxlan/cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-release-103x.html
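As an added, constructed illustration of that last step (not configuration from the thread or from Cisco's guide), here is what the leaf (VTEP) side looks like for one zone, the DMZ, on NX-OS. It assumes the L3 underlay (loopbacks and an IGP between leaf and spine) is already up; the AS number, addresses, VLAN/VNI numbers and anycast gateway MAC are placeholders. Vlan100 is the anycast gateway for DMZ servers and Vlan2100 carries the DMZ L3VNI.

```text
! Leaf (VTEP) excerpt for the DMZ zone; assumed: AS 65000, BGP on loopback0 10.0.0.11, NVE on loopback1 10.0.1.11, spine route reflector 10.0.0.1
feature bgp
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay
feature fabric forwarding
nv overlay evpn
fabric forwarding anycast-gateway-mac 0000.2222.3333
! One tenant VRF per zone: DMZ and Inside never share a routing table in the fabric, so the FortiGate stays the only inter-zone path
vlan 100
  vn-segment 10100
vlan 2100
  vn-segment 52100
vrf context DMZ
  vni 52100
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
interface Vlan2100
  no shutdown
  vrf member DMZ
  ip forward
interface Vlan100
  no shutdown
  vrf member DMZ
  ip address 10.10.100.1/24
  fabric forwarding mode anycast-gateway
interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10100
    ingress-replication protocol bgp
  member vni 52100 associate-vrf
router bgp 65000
  router-id 10.0.0.11
  neighbor 10.0.0.1
    remote-as 65000
    update-source loopback0
    address-family l2vpn evpn
      send-community both
  vrf DMZ
    address-family ipv4 unicast
      advertise l2vpn evpn
evpn
  vni 10100 l2
    rd auto
    route-target import auto
    route-target export auto
```

The Inside zone repeats the same VLAN, VRF, NVE and BGP blocks with its own VLAN, VNI and subnet values, so the fabric never forwards between the two zones on its own and host reachability is learned through BGP EVPN rather than flood-and-learn.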
