Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
274
Views
0
Helpful
0
Replies

VXLAN EVPN A/P firewall insertion (attached to different leaf vPC)

MichielVercoutter
Level 1
Level 1

‎04-15-2025 12:34 AM - edited ‎04-15-2025 12:35 AM

Hi,

I am working on a design where I need to connect a Palo Alto firewall cluster (A/P mode) to a VXLAN EVPN fabric, with each firewall being connected to a different vPC leaf pair.

The VXLAN EVPN fabric will use anycast gateway, with the firewall providing the L3 VRF-lite handoff. The goal is to use eBGP between the border leafs and the firewall.

I am now trying to decide what the best routing design is for this handoff.

It seems that the recommended approach is to use BGP peering between the firewall and a unique loopback on each VTEP (4), and use static routes on the firewall pointing to the AGW of the subnet to reach the loopbacks, as shown in this Cisco live session:

MichielVercoutter_0-1744701603131.png

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2025/pdf/BRKDCN-2974.pdf

Can you get the same result by just using a VLAN which is stretched between the different vPC pairs using a L2VNI? The firewall would then peer using BGP with each of the (unique) SVI IP addresses on the VTEPs. Like this there are no static routes needed.

Any pros and cons for each design?

The Cisco Live session also states "Peering can be established with unique SVI addresses on the leaf nodes only for non-VXLAN VLANs". Not sure what they mean by this or why this would be the case.

Thank you for your input!

1 person had this problem
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card