VXLAN EVPN and traffic filtering between VNIs

Hi Guys,

 

I am going to deploy a multi-site EVPN fabric on Cisco 9K switches, but one of the requirements is to make sure that all communication between any subnets (VNIs) passes through a firewall to achieve the desired security posture.

 

I don't want to enable filtering on the data plane via any shape or form of ACLs.

 

Based on the following document, https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/nexus9000/sw/vxlan_evpn/VXLAN_EVPN.pdf, you can create multiple VRFs (one per security zone) and use a VRF-lite hand-off towards a VRF-aware firewall to route the traffic between VRFs, but what if I want to filter at the VNI level within a VRF?

 

As per the book, this use case would require you to use the FW as an L2 demarcation point, making it the default gateway for all VNIs, but I don't really like this design: the FW becomes a bottleneck, the fabric is used only as an L2 VPN, and you miss out on all the nice features like anycast gateway etc.

Guys, any ideas for a more elegant solution? How would you achieve this?

 

Thanks a lot.
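As an added illustration (not from the thread or the Cisco document), this is roughly how the VRF-per-security-zone design with a VRF-lite hand-off looks on an NX-OS leaf: each zone gets its own VRF and L3VNI, no route targets are shared between the two VRFs, so the only path from a ZONE-A subnet to a ZONE-B subnet is via the firewall peerings. VRF names, VNIs, VLANs, addresses and AS numbers are assumed, and the EVPN/NVE features are assumed to be enabled already.

```text
! Assumed values: ASN 65001, firewall ASN 65010, VNIs/VLANs/addresses chosen for illustration
fabric forwarding anycast-gateway-mac 0000.1111.2222
! Security zone A: dedicated VRF and L3VNI; RTs are auto-derived per VRF, so nothing leaks into ZONE-B
vrf context ZONE-A
  vni 50001
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
! Security zone B: same pattern, its own VNI
vrf context ZONE-B
  vni 50002
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
! L3VNI transit VLAN/SVI for ZONE-A (repeat with VLAN 2002 / VNI 50002 for ZONE-B)
vlan 2001
  vn-segment 50001
interface Vlan2001
  no shutdown
  vrf member ZONE-A
  ip forward
interface nve1
  member vni 50001 associate-vrf
  member vni 50002 associate-vrf
! Host subnet in ZONE-A keeps the fabric anycast gateway (L2VNI 10010)
vlan 10
  vn-segment 10010
interface Vlan10
  no shutdown
  vrf member ZONE-A
  ip address 10.1.10.1/24
  fabric forwarding mode anycast-gateway
! VRF-lite hand-off: one dot1q subinterface per zone toward the VRF-aware firewall
! (repeat with dot1q 102 / ZONE-B / 192.0.2.5/30 for the second zone)
interface Ethernet1/1.101
  encapsulation dot1q 101
  vrf member ZONE-A
  ip address 192.0.2.1/30
! eBGP per VRF to the firewall; fabric routes are redistributed into the VRF peering and vice versa
router bgp 65001
  vrf ZONE-A
    address-family ipv4 unicast
      advertise l2vpn evpn
    neighbor 192.0.2.2 remote-as 65010
      address-family ipv4 unicast
```

Because the two VRFs carry different auto-derived route targets, a leaf never installs a ZONE-B prefix in ZONE-A; the only ZONE-B reachability ZONE-A learns is what the firewall advertises over its eBGP session, which is what makes the firewall the mandatory inter-zone hop.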

 

Thanks,

 

This solution looks more like a workaround. OK, so if I go for the FW as the L3 gateway for my VNIs within a VRF, would I still be able to stretch those VNIs across the DCI to another fabric (L2 VPN) and get away with not having SVIs on them? Would northbound traffic from those VNIs be pinned to a single DC in this case?

 
