I am going to deploy a multi-site EVPN fabric on Cisco 9K switches, but one of the requirements is to make sure that all communication between any subnets (VNIs) passes through a firewall to achieve the desired security posture.
I don't want to enable filtering on the data plane via any shape or form of ACLs.
Based on the following document: https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/nexus9000/sw/vxlan_evpn/VXLAN_EVPN.pdf
you can create multiple VRFs (per security zone) and use a VRF-lite hand-off towards a VRF-aware firewall to route the traffic between VRFs, but what if I want to filter at the VNI level within a VRF?
As per the book, this use case would require you to use the FW as an L2 demarcation point, making it the default gateway for all VNIs, but I don't really like this design: the FW becomes a bottleneck, the fabric is used only as an L2 VPN, and you miss out on all the nice features like anycast gateway, etc.
Guys, any ideas for a more elegant solution? How would you achieve this?
Thanks a lot.
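For reference, here is what the approach the question paraphrases from the Cisco document (one VRF per security zone, VRF-lite hand-off from a border leaf to a VRF-aware firewall) looks like as NX-OS configuration. This is an added example, not text from the original post or from Cisco's document; the VRF names, VLAN/VNI numbers, addresses and AS numbers are made up for illustration, and the underlay, loopbacks and EVPN peering to the spines are assumed to be configured already.

```cisco
! Example leaf + border-leaf config (assumed names/numbers, see lead-in)
feature nv overlay
feature vn-segment-vlan-based
feature interface-vlan
nv overlay evpn
fabric forwarding anycast-gateway-mac 0000.2222.3333
! L2VNIs: VLAN 100 -> 10100 (ZONE-A), VLAN 200 -> 10200 (ZONE-B); L3VNIs 50001/50002
vlan 100
  vn-segment 10100
vlan 200
  vn-segment 10200
vlan 1000
  vn-segment 50001
vlan 2000
  vn-segment 50002
! One VRF per security zone, each bound to its own L3VNI
vrf context ZONE-A
  vni 50001
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
vrf context ZONE-B
  vni 50002
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
! Anycast gateway SVIs: identical IP/MAC on every leaf, so the first-hop leaf
! routes between any two subnets that share a VRF without touching the firewall
interface Vlan100
  no shutdown
  vrf member ZONE-A
  ip address 10.1.100.1/24
  fabric forwarding mode anycast-gateway
interface Vlan200
  no shutdown
  vrf member ZONE-B
  ip address 10.2.200.1/24
  fabric forwarding mode anycast-gateway
! L3VNI SVIs carry routed traffic between leaves inside each VRF
interface Vlan1000
  no shutdown
  vrf member ZONE-A
  ip forward
interface Vlan2000
  no shutdown
  vrf member ZONE-B
  ip forward
interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10100
    suppress-arp
    ingress-replication protocol bgp
  member vni 10200
    suppress-arp
    ingress-replication protocol bgp
  member vni 50001 associate-vrf
  member vni 50002 associate-vrf
evpn
  vni 10100 l2
    rd auto
    route-target import auto
    route-target export auto
  vni 10200 l2
    rd auto
    route-target import auto
    route-target export auto
! Border leaf only: VRF-lite hand-off, one dot1q subinterface per zone, to the
! VRF-aware firewall (assumed AS 65100, .1 on each /31). With auto route targets
! ZONE-A never imports ZONE-B prefixes directly, so the only path between the
! zones is whatever the firewall readvertises over these two eBGP sessions.
interface Ethernet1/1
  no switchport
interface Ethernet1/1.101
  encapsulation dot1q 101
  vrf member ZONE-A
  ip address 192.168.101.0/31
  no shutdown
interface Ethernet1/1.102
  encapsulation dot1q 102
  vrf member ZONE-B
  ip address 192.168.102.0/31
  no shutdown
router bgp 65001
  vrf ZONE-A
    address-family ipv4 unicast
      advertise l2vpn evpn
    neighbor 192.168.101.1
      remote-as 65100
      address-family ipv4 unicast
  vrf ZONE-B
    address-family ipv4 unicast
      advertise l2vpn evpn
    neighbor 192.168.102.1
      remote-as 65100
      address-family ipv4 unicast
```

What this buys and what it does not: ZONE-A to ZONE-B traffic can only cross via the firewall, because each VRF has no route to the other except what the firewall hands back over its eBGP session. If you add a second L2VNI to ZONE-A (another vlan/vn-segment, an anycast SVI in ZONE-A, and the matching nve and evpn stanzas), traffic between the two ZONE-A subnets is routed by the anycast gateway on the ingress leaf and never reaches the firewall, which is exactly the intra-VRF, per-VNI gap the question is about. `show nve vni` and `show ip route vrf ZONE-A` on a leaf show which prefixes are reachable inside the VRF versus only through the hand-off.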
We can divide the VLANs: some will use the anycast GW, others will be routed toward the FW.
This solution looks more like a workaround. OK, so if I go for the FW as an L3 gateway for my VNIs within a VRF, would I still be able to stretch those VNIs across the DCI to another fabric (L2 VPN) and get away with not having SVIs on them? Would northbound traffic from those VNIs be pinned to a single DC in this case?
The VRF sandwich approach can also be used for VNIs with an anycast gateway on the leaf switches: