Cisco Community
English
Register
Certain Solid State Drives (SSD) modules will stop functioning at 40,000 power-on hours (~4.5 years) if firmware is not updated. REVIEW UPGRADE DETAILS HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
183
Views
10
Helpful
3
Replies
Highlighted
Gleboz
Beginner
Beginner
‎01-21-2021 02:44 PM
‎01-21-2021 02:44 PM

VXLAN EVPN and traffic filtering between VNIs

HI Guys, 

 

I am going to deploy multi-site EVPN fabric on cisco 9K switches but one of the requirements is to make sure that all communications between any subnets (VNIs) should be passing through firewall to achieve desired security posture. 

 

I don't want to enable filtering on the data plane via any shape or form of ACLs. 

 

Based on the following document https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/nexus9000/sw/vxlan_evpn/VXLAN_EVPN.pdf

you can create multiple VRFs (per security zone) and use VRF-lite hand off towards vrf-aware Firewall route the traffic between  VRFs but what if I want to filter out on VNI level within VRF?

 

As per the book this use case would require you to use FW as a L2 demarc point making it default gateways for all VNIs but I don't really like this design FW being a bottleneck and use fabric as L2 VPN and missing out all nice features like anycast gateway etc. 

Guys any ideas of more elegant solution how you would achieve this?

 

Thanks a lot.

 

Labels:
0 Helpful
Reply
3 REPLIES 3
Highlighted
MHM Cisco World
Rising star
Rising star
‎01-21-2021 03:28 PM
‎01-21-2021 03:28 PM

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/vxlan/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_7x_appendix_0111.html

 

we can divide the VLAN, some will use any cast GW other will be route toward FW.
see doc.

Reply
Highlighted
Gleboz
Beginner
Beginner
‎01-21-2021 06:30 PM
‎01-21-2021 06:30 PM

Thanks,

 

This solution looks more like a workaround. OK so if I go for FW as a L3 gateway for my VNIs within VRF would I be still able to stretch those VNIs across DCI to another fabric (l2 VPN) and getting away with not having SVIs on them? Would northbound traffic from those VNIs be pinned to a single DC in this case?

 

0 Helpful
Reply
Highlighted
msdaniluk
VIP Engager VIP Engager
VIP Engager
In response to Gleboz
‎01-21-2021 11:28 PM
‎01-21-2021 11:28 PM

Hi @Gleboz 

The VRF sandwich approach can be used as well for VNIs with anycast gateway on Leaf switches:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/vxlan/configuration/guide/b-cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-93x/b-cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-93x_appendix_011000.html

 

Stay safe,

Sergiu

Reply
Latest Contents
Cisco Nexus Dashboard: Under the hood with Day 2 Operations ...
Created by ukodali on 02-23-2021 11:53 AM
1
5
1
5
Cisco® Nexus® Dashboard revolutionizes operations in today’s modern data-center environments. Join us to learn about the operational efficiencies realized from the seamless user experience of the dashboard and the powerful capabilities of Cisco Nexus Insi... view more
AVE HTML5 Plugin Error
Created by Shankar K on 02-15-2021 11:12 PM
0
0
0
0
Hi Team,   The HTML5 plug installation is successful. But I get the following error while I click on AVE. The other icons are showing up the results except AVE. Please let me know your SME thoughts on this error.   No VmmDomains Found   Tha... view more
Customer Connection Briefing - Next Generation SAN Fabric He...
Created by Kelsy Tibshraeny on 02-15-2021 02:06 PM
1
0
1
0
This session will help administrators and architects leverage SAN Insights Discovery to help understand the current status of their SAN fabric and help identify areas of opportunity for improvement. The attendees will learn the process, architecture, and ... view more
Customer Connection Briefing - Cisco Nexus Dashboard: Under ...
Created by Kelsy Tibshraeny on 02-15-2021 02:04 PM
0
0
0
0
Join us to learn about the operational efficiencies realized from the seamless user experience of the dashboard and the powerful capabilities of Cisco Nexus Insights (NI), Cisco Network Assurance Engine (NAE), and Cisco Multi-Site Orchestrator (MSO). The ... view more
Intersight Terraform Provider Overview
Created by dsoper on 02-09-2021 11:02 AM
0
0
0
0
Cisco Intersight's Terraform Provider is now available in the Terraform Registry at https://registry.terraform.io/providers/CiscoDevNet/intersight/latest.  The provider has Terraform resource and data source support for the wide range of Inters... view more
Content for Community-Ad