Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3510
Views
0
Helpful
4
Replies

Terminating VRF on the firewall

BirkJones7747
Level 1
Level 1

‎06-07-2019 01:49 PM

What is the best practice of having VRF configured on nexus 7k, with several subnets(VLAN interfaces) but termination on the firewall? At least how to have those configured from the firewall perspective?

I have different security zones to be configured with different subnets and vlans.

Actually the firewall has sub-interfaces and the default gateway is on the firewall. What I want to do is to have the default gateway moved to the nexus, under a VRF and be sent to the firewall for inter-vrf policy processing.

Shall the firewall have the same sub-interfaces? Any insight would be much appreciated.

Thanks

Jones

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-08-2019 07:38 PM

Yes - the firewall can keep a subinterface per VRF. You just need to update the routing in the Nexus VRFs to make the ASA the next hop for inter-VRF communications. You can do it with either static or dynamic (e.g., OSPF, EIGRP) routing.

0 Helpful

BirkJones7747
Level 1
Level 1
In response to Marvin Rhoads

‎06-11-2019 02:57 PM

Under one VRF I have multiple subnets. Like vlan 200, 210 and 300

So here are my questions:

on the nexus:

1. I would have these three interface vlans under the VRF.

2. Should the link connected to the firewall be a trunk port, trunking those vlans?<--- What is the best practice?

3. on the firewall there is no VRF configured. only sub-interfaces for each vlan, how should those be configured?

4. under that VRF then what is the next hop for inter-vrf communications?

Thanks

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to BirkJones7747

‎06-11-2019 07:14 PM

For VLANs in a given VRF, the firewall is not involved. Only between VRFs. Typically we add a "Transit" VLAN to each VRF to connect to the firewall and it is via that subnet that inter-VRF traffic flows.

Either a trunk or separate physical interfaces is fine. Most people choose a trunk (may or may not be part of an Etherchannel to increase throughput and availability) with subinterfaces.

On the firewall subinterfaces are configured one per VLAN (e.g., the transit VLAN for each VRF).

The next hop in each VRF's routing table is the firewall subinterface address for the transit VLAN associated with that VRF.

0 Helpful

BirkJones7747
Level 1
Level 1
In response to Marvin Rhoads

‎06-12-2019 08:55 AM

Hello Marvin

I have those three vlans under a VRF:

200,210,300

as per your recommendations, I should have vlan 555 for example as a transit vlan which is a subnet shared between the nexus interface and the firewall. So on the firewall there would a sub-interface like ethernet0/1.555, am I correct?

So VRF-A has those interface vlans 200,210,300, while VRF-B has 100,200, and 300

so for VRF-B I will again have a transit vlan 666 and have the sub-interface on the firewall? right?

on the nexus I have a 10G port eth1/15, so I will trunk all the required vlans or only the transit vlans?, should the port eth1/15 have sub-interface as well? like eth1/15.555 and eth1/15.666 for the respective transit vlans and trunk on those respective vlans 555 and 666?

Thanks
Jones

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card