Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
210
Views
0
Helpful
1
Replies

Connecting BVI Firewall to VXLAN Spine

Beazle
Level 1
Level 1

‎03-26-2024 05:18 AM

We are looking into implementing VXLAN in our Data Center and the question of where to connect our Data Center firewalls came up. We have 2 relatively small Data Centers with firewalls in each running HA. Our Data Center firewalls use BVIs. In a spine leaf topology is there any reason to not attach the firewalls to the spine? My thought is to have the Data Center subnets terminated on the leafs running anycast gateway so there is an active gateway in each Data Center. We would then have our firewall transit networks on the Spines. That way regardless of which leaf a host connects to they route up to the spine where they hit their firewall transit network to traverse the firewall, then they either leave the Data Center or traverse back down to the appropriate leaf to reach the destination host.

I have read a lot where people say to connect the firewalls to the leafs, but is what I describe a valid design?

 

Labels:
0 Helpful
1 Reply 1

Greg Gibbs
Cisco Employee
Cisco Employee

‎03-26-2024 02:22 PM

This space is intended for questions related to Cisco ISE and NAC solutions. It sounds like this may be a question related to ACI (although that's not specified), so you would be better posting it to the relevant Data Center space.

0 Helpful
Customers Also Viewed These Support Documents