06-07-2019 01:49 PM
What is the best practice for having a VRF configured on a Nexus 7K, with several subnets (VLAN interfaces) but termination on the firewall? At least, how should those be configured from the firewall's perspective?
I have different security zones to be configured with different subnets and vlans.
Actually the firewall has sub-interfaces and the default gateway is on the firewall. What I want to do is to have the default gateway moved to the nexus, under a VRF and be sent to the firewall for inter-vrf policy processing.
Shall the firewall have the same sub-interfaces? Any insight would be much appreciated.
Thanks
Jones
06-08-2019 07:38 PM
Yes - the firewall can keep a subinterface per VRF. You just need to update the routing in the Nexus VRFs to make the ASA the next hop for inter-VRF communications. You can do it with either static or dynamic (e.g., OSPF, EIGRP) routing.
06-11-2019 02:57 PM
Under one VRF I have multiple subnets. Like vlan 200, 210 and 300
So here are my questions:
On the Nexus:
1. I would have these three interface VLANs under the VRF.
2. Should the link connected to the firewall be a trunk port, trunking those VLANs? <--- What is the best practice?
3. On the firewall there is no VRF configured, only sub-interfaces for each VLAN. How should those be configured?
4. Under that VRF, what is the next hop for inter-VRF communications?
Thanks
06-11-2019 07:14 PM
For VLANs in a given VRF, the firewall is not involved. Only between VRFs. Typically we add a "Transit" VLAN to each VRF to connect to the firewall and it is via that subnet that inter-VRF traffic flows.
Either a trunk or separate physical interfaces is fine. Most people choose a trunk (may or may not be part of an Etherchannel to increase throughput and availability) with subinterfaces.
On the firewall subinterfaces are configured one per VLAN (e.g., the transit VLAN for each VRF).
The next hop in each VRF's routing table is the firewall subinterface address for the transit VLAN associated with that VRF.
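As an added illustration of the transit-VLAN design described in this reply (not configuration posted by anyone in the thread), here is what the Nexus and ASA sides could look like for VRF-A with VLANs 200, 210 and 300 and transit VLAN 555. All addresses, the ASA interface name `Ethernet0/1`, and VLAN 666 as VRF-B's transit VLAN are assumed values chosen for the example.

```cisco
! ===== Nexus 7K (assumed example addressing) =====
feature interface-vlan
vlan 200,210,300,555
!
vrf context VRF-A
  ! Inter-VRF (and outbound) traffic goes to the ASA's transit address
  ip route 0.0.0.0/0 10.255.55.1
!
! Host SVIs: default gateway for each subnet now lives here, in VRF-A.
! Traffic between VLANs 200/210/300 is routed inside VRF-A and never
! reaches the firewall; only traffic leaving the VRF does.
interface Vlan200
  vrf member VRF-A
  ip address 10.20.0.1/24
  no shutdown
interface Vlan210
  vrf member VRF-A
  ip address 10.21.0.1/24
  no shutdown
interface Vlan300
  vrf member VRF-A
  ip address 10.30.0.1/24
  no shutdown
!
! Transit SVI: the one VRF-A subnet shared with the firewall
interface Vlan555
  vrf member VRF-A
  ip address 10.255.55.2/30
  no shutdown
!
! Uplink to the ASA: an 802.1Q trunk carrying only the transit VLANs
! (555 for VRF-A, 666 for VRF-B), not the host VLANs
interface Ethernet1/15
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 555,666

! ===== ASA (assumed interface name and addressing) =====
interface Ethernet0/1.555
  vlan 555
  nameif vrf-a-transit
  security-level 50
  ip address 10.255.55.1 255.255.255.252
!
! Return routes into VRF-A point at the Nexus transit address
route vrf-a-transit 10.20.0.0 255.255.255.0 10.255.55.2 1
route vrf-a-transit 10.21.0.0 255.255.255.0 10.255.55.2 1
route vrf-a-transit 10.30.0.0 255.255.255.0 10.255.55.2 1
```

VRF-B gets the same pattern with its own transit SVI, its own ASA sub-interface (`Ethernet0/1.666` under the assumptions here) and its own default route; the ASA's interface policies between the two transit interfaces are what enforce the inter-VRF security zones.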
06-12-2019 08:55 AM
Hello Marvin
I have those three vlans under a VRF:
200,210,300
As per your recommendations, I should have VLAN 555, for example, as a transit VLAN, which is a subnet shared between the Nexus interface and the firewall. So on the firewall there would be a sub-interface like ethernet0/1.555, am I correct?
So VRF-A has those interface vlans 200,210,300, while VRF-B has 100,200, and 300
So for VRF-B I will again have a transit VLAN 666 and have the sub-interface on the firewall, right?
On the Nexus I have a 10G port eth1/15, so will I trunk all the required VLANs or only the transit VLANs? Should the port eth1/15 have sub-interfaces as well, like eth1/15.555 and eth1/15.666 for the respective transit VLANs, and trunk only those respective VLANs 555 and 666?
Thanks
Jones