cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1015
Views
1
Helpful
6
Replies

firewall placement

bluesea2010
Level 5
Level 5

Hi,

Right now, I have a traditional l2 server farm with the switches listed below.

aggregation switch and TOR switches.

currently policy enforced between every vlan in the server farm.
All servers' gateways are located within the firewall.

Therefore, the server farm's inter-VLAN traffic  is monitored .

Now Planning to implement vxlan-bgp-evpn(spine and leaf ) with anycast gateway

The question is: Using the distributed any cast gateway set up on the leaf switches, how can I enforce the same policy across vlans?

Also I need to enforce policy for the north south traffic

 

Thanks

Topology is below 

cln dc vxlan.jpg

6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

This is a Physical topology, you need also Logically how the traffic flow vial Firewall, East west, and north-south.

Now Planning to implement vxlan-bgp-evpn(spine and leaf ) with anycast gateway   <-- this required re-configure the network, may required downtime.

Look at some design guides to help you understand the traffic flow.

https://www.cisco.com/c/en/us/td/docs/dcn/whitepapers/cisco-application-centric-infrastructure-design-guide.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi ,

There is no east-west traffic . Because distributed anycast gateway is used in every vxlan implementation. Therefore, traffic will hit the gateway on the leaf switches rather than the firewall in that scenario.
According to what I understand, in my case every vlan should be configured under a different vrf, and then do a default route for each vrf to the firewall.

Any advise 

Thanks

Thanks

 

 

sure depends on the firewall in your case, Cisco FTD do understand SGT, if not you can use VN or vrf Lite.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

The firewall is  in transparent mode ? 

Thanks

we need to check the documentation transparent mode limitations.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

follow

Review Cisco Networking for a $25 gift card