03-11-2023 03:44 AM
Hi,
Right now, I have a traditional L2 server farm with the switches listed below: an aggregation switch and TOR switches.
Currently, policy is enforced between every VLAN in the server farm.
All servers' gateways are located on the firewall.
Therefore, the server farm's inter-VLAN traffic is monitored.
Now I am planning to implement VXLAN BGP EVPN (spine and leaf) with anycast gateway.
The question is: using the distributed anycast gateway set up on the leaf switches, how can I enforce the same policy across VLANs?
I also need to enforce policy for the north-south traffic.
Thanks
Topology is below.
03-11-2023 04:32 AM
This is a physical topology; you also need the logical one, showing how the traffic flows via the firewall, east-west and north-south.
Now planning to implement VXLAN BGP EVPN (spine and leaf) with anycast gateway <-- this requires reconfiguring the network and may require downtime.
Look at some design guides to help you understand the traffic flow.
03-11-2023 09:22 AM - edited 03-11-2023 09:23 AM
Hi,
There is no east-west traffic, because a distributed anycast gateway is used in every VXLAN implementation. Therefore, traffic will hit the gateway on the leaf switches rather than the firewall in that scenario.
According to what I understand, in my case every VLAN should be configured under a different VRF, and then a default route for each VRF should point to the firewall.
Any advice?
Thanks
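The "one VRF per VLAN, default route to the firewall" design described in the post above, written out as an added NX-OS-style configuration sketch for illustration; it is not part of the original thread and not a configuration taken from the poster's network. All VLAN, VNI, VRF names, AS number and IP addresses are constructed placeholders. The security point it shows is that two server VLANs placed in separate VRFs cannot be routed to each other by the anycast gateway on the leaf; the only path between them, and to the outside, is the per-VRF default route towards a firewall interface on the border leaf, so both east-west (inter-VLAN) and north-south traffic pass through the firewall policy.

```text
! ---- Every leaf: tenant VLANs, one VRF per VLAN, anycast gateway ----
! Constructed example, not the thread's configuration.
vlan 10
  name SERVERS-A
  vn-segment 10010            ! L2 VNI for VLAN 10 (placeholder)
vlan 20
  name SERVERS-B
  vn-segment 10020            ! L2 VNI for VLAN 20 (placeholder)
vlan 3010
  vn-segment 50010            ! L3 VNI for VRF TENANT-A (placeholder)
vlan 3020
  vn-segment 50020            ! L3 VNI for VRF TENANT-B (placeholder)

vrf context TENANT-A
  vni 50010
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
vrf context TENANT-B
  vni 50020
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn

fabric forwarding anycast-gateway-mac 0000.1111.2222   ! same MAC on all leaves

interface Vlan10
  no shutdown
  vrf member TENANT-A
  ip address 10.1.10.1/24     ! same gateway address on every leaf
  fabric forwarding mode anycast-gateway
interface Vlan20
  no shutdown
  vrf member TENANT-B         ! different VRF: no local routing to VLAN 10
  ip address 10.1.20.1/24
  fabric forwarding mode anycast-gateway
interface Vlan3010
  no shutdown
  vrf member TENANT-A
  ip forward
interface Vlan3020
  no shutdown
  vrf member TENANT-B
  ip forward

interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10010
    ingress-replication protocol bgp
  member vni 10020
    ingress-replication protocol bgp
  member vni 50010 associate-vrf
  member vni 50020 associate-vrf

! ---- Border leaf only: hand-off VLAN per VRF towards the firewall ----
! The firewall (routed mode) has one sub-interface per VRF; it is the
! only device that can forward between TENANT-A and TENANT-B.
vlan 3110
  name FW-HANDOFF-A
vlan 3120
  name FW-HANDOFF-B
interface Vlan3110
  no shutdown
  vrf member TENANT-A
  ip address 10.255.10.2/29   ! firewall inside-A is 10.255.10.1 (placeholder)
interface Vlan3120
  no shutdown
  vrf member TENANT-B
  ip address 10.255.20.2/29   ! firewall inside-B is 10.255.20.1 (placeholder)

vrf context TENANT-A
  ip route 0.0.0.0/0 10.255.10.1
vrf context TENANT-B
  ip route 0.0.0.0/0 10.255.20.1

route-map ALLOW-DEFAULT permit 10
  match ip address prefix-list DEFAULT-ONLY
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0

router bgp 65000                 ! placeholder AS number
  vrf TENANT-A
    address-family ipv4 unicast
      advertise l2vpn evpn
      redistribute static route-map ALLOW-DEFAULT   ! default reaches all leaves via EVPN
  vrf TENANT-B
    address-family ipv4 unicast
      advertise l2vpn evpn
      redistribute static route-map ALLOW-DEFAULT
```

With this layout a host in VLAN 10 that sends to VLAN 20 hits its local anycast gateway, the leaf finds no route to 10.1.20.0/24 inside TENANT-A, follows the default learned from the border leaf to the firewall, and the firewall routes it into TENANT-B only if policy allows. Check it with `show ip route vrf TENANT-A` on a non-border leaf (only TENANT-A prefixes plus the EVPN-learned default should appear) and with `show bgp l2vpn evpn` for the type-5 default advertised by the border leaf. Exact command syntax and platform support should be verified against the Cisco documentation for the NX-OS release in use.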
03-12-2023 04:52 AM
Sure, it depends on the firewall in your case. Cisco FTD does understand SGT; if not, you can use VN or VRF Lite.
03-13-2023 10:21 PM
Hi,
Is the firewall in transparent mode?
Thanks
03-15-2023 07:35 PM
We need to check the documentation for transparent mode limitations.
03-11-2023 09:52 AM
follow