Beginner

NX-OS Switch BGP Peer with Itself in different VRF

Dear All,

 

I am implementing an inter-tenant firewall and I would like to know what the most efficient way of setting up the routing would be. Basically, I need to route between a main VRF and several protected VRFs using a firewall to hop between them. Each protected VRF would be advertised a default only. There is an EVPN fabric behind all these so the tenants are kept separate.

 

My current thinking is to run iBGP across the firewall and allow the switch to peer with itself inside a different VRF. I heard that this is possible by changing the MAC address used for the peering? Does anyone know the configuration for this, or could point out a document? My platform is N9k.

 

I have shown the target setup in a diagram.

 

Regards

 

James.

Hall of Fame Expert

Re: NX-OS Switch BGP Peer with Itself in different VRF

Hello James,

Looking at your network diagram, we see that the intermediate firewall is not working in transparent mode but is an L3 device (and above) with different IP subnets towards the different Nexus 9000 VRFs.

You don't need to change any MAC address at the SVI interface level on the Nexus device, as there is no direct L2 communication.

The trick of changing the MAC address on one side is needed only if the FW is in transparent mode allowing L2 direct communication.

Using iBGP of a device in main default VRF with the same device in a VRF has the following challenge:

BGP uses the BGP router-id concept, that is chosen for the whole node (at least in IOS, IOS XE devices).

If no command is available to change the BGP router-id on the VRF side, BGP may not be able to set up, seeing the same BGP router-id. (This is something to be tested.)

In that case you should use a different routing protocol, an IGP like OSPF or EIGRP, that has this capability.

To be noted, with the FW being in routed or NAT mode (the naming depends on the FW vendor), it should take part in the routing.

So if the FW is an ASA, EIGRP could be considered.

If the FW is a third-party device, OSPF might be your only choice.

I understand you are already using BGP, MP-BGP for the EVPN, and this would make BGP attractive.

If there is a command that allows setting a different BGP router-id for each VRF on the Nexus, you could use iBGP also on the FW and make the FW a route reflector server between the main default VRF and each VRF.

Using the FW as iBGP RRS might even be a workaround for the same BGP router-id issue.

 

 

Edit:

According to the following configuration guide, Advanced BGP for Nexus 9000 NX-OS 9.3, it is possible to set a BGP router-id in each VRF:

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/unicast/configuration/guide/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x_cha...

 

Using the FW as iBGP RRS removes the need to set up static routes on the FW, so it should be a better solution.

 

Hope to help

Giuseppe
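An added example (not from this thread or the configuration guide) of the NX-OS side of the design Giuseppe describes: the switch peers with the firewall once from the default VRF and once from a protected VRF, each VRF with its own BGP router-id, and the firewall reflects routes between them. Addresses, VLAN numbers, the AS number and the VRF name BLUE are assumptions.

```nxos
! Constructed addressing: FW main-VRF leg 10.0.0.0/30 (VLAN 100), FW leg for protected VRF BLUE 10.0.1.0/30 (VLAN 101);
! switch ends are .1, firewall ends are .2; a single AS 65000 because the design is iBGP with the FW as route reflector.
feature bgp

vrf context BLUE
vlan 100-101

interface Vlan100
  no shutdown
  ip address 10.0.0.1/30
interface Vlan101
  no shutdown
  vrf member BLUE
  ip address 10.0.1.1/30

! The protected VRF accepts only a default from the firewall; the main VRF refuses a default from it.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list NO-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list NO-DEFAULT seq 10 permit 0.0.0.0/0 le 32
route-map FROM-FW-DEFAULT permit 10
  match ip address prefix-list DEFAULT-ONLY
route-map FROM-FW-NO-DEFAULT permit 10
  match ip address prefix-list NO-DEFAULT

router bgp 65000
  router-id 192.0.2.1
  address-family ipv4 unicast
  neighbor 10.0.0.2
    remote-as 65000
    description FW main-VRF leg
    address-family ipv4 unicast
      route-map FROM-FW-NO-DEFAULT in
  vrf BLUE
    ! separate router-id so the two sessions do not present the same id to the firewall
    router-id 192.0.2.2
    address-family ipv4 unicast
    neighbor 10.0.1.2
      remote-as 65000
      description FW BLUE leg
      address-family ipv4 unicast
        route-map FROM-FW-DEFAULT in
```

Because each leg is its own L3 hop on the firewall, no MAC address change is involved; the firewall must set itself as next hop on the routes it reflects, otherwise the protected VRF learns a next hop it cannot reach.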

 

 

Beginner

Re: NX-OS Switch BGP Peer with Itself in different VRF

Hi Giuseppe,

Thank you for taking the time to reply. Presumably with iBGP, though, I would need two peerings to the firewall for each VRF? The firewall is a Fortigate, which can run as an RR server. It sounds like a lot of manual neighbour configuration would be needed.

 

Do you think an alternative would be to run the firewall in transparent mode? Does this allow for sub-interfaces to be set up on the switch VRF at either side, and would these have unique MAC addresses?

 

Regards

James.

 
