The document Cisco Nexus 9000 Series NX-OS VXLAN Configuration Guide, Release 10.2(x) - Configuring Layer 4 - Layer 7 Network Services Integration [Cisco Nexus 9000 Series Switches] - Cisco describes a scenario with a firewall connected to a VxLAN fabric that is providing inter-VRF routing with eBGP as the routing protocol.
Obviously the AS path loop prevention problem needs to be solved since the firewall needs to re-advertise prefixes learnt from one VRF on the fabric to another VRF on the same fabric.
The document says the following: "Various approaches exist, including disabling the rule that BGP drops routes from its own AS, which has further implications to the network. We recommend inserting the “local-as #ASN# no-prepend replace-as” on each firewall peering with different “local-as” per VRF."
Being from a service provider background and knowing the reason why the local-as feature was originally created, my instinct is to use allowas-in 1, which I have tested as working. Since allowas-in 1 limits the extra ASes to 1 and is configured only on the firewall peers, can someone please clarify what "further implications to the network" might mean?
Seeing the same fabric AS number in the path with the intervening FW AS in downstream ASes can be helpful, rather than "masking" one of the VxLAN VRFs with another AS. My environment also has a scarcity of private ASes, so burning an AS on local-as is undesirable.
Can experienced designers weigh in here, specifically as to what "further implications" exist?
Thanks,
Scott
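As an added illustration (not part of the original post or of Cisco's document), here is a small Python model of eBGP AS_PATH loop prevention that traces what each option named in the post does to the path a prefix carries from VRF A, through the firewall, into VRF B. The AS numbers 65000, 65100, 65001 and 65002 are constructed, and the model is deliberately simplified: one prefix, no inbound prepending (the `no-prepend` case), and a loop check against the real ASN only.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed ASNs for the illustration (not from the post):
FABRIC_AS = 65000   # real ASN of the VXLAN fabric, shared by VRF A and VRF B
FW_AS = 65100       # the firewall's ASN


@dataclass
class Peer:
    """One side of an eBGP session, with the two knobs discussed in the post."""
    real_as: int
    local_as: Optional[int] = None  # "local-as N no-prepend replace-as" on this peering
    allowas_in: int = 0             # "allowas-in N": own ASN may appear N times in AS_PATH


def advertise(sender: Peer, as_path: list) -> list:
    """eBGP send: prepend the sender's ASN. With replace-as only the local-as is prepended."""
    own = sender.local_as if sender.local_as is not None else sender.real_as
    return [own] + as_path


def accept(receiver: Peer, as_path: list) -> bool:
    """Receive-side loop prevention: drop the route if the receiver's real ASN
    appears in AS_PATH more often than allowas-in permits (default 0 = never)."""
    return as_path.count(receiver.real_as) <= receiver.allowas_in


def through_firewall(vrf_a: Peer, fw: Peer, vrf_b: Peer, origin_path=()):
    """Carry a prefix originated in VRF A across the firewall into VRF B.
    Returns (accepted_by_vrf_b, as_path_as_seen_by_vrf_b)."""
    path = advertise(vrf_a, list(origin_path))  # VRF A leaf -> firewall
    if not accept(fw, path):
        return False, path
    path = advertise(fw, path)                  # firewall -> VRF B leaf
    return accept(vrf_b, path), path


def scenarios():
    fw = Peer(FW_AS)
    return {
        # 1. Plain eBGP: VRF B sees its own ASN in the path and drops the route.
        "default": through_firewall(Peer(FABRIC_AS), fw, Peer(FABRIC_AS)),
        # 2. allowas-in 1 on the fabric's firewall-facing peering in each VRF:
        #    one occurrence of 65000 is tolerated and the fabric ASN stays visible.
        "allowas-in 1": through_firewall(Peer(FABRIC_AS, allowas_in=1), fw,
                                         Peer(FABRIC_AS, allowas_in=1)),
        # 3. A different local-as per VRF with replace-as: 65000 never appears in
        #    the path (the fabric is "masked") and two extra ASNs are consumed.
        "local-as replace-as": through_firewall(Peer(FABRIC_AS, local_as=65001), fw,
                                                Peer(FABRIC_AS, local_as=65002)),
    }


if __name__ == "__main__":
    for name, (ok, path) in scenarios().items():
        print(f"{name:22s} accepted={ok!s:5s} AS_PATH={path}")
```

The model also shows the bound the post relies on: with allowas-in 1, a path in which 65000 already appears twice is still rejected.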