Re: Route single VRF Traffic to another Interface

otgnwp · ‎11-14-2024

Hi,

We have a requirement where we need to route single VRF (SSOL_Vrf) Traffic in SDA Fabric. Currently all vrf traffic is being forwarded based on default route, as a new requirement we need to forward it to new firewall being a part of SDA Fabric.

Sharing topology below for your reference and Border1 and Fusion 1 switch Configuration for review

Thanks in advance

Regards,

Mohammed Asif

Andrii Oliinyk · ‎11-14-2024

i'd start with analysis of how default route currently injected into VRF (FNs would be good place to start) & then develop action plane to replace it with one from new FW.

otgnwp · ‎11-14-2024

Hi,

Please refer attached Border 1 Switch and Fusion 1 Switch configuration.

Border 1 Switch is part of SDA Fabric. Where as Fusion 1 Switch not a part of SDA fabric. BGP routing Protocol uses between Border 1 switch and Fusion 1 switch to route vrf traffic outside SDA Fabric.

Thanks in Advance

Regards,

Mohammed Asif

Andrii Oliinyk · ‎11-14-2024

it's well known fact that FNs r not part of the Fabric in supported designs as well as VPNv4 BGP AIF Option A is used for BN-FN peering. it doesnt bring any matter to analysis yet to be done. as i said above: start with investigation on FNs of how default route gets injected into VRF.
UPD. i guess simplest way for u would be replacing target VRF's interconnect on FNs from that toward Core to one toward new FW. Injection of default route into VRF on FNs is matter of technique.

Torbjørn · ‎11-15-2024

Am I interpreting this correctly?

Traffic is currently being routed to your fusion node, which in turn is forwarding it directly to the core
You wish to force this traffic to be routed towards your firewall from your fusion node
The firewall is external to the fabric, as shown in your topology drawing

If that is the case I would configure a new "intermediate" VRF on your fusion nodes used only for routing between the border and your firewall. This way you can have one FW interface in each VRF(one in the "SDA peering" VRF and one in the "upstream" VRF) to force traffic through your FW. I would also consider connecting both fusion nodes to the firewall such that you get fusion node redundancy for the VRF.

Please see the following diagram for a better depiction of what I mean:

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

otgnwp · ‎11-15-2024

Hi Torbjon,

Thanks for Response,

Traffic is currently being routed to your fusion node, which in turn is forwarding it directly to the core - Yes
You wish to force this traffic to be routed towards your firewall from your fusion node - Yes, i have Mutliple Vrf Border node, which i need route only one vrf traffic to New Firewall not all vrf Traffic.
Will Intermediate Vrf forward traffic of all vrf or only single vrf i.e; SSOL_Vrf.

Thanks in Advance,

Regards,

Mohammed Asif

Torbjørn · ‎11-15-2024

On your fusion node you should:

Create new intermediate VRF on your fusion node(s)
Move the interface you use for peering against the SSOL_Vrf VN into the new intermediate VRF
Create a new subinterface or move a physical interface connected to your firewall to the intermediate VRF
Configure routing within the new VRF such that you both have a BGP peering against your SDA border handoff and against the firewall.
Create a new subinterface or move a separate physical interface connected to your firewall to your desired "upstream" VRF
Configure routing between the "upstream vrf" on your fusion node and the "upstream vrf" interface of your firewall.

This will result in a configuration that only forces the traffic in your SSOL_Vrf VN through the firewall. Routing for all other VNs should be unaffected by this change.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev