SD-Access Firewall Design

techno.it
Level 1

Hi Folks,

I have a customer with two Borders co-locating the control plane and fabric border on the same nodes, and all FEs have uplinks to both borders. I also have two DC distribution switches that aggregate the DC ToR switches. On the other hand, I have a pair of 2 core firewalls for the Internet edge and Data Center segmentation.

The firewalls will forward traffic inside and outside the network and control east-west traffic between servers and northbound traffic from campus endpoints.

The question arises where to place these firewalls in the topology. What is Cisco's validated and secure design for such scenarios? It makes more sense to connect them to the Borders and steer traffic, but I am afraid it may impact firewall performance, and secondly, in that case, how would SGT policies be enforced on traffic passing through the firewall?

 

@jalejand : Appreciate if you can share your valuable inputs


jalejand
Cisco Employee

You could use the Firewall as "Fusion Routers", meaning as the L3 Handoff for the Borders.

For SGT enforcement, you can make use of SXP to enforce SGT rules for traffic from inside-to-outside of the fabric. If using FTDs, SXP can be used to learn SGT mappings from inside of the fabric and enforce them there.

Alternatively, you can use SXP in the Fabric Borders to enforce SGT rules inside-to-outside the fabric:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html

https://community.cisco.com/t5/security-documents/policy-enforcement-within-sda-border/ta-p/3646816
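The two SXP options in this reply, as an added configuration example that is not part of the thread or of Cisco's published guides; addresses, SGT values and the shared secret are assumed placeholders:

```cisco
! Added example (not from the thread): SXP so the firewall can enforce SGT
! rules on fabric-to-outside traffic, plus the border-enforcement
! alternative. Addresses, SGT values and the shared secret are assumed.
!
! --- Border/CP node (IOS-XE), SXP speaker towards the firewall ---
! The border holds IP-to-SGT bindings for fabric endpoints; SXP carries
! them over the L3 handoff, where the SGT would otherwise be lost once
! the VXLAN header is removed.
cts sxp enable
cts sxp default password 0 REPLACE_WITH_SHARED_SECRET
cts sxp default source-ip 10.254.0.1
cts sxp connection peer 10.254.0.2 password default mode local speaker
!
! Alternative: enforce on the border itself with ISE-downloaded SGACLs.
! The border then needs SGTs of outside destinations (DC servers), which
! it can learn as an SXP listener from ISE (ISE address assumed).
cts sxp connection peer 10.10.10.10 password default mode local listener
cts role-based enforcement
!
! --- Firewall (ASA CLI; on FTD via the ISE/SXP integration in FMC) ---
cts sxp enable
cts sxp default password REPLACE_WITH_SHARED_SECRET
cts sxp default source-ip 10.254.0.2
cts sxp connection peer 10.254.0.1 password default mode local listener
!
! Rule keyed on learned SGTs (FTD: SGT conditions in the access control
! policy). SGT 10 = campus users, SGT 20 = DC web servers (assumed).
access-list CAMPUS_IN extended permit tcp security-group tag 10 any security-group tag 20 any eq 443
access-list CAMPUS_IN extended deny ip any any
access-group CAMPUS_IN in interface campus_vn
!
! Verify: show cts sxp connections ; show cts role-based sgt-map all  (border)
!         show cts sxp connections ; show cts sxp sgt-map              (ASA)
```

With two firewalls cross-connected to both borders, each border needs one speaker connection per firewall peer, and the firewall rule only matches once the peer shows up as connected and the sgt-map lists the fabric bindings.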

techno.it
Level 1

@jalejand 

An L3 handoff on the firewall to reach the data center (northbound) may significantly impact firewall performance.

Any thoughts on alternative design?

Scott Hodgdon
Cisco Employee

@techno.it ,

Can you please provide a diagram of this environment? This will help to make a proper recommendation.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

techno.it
Level 1

@Scott Hodgdon 

 

I have attached the diagram. I want to stress also the same firewall will also be used for Data Center segmentation.

@techno.it ,

Of those two designs, Design 2 is the simpler and would be the way I would go given the choice as long as the firewalls can handle the bandwidth for the DC. I would cross connect both FB/CP to each firewall as you always want to design triangles and not squares. You may or may not need the cross-link between the FB/CP nodes depending on which version of LISP you use (LISP/PubSub or LISP/BGP ... this is a new choice in DNAC 2.2.3.3 and newer). With LISP/PubSub, you would not need to run iBGP between the FB/CP nodes.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

techno.it
Level 1

@Scott Hodgdon 

 

In case I opt for Design 2, how should the firewalls be configured with the L3 handoff? I have not seen any technical documentation on it.

By the way, what's your thought on Design 1? I am afraid the L3 handoff on the firewall to reach the data center (northbound) may significantly impact firewall performance.

@techno.it ,

The Firewall is just the other side of the L3 handoff configured on the Border. If you use the recommended handoff of BGP on the border, then you will have to run BGP on the firewall as well. However, you can use whatever handoff you want as long as it is a vrf-lite handoff from the border. Anything other than BGP will have to be done manually, and you will have to account for potential loops. One reason we chose BGP for the handoff is that it has loop prevention by default.

As far as design 1, you would just have more handoffs to configure. You would have 4 vrf-lite handoffs versus 2 in Design 2. Fewer handoffs means a simpler environment to support, which is always my goal if it can be done. If bandwidth is a concern and you need to go to Design 1 for that reason, then it is a supported design for sure.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group
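One vrf-lite BGP handoff from a border to a firewall, as this reply describes, written out as an added example; it is not from the thread and not DNA Center generated configuration, and the VN name, VLAN, addresses and AS numbers are assumed:

```cisco
! Added example (not from the thread and not DNAC-generated config): one
! vrf-lite BGP handoff from a border to a firewall, as described above.
! VN name, VLAN, addresses and AS numbers are assumed. Repeat the SVI and
! neighbor per VN, and the neighbor per firewall (Design 2 cross-connects
! both FB/CP nodes to both firewalls).
!
! --- Border node (IOS-XE) ---
vrf definition CAMPUS_VN
 rd 1:4099
 address-family ipv4
 exit-address-family
!
vlan 3001
 name CAMPUS_VN_handoff
!
interface Vlan3001
 description L3 handoff, VRF CAMPUS_VN to firewall
 vrf forwarding CAMPUS_VN
 ip address 10.254.0.1 255.255.255.252
!
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 vrf CAMPUS_VN
  ! fabric prefixes of this VN, summarised to the VN's pool (assumed)
  redistribute lisp metric 10
  aggregate-address 10.100.0.0 255.255.0.0 summary-only
  neighbor 10.254.0.2 remote-as 65002
  neighbor 10.254.0.2 update-source Vlan3001
  neighbor 10.254.0.2 activate
  ! bound what the firewall side can inject into the VN
  neighbor 10.254.0.2 maximum-prefix 100
 exit-address-family
!
! --- Firewall side (ASA CLI; on FTD the same is built in FMC) ---
interface GigabitEthernet0/1.3001
 vlan 3001
 nameif campus_vn
 security-level 100
 ip address 10.254.0.2 255.255.255.252
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
router bgp 65002
 address-family ipv4 unicast
  neighbor 10.254.0.1 remote-as 65001
  neighbor 10.254.0.1 activate
  ! hands the static default above to the VN as the Internet route
  redistribute static
!
! Verify: show ip bgp vpnv4 vrf CAMPUS_VN summary   (border)
!         show bgp summary                          (ASA)
```

The loop prevention the reply refers to is eBGP's AS_PATH check: a VN prefix the firewall learned from one border carries AS 65001 and is dropped if it is offered back to the other border, whereas a static or IGP handoff needs that guard built by hand with route filters.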

 

techno.it
Level 1

@Scott Hodgdon 

 

Design 2 is simple and clear.

In Design 1, the DC and Border switches can be configured as VSS so only 2 handoffs will be required. The firewall would be connected to the DC switch over a transit VLAN, creating a default route and importing it into each VRF for Internet connectivity. OR can I connect the firewalls to the borders directly, with the default route from the borders for the Internet being the firewalls, as long as I am providing specific routes to the borders for the DC subnets?

Another point: let's suppose the same firewall is to be used for segmenting servers in the DC, and fabric hosts need connectivity to those servers. How would that traffic be traversed?

 

@techno.it ,

Once the VXLAN header is removed on the Border, everything after that is just regular IP routing that one would do in any network with vrf-lite. While we do recommend using BGP as a handoff protocol for the reasons previously stated, you don't have to do that. You can send the vrfs to any device you want from the border on any number of connections you want using whatever protocol you want. 

I would not make the Border/CP into a SWV pair just to save on the number of handoffs. There are only a few use cases where SWV is justified for a Border/CP, IMO. An example of this would be if you had 4 Borders and wanted more resilience for the CP function, you could build two SWV pairs from the 4 Borders to in essence give 4 platforms that could host the CP function with 2 being active at any time.

Your last scenario is why I would use Design 2. This would be just normal firewall operations.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group
