SDA and Firewall

katerina.dardoufa · ‎05-15-2024

Hello all,

we have implemented SDA, but there seems to be a need for extra firewalling (fine-tuning with SGTs etc is proving to be a bit difficult). Routers are used for fusion functionality (no firewall there), so I was wondering if there is another way to introduce a firewall into the equation. We do have catalyst 9300 so containerized ASAv could be a solution at some point (I am not sure how mature the product is, and what extra steps need to be taken in terms of licensing and the like), so I was looking for a solution with a traditional firewall. I cannot find any relative information (validated design etc). Is such a solution supported? Are there any relevant docs?

Thank you in advance,

Katerina

andy!doesnt!like!uucp · ‎05-15-2024

Not sure about vASA as a guest in BN's(FN's) layer, but if u r using cisco [IA]SRs as FNs u may leverage ZBF per VRF there (pay attention to platform performance here!- Miercom Report - Cisco Catalyst 4500E vs. Brocade FastIron SX 1600 ).
Nevertheless u end up with manual (aka Network Template) configuration on that layer.

Boort · ‎05-15-2024

When you create a network in a VN you have the option to create one that is Layer2-Only. This allows you to have your gateway outside the fabric, for example on a firewall. Note that this feature needs native multicast in your network underlay. Available on dnac 2.3.5 and up i belive

Also note that this is early access on 2.3.5

katerina.dardoufa · ‎05-17-2024

Thank you both Andy and Boort for your suggestions. I will consider both of them and see what best suits our situation.

As far as the L2-only solution goes, can any relevant documentation be shared?

andy!doesnt!like!uucp · ‎05-17-2024

Layer 2 Virtual Networks with Gateway Outside of Fabric - Cisco Community

while u r in the design phase, also consider to walk through BRKCRS-2823.pptx (ciscolive.com) SD-Access Segmentation Design Guide - Cisco Community