SDA Default borders and firewall fusion

KevinR99

Hi

We are proposing an SDA solution to a customer. They intend to retain a pair of 3rd party firewalls as their fusion device. The intention is to connect each Border to one of the firewalls. However, since the firewalls are in HA, only one will be active.

Can we deploy 2 x Anywhere Borders and, if the traffic is sent to the one connected to the standby firewall, have the traffic redirected to the other Border somehow? It is expected we will use a dynamic protocol between each Border and the firewalls. So while one firewall is active it will peer with its Border and send a default route. The other Border, connected to the standby firewall, will not have a peer with the firewall whilst it is standby.

What would the mechanism be, if it is possible, for traffic to find its way to the Border receiving the default route from the active firewall? Would LISP handle this and direct traffic straight to that Border?

Thank you for any input, Kev

8 Replies

Hi Kevin
There are many FWs operating in HA Active/Standby mode with stateful failover. By introducing an intermediate L2 switch stack between your BNs and the FW A/S pair you can achieve that both your BNs have connectivity with both FW units (1st link to 1st BN, 2nd link to 2nd BN, 3rd and 4th links to FW Active and Standby correspondingly, all switchport mode trunk). Voila, you have the classical design for basic connectivity between BNs and FW. Wouldn't it make sense for you?

KevinR99

I think LISP Pub/Sub is the answer here. Both Borders would advertise a default into LISP if they both had a default. What I would have is kind of a failure scenario where one of my Borders has lost, or didn't have, a default because the standby firewall isn't peering with it over eBGP. So when a failure happens that causes the firewalls to fail over, the Border connected to the previously active firewall loses its eBGP peer, and the other Border, now connected to the newly active firewall, establishes an eBGP peering and gets a default. LISP Pub/Sub updates the Edge nodes as to which Border now has the default.

Does that sound like the high level description of what will happen? Essentially I am creating 2 Anywhere Borders but only one will have a default at any time. LISP handles telling the Edges where that default is.

Kev

Not sure how with only LISP PubSub you will resolve the BN-to-FW HA topic.

I'm struggling to actually understand LISP Pub/Sub and its uses. My scenario is I have 2 Anywhere Borders and each has a default route for internet traffic. They will peer with the same firewall HA pair and each receive a default route via BGP. In a normal operating scenario both Borders have the default and can pass internet traffic to the firewall and out. However, what if one Border loses its connection to the firewall and hence its default route? I can solve that issue with some iBGP config between the Borders, but I had thought LISP Pub/Sub might have been the solution here by tracking the default route and somehow advertising the ability of each Border to pass default traffic. Then if one Border loses its default, LISP somehow updates the Edges to only send default traffic to the Border that still has its default route.

My iBGP solution is for each Border to advertise its default to the other via iBGP. While the eBGP route via the firewall exists, that is used. If one Border loses its eBGP default, the iBGP one becomes active and any traffic hitting that Border is passed across to the other and out.

Thanks, Kev.
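The iBGP backup default described in the post above, written out as an IOS-XE configuration for one of the two Borders. This is an added illustration, not the configuration DNAC generates and not anything posted in this thread. The AS numbers (65001 for the fabric site, 65000 for the firewall), the VRF name INFRA_VN, the neighbor addresses, and the route-map and prefix-list names are all assumed for the example. It relies on the IOS default administrative distances (eBGP 20, iBGP 200): while the eBGP default from the firewall is present it wins, and the iBGP default learned from the other Border only enters the routing table when the eBGP default is withdrawn.

```cisco
! Border A (assumed addressing; Border B mirrors this with the neighbor
! addresses swapped). All sessions live inside the INFRA_VN VRF.
router bgp 65001
 bgp router-id 10.255.0.1
 !
 address-family ipv4 vrf INFRA_VN
  ! eBGP to the firewall HA pair. The active unit owns the shared
  ! interface address, so the session follows the active unit on failover.
  neighbor 192.0.2.1 remote-as 65000
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 route-map FROM-FW in
  !
  ! iBGP to Border B inside the same VRF. next-hop-self makes Border B
  ! forward default traffic to Border A rather than to the firewall
  ! address it can no longer reach; the outbound route-map keeps the
  ! exchange to the default route only, so the Borders never learn each
  ! other's fabric prefixes over BGP (LISP carries those).
  neighbor 10.10.10.2 remote-as 65001
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 next-hop-self
  neighbor 10.10.10.2 route-map IBGP-DEFAULT-ONLY out
 exit-address-family
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Accept only a default from the firewall; anything more specific that a
! misconfigured firewall might leak is dropped before it reaches the RIB.
route-map FROM-FW permit 10
 match ip address prefix-list DEFAULT-ONLY
!
route-map IBGP-DEFAULT-ONLY permit 10
 match ip address prefix-list DEFAULT-ONLY
```

To confirm the behaviour in a lab, shut the firewall-facing interface on Border B and check `show ip route vrf INFRA_VN 0.0.0.0 0.0.0.0` there: the default should change from the eBGP path (distance 20, next hop 192.0.2.1) to the iBGP path (distance 200, next hop 10.10.10.1), and `show ip bgp vpnv4 vrf INFRA_VN 0.0.0.0/0` on Border A should still show only its own eBGP-learned default. Note that with this design traffic entering Border B during the failure is hairpinned across to Border A, so the link between the two Borders needs to be sized for the internet-bound load of the whole fabric during that window.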

PubSub will remove iBGP from your Fabric: eNTek Knowledge Bite: LISP PubSub | LinkedIn
For the rest you will be left with L1-L3 redundancy to be designed to the extent acceptable for your needs.

KevinR99

Maybe I've not explained my setup correctly. I am using the extranet policy feature to share my INFRA VN with a customer VN. Let's call the customer VN Users. So Users can then use the INFRA VN exit to the internet and shared services. Regarding iBGP, I didn't configure that on the INFRA VN. DNAC did, and deployed a route map against the iBGP neighbours to filter routes. The iBGP neighbours are my Borders. Perhaps you were referring to the iBGP in the customer VNs being removed. Prior to LISP Pub/Sub I did use iBGP between the Borders in each VN.

Coincidentally, the LinkedIn link you reference is exactly what I found and am hoping to use.

https://www.linkedin.com/pulse/entek-knowledge-bite-lisp-pubsub-entek-it-solutions/

The diagram to the right under the text "Using LISP PubSub in your SD-Access network benefits routing convergence and fabric stability." is precisely what I want.

Dynamic default border is exactly what I need.  I’ll test this.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2023/pdf/BRKENS-2811.pdf

alberx

Just the Fabric created as LISP Pub/Sub should be enough. I deployed an SD-Access Fabric Network with 3 Borders in 3 different Data Centers. Before LISP Pub/Sub I had to create iBGP routing config between the 3 Borders for VN redundancy in case any of the fusion routers in the DC failed.

After implementing LISP Pub/Sub I realized it was not necessary to create the iBGP routing. The redundancy tests I made powering down the fusion routers were successful without any impact on the end devices downloading from the internet.
