4424 Views | 7 Helpful | 38 Replies

Seeking Guidance on SDA Deployment - Fusion FWs and BGP Configuration

thenetadmin
Level 1

Hey Cisco Community,

Sorry for the long post.

We are working on an SDA solution for a customer who plans to retain a pair of 3rd-party firewalls as the fusion device. This is an entirely greenfield deployment.

The network design involves connecting the border nodes to the fusion firewall via BGP, using VLANs on trunk interfaces (dot1q trunk). I would appreciate some insights from the community on a few questions related to this setup:

  1. We will deploy Catalyst 9600R as border nodes. Should we configure them as a StackWise pair, or would it be better to set them up as two separate fabric borders?

  2. If we proceed with separate borders rather than a StackWise setup, would we need to manually configure iBGP between the border nodes, or is there an option to automate this in a recent DNAC software release?

  3. Given that the firewalls are in HA mode (active & standby), how would traffic flow if the borders are configured either in StackWise mode or as two separate nodes?

  4. The customer has two distinct firewalls: one for the Internet Edge (WAN/internet traffic) and another for the Data Center (DC traffic). Should we establish two separate BGP peerings, one with the Internet Edge firewall for internet-bound traffic and another with the DC firewall for data-center-bound traffic? This would help ensure that internet traffic routes through the Internet Edge firewall and DC traffic routes through the DC firewall.

  5. Should the Cisco WLC connect in the DC or directly to the border nodes? Should it be fabric-enabled or not?

Thanks in advance.

38 Replies

That sounds good. One small variation: I have been told that in the most recent CatC build, LAN-A will automatically add routed links between the primary seed and the secondary seed if the cables are present, but I haven't had a chance to test it yet.


thenetadmin
Level 1

@jedolphi Thank you. That would be very helpful and the icing on the cake.

Could you please add your valuable inputs and comments on the attached design, especially the eBGP and fusion parts?

Server SVIs in the Data Center are on the firewall for east-west and north-south control in the DC, and maybe some low-criticality and shared services will be on the DC distribution switch.


Since the fusion switch is a vPC pair, you could have a port channel between the BNs and the fusion switches, ASSUMING the vPC switch supports BGP peering over vPC (sorry, I am not up to speed on the latest NX-OS capabilities). For BN to vPC switch you would need to configure the port channels manually, resync the BNs in CatC Inventory, and then in the SDA UI you can add a Layer 3 Handoff to the port channel.

thenetadmin
Level 1

Thanks @jedolphi 

If we switch to fusion firewalls, given that the two separate deployment firewalls are in HA (Active/Standby) and the two borders are separate, what would the eBGP setup be? Attaching an updated diagram for the fusion-firewall case.


There's a Cisco Live presentation that covers BN + FW designs, please check BRKSEC-2845.

thenetadmin
Level 1

Thank you @jedolphi for sharing the Cisco Live presentation. It was very helpful.

Is it possible to assign a /29 subnet to the borders for the L3 Handoff? Normally it assigns a /30 per link. Can we change it in DNAC to push a /29? Appreciate your guidance.

I have attached a slide from the Live presentation for information.


jedolphi
Cisco Employee

Yes, you can assign whatever subnet mask you require through the L3HO automation in the CatC SDA app UI. The capability was added to CatC some time ago, perhaps as far back as 2 years ago. Note that BN L3HO IP addressing is either fully automatic (/30s) or fully manual (you type all the IP addresses and subnet masks into the SDA UI).

 
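To make the /30-versus-/29 distinction above concrete, here is an added worked example (not code from the thread or from Cisco) that plans L3 handoff addressing for two border nodes peering with a fusion firewall and emits the IOS-XE-style subinterface and per-VRF eBGP configuration for each border. With a /30 per link, each border-to-firewall link needs its own subnet; with a /29 per VRF, both borders and the firewall can share one subnet. Every VRF gets its own dot1q subinterface and its own BGP session, so the firewall sees each VN separately and can enforce inter-VN policy. The VRF names, VLAN numbers, base prefix, AS numbers, uplink name and the host ordering (BN1 first usable, BN2 second, firewall last) are all assumptions; CatC may number things differently, and in fully manual mode you would type the chosen addresses into the SDA UI.

```python
"""Plan L3 handoff (L3HO) addressing and emit IOS-XE-style config for two SDA
border nodes peering with a fusion firewall over dot1q subinterfaces.

Added example, not from the thread. All names, VLANs, prefixes and AS numbers
below are illustrative assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Handoff:
    vrf: str                                # VN / VRF carried on this handoff
    vlan: int                               # dot1q tag on the BN-to-FW trunk
    subnet: ipaddress.IPv4Network           # handoff subnet
    border_ips: dict                        # border name -> its address
    firewall_ip: ipaddress.IPv4Address      # firewall (HA shared) address


def plan_handoffs(vrfs, base_prefix, prefix_len, borders=("BN1", "BN2"), vlan_start=3001):
    """Carve one subnet per VRF per border for /30, or one shared subnet per VRF for /29.

    A /30 has only two usable hosts, so each border-to-firewall link must be its
    own subnet (this is what the automatic /30 mode produces). A /29 has six,
    so both borders and the firewall can sit on one subnet per VRF.
    """
    pool = ipaddress.ip_network(base_prefix).subnets(new_prefix=prefix_len)
    handoffs = []
    vlan = vlan_start
    for vrf in vrfs:
        if prefix_len == 30:
            for bn in borders:
                net = next(pool)
                hosts = list(net.hosts())
                handoffs.append(Handoff(vrf, vlan, net, {bn: hosts[0]}, hosts[1]))
                vlan += 1
        else:
            net = next(pool)
            hosts = list(net.hosts())
            if len(hosts) < len(borders) + 1:
                raise ValueError(f"/{prefix_len} too small for {len(borders)} borders plus firewall")
            border_ips = {bn: hosts[i] for i, bn in enumerate(borders)}
            handoffs.append(Handoff(vrf, vlan, net, border_ips, hosts[-1]))
            vlan += 1
    return handoffs


def border_config(border, handoffs, uplink="TenGigabitEthernet1/0/1", local_as=65001, fw_as=65002):
    """Render the subinterfaces and per-VRF eBGP neighbors for one border node."""
    mine = [h for h in handoffs if border in h.border_ips]
    lines = []
    for h in mine:
        lines += [
            f"interface {uplink}.{h.vlan}",
            f" description L3HO {h.vrf} to fusion firewall",
            f" encapsulation dot1Q {h.vlan}",
            f" vrf forwarding {h.vrf}",
            f" ip address {h.border_ips[border]} {h.subnet.netmask}",
        ]
    lines.append(f"router bgp {local_as}")
    for h in mine:
        # One session per VRF: the firewall peers into each VN separately.
        lines += [
            f" address-family ipv4 vrf {h.vrf}",
            f"  neighbor {h.firewall_ip} remote-as {fw_as}",
            f"  neighbor {h.firewall_ip} activate",
            " exit-address-family",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: two VNs, a /24 handoff pool, /29 per VRF.
    plan = plan_handoffs(["CORP", "GUEST"], "10.255.0.0/24", 29)
    for h in plan:
        print(h.vrf, h.vlan, h.subnet, h.border_ips, h.firewall_ip)
    print(border_config("BN1", plan))
```

Running the block prints the /29 plan (10.255.0.0/29 for CORP with BN1 .1, BN2 .2, firewall .6, then 10.255.0.8/29 for GUEST) and BN1's config; calling `plan_handoffs(..., 30)` instead yields four /30s, one per border per VRF, which is the layout the automatic mode gives you.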

thenetadmin
Level 1

@jedolphi  Thank you. Appreciated. 

thenetadmin
Level 1

Thank you @jedolphi @Andrii Oliinyk for all your valuable comments. I appreciate it.