Showing results for 
Search instead for 
Did you mean: 

Fabric Border Node and Firewall connectivity

Hello everyone,

I have an upcoming project. Network design consists of 9500 as a campus core, 9500s as data center aggregation dist and 9300s as campus edge. Network is current working in traditional fashion.

I would configure DC agg switch as fusion route to do route leaking for DC network and shared services

I will migrate network from traditional to fabric.


The questions are

1. Can we directly connect the firewall to border node but firewall does not support BGP ?
2. How external traffic will be routed on internet if firewall connect to border including Guest VN

Cisco Employee

At this point I asume your 9500 Fusions will be directly connected to borders to do route leaking for Enterprise traffic and not Guest traffic, which is totally fine.


For Guest_VN then you want to add a Firewall to provide external connectivity for this VRF, is that correct? You don't need to run BGP on the firewall, you can rely on static routes instead (which naturally will introduce drawbacks like response-on-failure) or any other protocol.


For example.


Border 1 can configure an L3 handoff peer for Guest_VN which will configure BGP, SVIs and VLANs for Guest_VN.

Take only the SVI to create a p2p peer with the FW.


Border 1 (SVI 3010, IP, VRF Guest_VN) ---------- (Enca Dot1q 3010, FW (Internet Outside/NAT)

Border 1 has a static default route to in VRF Guest_VN , the FW has a specific route to pointing to fabric subnets for Guest_VN.


Of course this is at a very low level and full of assumptions!, I would rather see a diagram of what you intent to do!

@jalejand: Thanks for the quick response. I will post a diagram in a while to ensure we are on same page

Firewall is for external connectivity to internet and WAN for whole enterprise network ( DC, Users, Guest etc)

Hi Jalejand,

Please see the diagram attached.

I see, in that case, you will need a set of routes received via eBGP from Fusions to Borders (you could use RFC1918 for, and as summaries and configure a static route  pointing to the Firewall from every VRF to the Firewall to cover internet traffic.

You will need to setup subinterfaces in the firewall 1 subinterface per VRF per Border, a static route per VRF per Border, BGP would be desired for failure detection. FW can have static routes back to the Fabric, next hop of the subnet will depend on the VRF peer. Question here, only Border 2 will have a link to the FW?

If that is the case, do a static route on Border 2, do network from Border 2 in every VRF to propagate it to Border 1 via iBGP between borders. Additionally, if Border 1 will NEVER be used for internet traffic, you could even configure Border 1 as internal and 2 as Anywhere or External, by doing this, Internet traffic will never go to Border 1.


Both borders will have uplink to Firewalls. 

Firewalls are configured as an HA pair ( active/standby). Primary firewall is connected to Border1 and standby on Border 2

I am not fully into Firewalls and its Active/Standby operation (Standby IPs are available while the Active is?).

Some kind of dynamic routing will be needed being BGP the preferred one, I would be surprised that Firewalls can't run BGP if these are active/standby, which model of firewall?

Content for Community-Ad