VDC routing and VPCs configuration

juanlarriega1
Level 1

Hello experts;

I am in the process of migrating our Core network from Catalyst 6509s to a couple of Nexus 7706 and 5596. We have three different types of traffic, which I will call three regions: Dev, Test and Prod. I would like to create VDCs for each of these regions. For communication between regions, I would like to go through a firewall, but for communications within a region, I would like to bypass the firewall and go directly to the device (i.e. a Dev host trying to reach another Dev host).

I have the following questions:

1) Can I configure multiple VPCs from one device to multiple VDCs as depicted in the attached diagram?

2) Or should I forget about VPCs between the VDCs and 5596 and just have trunk and port channel connections between the VDCs and 5596?

Thanks;

Juan 



8 Replies

Reza Sharifi
Hall of Fame

Hi,

The 5500 series switches don't support VDC. Also, I don't see the 7706 in your drawing, but since you have a couple of firewalls (as shown in the drawing) you can put each region in a separate VRF and use the firewalls to allow communications between different segments. Note that the firewalls need to be capable of using contexts (VRFs). VDC is harder to deploy if you need the regions to communicate with each other or the Internet, as you have to physically connect the segments together.

HTH

Thank you Reza for your reply.

I have two 7706s, which I tried to depict with the boxes on top of the 5596. The VDCs in the first 7706 are depicted as "dev-1", "test-1" and "prod-1"; the VDCs in the second 7706 are depicted as "dev-2", "test-2" and "prod-2".

The firewalls that we are using are Palo Alto firewalls, and I will need to check to see if they support VRFs.

I have another question: can I have a Layer 2 connection between VDCs, or do inter-VDC connections only support Layer 3?

Thanks again Reza

Hi Juan -

Going with your VDC idea I think that you are wasting port-channels and should be doing back-to-back vPCs between the N7K and the N5K.  Each of the VDCs (and vPCs) would need to carry a unique set of VLANs to ensure separation on the N5K, since the 5K doesn't support VDC.

I tend to agree with Reza on this though.  Unless you have separate network teams managing the different VDCs, VRF-Lite is a better solution.  It will provide you a similar functionality in terms of routing table separation and greatly simplify your management.  You'll also burn significantly less ports since you will only need a single back-to-back vPC from the 7Ks to the 5Ks.

For your firewall, I suggest /30 or /29 handoff networks to each DMZ (Prod, Dev, Test) with appropriate routing set up for each.  Traffic within each "region" would be routed based on separate VRF-based routing tables on the N7K (i.e. inter-vlan routing), then default routes point back to the firewall to reach the other network (or internet).

Thank you Paul and Reza, I really appreciate your responses.

I think I am going to take your approach of using VRF-Lite for segmenting the regions but I have a question on the configuration and connectivity of layer 2 devices, switches, with devices having IP prefixes from the different regions. 

I am trying to visualize how a device connected to a switch establishes a session with its corresponding VRF region. I guess a VRF 101 refresher may help. If I can reference the VRF in the switch interface, it may help the session establishment.

If you have a comment or sample configuration that can be shared, I would really appreciate it.

Thank you Both;

Juan 

Hi Juan,

To do VRF I assume that the 7ks will be terminating all your vlans (layer-3). If this is the case you would need to have one transit vlan (connecting the 7ks to PAs) for each region.

Each transit vlan will need to be in a separate VRF. You also need the same number of VRFs on the PAs. I am not familiar with PA firewalls, but you would need a way to be able to leak the VRFs together if they need to communicate with each other for some resources; if they don't, then there is no need for leaking. Assuming these regions need to have access to the Internet, you would have to work with PA to figure out how you can leak all these VRFs to global for accessing the Internet. Remember there is complexity involved in configuring all these VRFs, as well as maintaining and managing them. If you don't have to keep these regions completely separate from one another and it is not a security requirement, you can simply separate the regions by vlans and use firewall policies to block communication between them.

HTH

Thank you Reza.

Hi Juan -

This is how I conceptualize your setup at L3.  Each N7k represents your VPC pair, so HSRP or VRRP will be needed.  This is an all static route setup.

We will assume Prod is in the default VRF which you already know how to use since it doesn't require any unique commands.  I'll provide a sample for Dev and you should be able to run from there.

! Enable SVIs and HSRP (both are features that must be turned on in NX-OS
! before the interface Vlan / hsrp commands below are accepted)
feature interface-vlan
feature hsrp
!
! Create VRF instance and static route
! The default route points at the firewall's address on the DEV handoff network
vrf context DEV
  ip route 0.0.0.0/0 10.3.255.249
exit
!
! Assume VLAN 300 is handoff network
! Sample shows primary of 2 N7Ks
! NX-OS HSRP takes the virtual address with "ip" ("address" is the VRRP keyword)
! SVIs are admin-down by default on NX-OS, hence the "no shutdown"
vlan 300
  name DEV-FW-HANDOFF
interface Vlan300
  description DEV-FW-HANDOFF
  vrf member DEV
  ip address 10.3.255.252/29
  hsrp version 2
  hsrp 300
    ip 10.3.255.254
    priority 110
    preempt
  no shutdown
!
! Sample DEV VLAN
vlan 301
  name DEV-SEGMENT1
interface Vlan301
  description DEV-SEGMENT1
  vrf member DEV
  ip address 10.3.1.2/24
  hsrp version 2
  hsrp 301
    ip 10.3.1.1
    priority 110
    preempt
  no shutdown

Since all the routing points to the firewall, you just treat each network like a DMZ and apply rules as needed.

(Things get a little more complicated if you need a dynamic routing protocol.  The example above provides nicely summarizable networks.)

PSC
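The design Paul sketches above (and in his earlier reply about /29 handoff networks and default routes back to the firewall) can be checked mechanically: every non-default VRF should carry a default route whose next hop sits on that VRF's own connected handoff subnet, no subnet should appear in two VRFs, and a route lookup should send intra-region traffic to a connected SVI while inter-region traffic lands on the firewall. The Python below is an added example, not code from the thread or from Cisco; it parses a small NX-OS-style snippet built from Paul's DEV sample plus a TEST VRF whose addresses (10.4.x) are assumptions, and it implements a simplified longest-match lookup (connected routes, then the VRF default) rather than a full NX-OS RIB.

```python
"""Added example (not from the thread): parse an NX-OS-style VRF-Lite config
and check that each region's routing matches the design described above:
intra-region traffic is routed directly on the N7K, everything else goes to
the firewall via the VRF's default route."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: Paul's DEV snippet plus a TEST VRF written the same way
# (the TEST addresses are assumptions, not values from the thread).
SAMPLE_CONFIG = """
vrf context DEV
  ip route 0.0.0.0/0 10.3.255.249
vrf context TEST
  ip route 0.0.0.0/0 10.4.255.249
interface Vlan300
  vrf member DEV
  ip address 10.3.255.252/29
interface Vlan301
  vrf member DEV
  ip address 10.3.1.2/24
interface Vlan400
  vrf member TEST
  ip address 10.4.255.252/29
interface Vlan401
  vrf member TEST
  ip address 10.4.1.2/24
"""


def parse_config(text):
    """Return (vrfs, interfaces): vrfs maps name -> default-route next hop
    (or None); interfaces maps name -> {'vrf': ..., 'net': IPv4Interface}."""
    vrfs, interfaces, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"vrf context (\S+)$", line):
            section = ("vrf", m.group(1))
            vrfs.setdefault(m.group(1), None)
        elif m := re.match(r"interface (\S+)$", line):
            section = ("if", m.group(1))
            interfaces[m.group(1)] = {"vrf": "default", "net": None}
        elif section and section[0] == "vrf":
            if m := re.match(r"ip route 0\.0\.0\.0/0 (\S+)$", line):
                vrfs[section[1]] = ipaddress.ip_address(m.group(1))
        elif section and section[0] == "if":
            if m := re.match(r"vrf member (\S+)$", line):
                interfaces[section[1]]["vrf"] = m.group(1)
                vrfs.setdefault(m.group(1), None)
            elif m := re.match(r"ip address (\S+)$", line):
                interfaces[section[1]]["net"] = ipaddress.ip_interface(m.group(1))
    return vrfs, interfaces


def audit(vrfs, interfaces):
    """Return a list of findings; an empty list means the checks pass."""
    findings, nets = [], defaultdict(list)
    for name, i in interfaces.items():
        if i["net"] is None:
            findings.append(f"{name}: no ip address")
        else:
            nets[i["vrf"]].append((name, i["net"].network))
    for vrf, nh in vrfs.items():
        if vrf == "default":
            continue
        if nh is None:  # region would have no path to the firewall at all
            findings.append(f"VRF {vrf}: no default route toward the firewall")
        elif not any(nh in net for _, net in nets[vrf]):  # next hop must be in-VRF
            findings.append(f"VRF {vrf}: next hop {nh} is not on a connected network in this VRF")
    flat = [(v, n, net) for v, lst in nets.items() for n, net in lst]
    for k, (va, na, neta) in enumerate(flat):  # same prefix in two VRFs is a red flag
        for vb, nb, netb in flat[k + 1:]:
            if va != vb and neta.overlaps(netb):
                findings.append(f"{na} ({va}) overlaps {nb} ({vb})")
    return findings


def next_hop(vrfs, interfaces, src_vrf, dst):
    """Longest-match lookup in src_vrf: a connected SVI wins, otherwise the
    VRF default route (the firewall handoff), otherwise nothing."""
    dst, best = ipaddress.ip_address(dst), None
    for name, i in interfaces.items():
        if i["vrf"] == src_vrf and i["net"] is not None and dst in i["net"].network:
            if best is None or i["net"].network.prefixlen > best[1].prefixlen:
                best = (name, i["net"].network)
    if best:
        return ("connected", best[0])
    nh = vrfs.get(src_vrf)
    return ("firewall", str(nh)) if nh is not None else ("none", None)


if __name__ == "__main__":
    vrfs, ifs = parse_config(SAMPLE_CONFIG)
    print("findings:", audit(vrfs, ifs) or "none")
    for vrf, dst in (("DEV", "10.3.1.50"), ("DEV", "10.4.1.50"), ("TEST", "10.4.1.50")):
        print(f"{vrf} -> {dst}: {next_hop(vrfs, ifs, vrf, dst)}")
```

Run against the sample, the audit returns no findings, a DEV host reaching 10.3.1.50 is resolved to the connected Vlan301 (no firewall involved), and the same host reaching a TEST address is handed to 10.3.255.249, the firewall's address on the DEV handoff network. Dropping the default route from a VRF, or re-using a prefix in two VRFs, shows up as a finding, which is the kind of check worth running before the cutover from the 6509s.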

Paul - I am more than grateful to you for taking the time and sharing your technical knowledge with me and all the people in this forum who may need this information.

Thanks again to you and Reza;

Juan 
