IEOC CCIE Forums
Latest post 03-16-2017 1:50 AM by egon dragon. 5 replies.
  • 03-06-2017 8:54 AM

    Firewalls and Cisco nexus 9k

    Hi

    I'm posting this about Firewalls and Cisco Nexus 9k configured in VPC.

    I want to connect a couple of Firewalls on a pair of Nexus clustered using VPC. My FWs are used to filter traffic between VRFs (intra-VRF traffic is routed by the Nexus, inter-VRF traffic is filtered using the FWs).

    The problem is my Firewalls must be independent and I would like to load balance the traffic using routing only and without asymmetric routing issues.

    I detail my architecture:

    FW1           FW2
    |    \       /     |
    |      \   /       |
    |        / \       |
    |     /      \     |
    n9k1 === n9k2

    On the Nexus side I have VPC and dynamic routing activated to advertise routes to the FW side. My challenge is to make the FWs independent (no sync between them) and load balance traffic.

    The problem is that if I have 2 VRFs and I dedicate one FW to be active in one VRF (and passive in the other) and the second one to do the contrary, my traffic is asymmetric (it goes through FW1 when traffic goes from VRF1 to VRF2, and through FW2 for the returning traffic (VRF2 -> VRF1)), which is impossible as my Firewalls are not synchronized.

    My question: is there a way (anycast IP for example) to have Load Balancing and HA without any sync protocol between a pair of Firewalls when attached to a VPC cluster? I heard IP Fabric may provide a solution.

    Don't hesitate to ask me for any detail.

    Regards.

  • 03-07-2017 12:14 AM In reply to

    Re: Firewalls and Cisco nexus 9k

    I'll take a stab.

    Understanding your requirements as:
    + redundant solution, but both FWs run independently
    + the resources of both firewalls should be used when there are no failures
    - not a requirement that the resources of both firewalls be actively used for a single security domain (VRF)

    Are the FWs L3 devices?
    Do they use some sort of FHRP for HA?
    Does each VRF have a VLAN over a trunk link (VPC) to each FW?

    The asymmetrical FW routing problem probably relates to the load balancing and HA technology used for the FWing layer.

    Is the inter-VRF traffic routed by the Nexi or the FWs?

    Not seeing any issue around the L2 & VPC architecture, or that it relates to the problem.
    It does add the ability to keep using both FWs in case of a switch failure and to keep using both switches in case of a FW failure.

  • 03-07-2017 1:45 AM In reply to

    Re: Firewalls and Cisco nexus 9k

    Hi

    FWs are L3 (no transparent mode).

    No FHRP is used.

    Yes, each VRF is linked to each FW.

    Inter-VRF traffic goes through the FW.

    The problem is that for traffic going VRF1 ---> VRF2, FW1 is used and a session is created, but the response from VRF2 ---> VRF1 uses FW2, so traffic is blocked as no session has been created there.

    Regards

  • 03-07-2017 2:31 AM In reply to

    Re: Firewalls and Cisco nexus 9k

    Hi

    Within the VRF, is the decision to send the traffic either to FW1 or FW2 done by the routing protocol?

    Current setup:

    ###############################################
    #                                             #
    #                               (VRFY)        #
    #      (global or VRFX) - FWs <               #
    #                               (VRFZ)        #
    #                                             #
    ###############################################
    i.e. the FWs are the hub between the VRFs

    Possible to move towards this (logically):

    ###############################################
    #                                             #
    #                          FWsY - (VRFY)      #
    #      (global or VRFX) <                     #
    #                          FWsZ - (VRFZ)      #
    #                                             #
    ###############################################
    i.e. a VRF/global on the switches is the hub between the VRFs

    This way, the asymmetrical routing happens on the routers/switches (in global/VRFX) and not on the FWs.

    It opens a few other cans of worms though:
    if the majority of traffic is east-west (local between VRFs), then this could double the total traffic passing through the FWs
    the FWs will require the ability to logically split the interfaces and routing table per VRF (something like CheckPoint VSX)
    you will probably end up with a rule base per VRF, at least if you are using VSX - could be a good thing

    HTH

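To make the two designs in this thread concrete (the "FWs as hub" problem from the first post, where the return packet lands on the other firewall, and the "switch VRF as hub" alternative proposed just above), here is an added Python model that is not from the thread or from any vendor; the VRF names, firewall names and addresses are assumptions. It keeps session state per independent firewall context and checks whether the reply packet matches a session on the box that receives it.

```python
"""Constructed model of the two designs in this thread: two independent stateful
firewalls (no state sync) off a Nexus vPC pair, each VRF preferring one of them.
VRF names, firewall names and addresses are assumptions."""
from dataclasses import dataclass

@dataclass
class Flow:
    src_vrf: str
    dst_vrf: str
    src: str
    dst: str

class StatefulFirewall:
    """One firewall, or one per-VRF context on it; session state is local only."""
    def __init__(self, name):
        self.name = name
        self.sessions = set()  # (src, dst) of sessions this box has created

    def inspect(self, src, dst, is_reply):
        if is_reply:  # a reply passes only if this same box saw the initiating packet
            return (dst, src) in self.sessions
        self.sessions.add((src, dst))  # policy permits: create the session
        return True

# Which firewall each VRF's routing prefers: FW1 active for VRFY, FW2 for VRFZ.
ACTIVE = {"VRFY": "FW1", "VRFZ": "FW2"}

def path_fw_hub(flow, is_reply):
    """Design 1 (current): the FWs are the hub, so the VRF sending a packet
    picks the firewall and the two directions may pick different boxes."""
    sender = flow.dst_vrf if is_reply else flow.src_vrf
    return [(ACTIVE[sender], "shared")]

def path_switch_hub(flow, is_reply):
    """Design 2 (proposed): a switch VRF is the hub and each VRF has its own
    firewall context; both directions cross the same two contexts."""
    ctx = [(ACTIVE[flow.src_vrf], flow.src_vrf), (ACTIVE[flow.dst_vrf], flow.dst_vrf)]
    return ctx[::-1] if is_reply else ctx

def run(path_fn, flow):
    """Send the initiating packet, then its reply; return (forward_ok, reply_ok)."""
    boxes = {}
    fw = lambda key: boxes.setdefault(key, StatefulFirewall(key))
    fwd = all(fw(k).inspect(flow.src, flow.dst, False) for k in path_fn(flow, False))
    rep = all(fw(k).inspect(flow.dst, flow.src, True) for k in path_fn(flow, True))
    return fwd, rep

if __name__ == "__main__":
    f = Flow("VRFY", "VRFZ", "10.1.1.10", "10.2.2.20")
    print("FW hub:", run(path_fw_hub, f), "switch hub:", run(path_switch_hub, f))
```

In the first design the reply reaches FW2, which never saw the initiating packet, so it is dropped; in the second the asymmetry is confined to the hub VRF on the switches and every firewall context sees both directions.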
  • 03-16-2017 12:57 AM In reply to

    Re: Firewalls and Cisco nexus 9k

    Hi

    Did you find a solution or workaround for the problem?

  • 03-16-2017 1:50 AM In reply to

    Re: Firewalls and Cisco nexus 9k

    Hi, this may be a good idea.

    Thanks very much for your time, I'll try this.

    Regards
