Firewall Sub-Interface Across Spine to Leaf for VLAN isolation and Firewall security

  • 17 October 2016
  • 1 reply

Currently we have SVIs configured on our MLAG. We'd like to create sub-interfaces on our firewall and present those via trunks to our VLANs. But we are running BGP between Firewall - Spines and Leafs.

1 reply

Hey Victor, been a while.

Sounds like you're trying to create 2 routing/security domains and hairpin traffic between them to the firewalls.

If that's a correct interpretation, it's a pretty classic use-case of VRFs.

Obviously, I wouldn't recommend just adding VRFs w/o properly considering the design implications though.

I believe we've got a call set up tomorrow to discuss. Looking forward to that.