Firewall Sub-Interface Across Spine to Leaf for VLAN isolation and Firewall security


Currently we have SVIs configured on our MLAG. We'd like to create sub-interfaces on our firewall and present those via trunks to our VLANs. But we are running BGP between Firewall - Spines and Leafs.

1 reply

Hey Victor, been a while.

Sounds like you're trying to create 2 routing/security domains and hairpin traffic between them to the firewalls.

If that's a correct interpretation, it's a pretty classic use-case of VRFs. https://docs.cumulusnetworks.com/display/DOCS/Virtual+Routing+and+Forwarding+-+VRF

Obviously, I wouldn't recommend just adding VRFs without properly considering the design implications though.

I believe we've got a call set up tomorrow to discuss. Looking forward to that.

-Doug

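The VRF split suggested in the reply, sketched as an added example that is not part of the original thread: an `/etc/network/interfaces` fragment for a single Cumulus Linux switch, with each SVI placed in its own VRF and one routed sub-interface per VRF facing the firewall. All names, VLAN IDs, ports and addresses are constructed; the thread's real topology has the firewall across the spines, so each VRF would also have to be carried hop by hop, and the per-VRF BGP sessions are not shown.

```conf
# Constructed example: two security zones as VRFs (zone-a, zone-b).
# Each VRF gets its own routing table, so the zones share no routes.
auto zone-a
iface zone-a
    vrf-table auto

auto zone-b
iface zone-b
    vrf-table auto

# VLAN-aware bridge carrying the server VLANs (ports are hypothetical).
auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge-ports swp10 swp11
    bridge-vids 10 20

# SVI for VLAN 10, bound to zone-a instead of the default table.
auto vlan10
iface vlan10
    address 10.1.10.1/24
    vlan-id 10
    vlan-raw-device bridge
    vrf zone-a

# SVI for VLAN 20, bound to zone-b.
auto vlan20
iface vlan20
    address 10.1.20.1/24
    vlan-id 20
    vlan-raw-device bridge
    vrf zone-b

# Routed 802.1Q sub-interfaces on the firewall-facing port (swp1 assumed).
# The firewall terminates tags 100 and 200 on matching sub-interfaces,
# making it the only path between zone-a and zone-b.
auto swp1.100
iface swp1.100
    address 192.0.2.0/31
    vrf zone-a

auto swp1.200
iface swp1.200
    address 192.0.2.2/31
    vrf zone-b
```

After `ifreload -a`, `ip vrf show` lists both VRFs, and `ip route show vrf zone-a` should contain no entry for 10.1.20.0/24 until the firewall advertises one.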