Hey all,
We have a leaf/spine network with a set of border leaves connected to a firewall (ASA). I'm looking for any advice as to how we could potentially move our setup to pure layer 3, having layer 2 adjacency only on point to point links.
See the following diagram for the current setup: https://imgur.com/a/rdsLc8f
The outside interface of our firewall is connected to a switch, and upstream routers provide a VRRP IP for the default gateway to the internet. We do NAT translations at the firewall for public access to internal private IPs, and we do SNAT for private IPs at the firewall for them to reach the internet.
On the inside interfaces of the firewall, we peer it with BGP to each of the border leaves. The firewall announces a default route into the spine/leaf topology.
What I'm interested in doing is something like this: https://imgur.com/a/QzEy1k5 (edited to show router + firewall active/standby adjacency)
Ideally each side of the firewall (inside and outside) would be BGP peered, and there would be no VRRP. The problem I'm not sure if I can overcome is when NAT comes into play. Are there any ways to make this work where I can have both internal private IPs SNAT to the internet and have NAT rules that map public IPs to private internal IPs? I'm not sure if traffic zones would help here in an async routing case.
Thanks!
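The asymmetric-routing concern raised above, as an added example that is not the poster's configuration or any vendor's implementation: a constructed toy stateful NAT whose reply check compares the arrival interface either per interface or per traffic zone, so you can see why a reply coming back through a different upstream router is dropped in one mode and accepted in the other. Interface names, ASN-free topology and all addresses are assumed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatFirewall:
    snat_ip: str                                 # public IP used for outbound SNAT
    zones: dict = field(default_factory=dict)    # interface -> zone name (assumed model)
    table: dict = field(default_factory=dict)    # expected reply flow -> (original flow, egress key)
    next_port: int = 50000

    def _key(self, ifname):
        # With zones, the reverse-path check compares zones, not member interfaces
        return self.zones.get(ifname, ifname)

    def outbound(self, flow, ingress, egress):
        """SNAT a private host's flow leaving via `egress`; remember where replies must arrive."""
        xlated = Flow(self.snat_ip, self.next_port, flow.dst, flow.dport)
        self.next_port += 1
        reply = Flow(flow.dst, flow.dport, xlated.src, xlated.sport)
        self.table[reply] = (flow, self._key(egress))
        return xlated

    def inbound_reply(self, flow, ingress):
        """Return 'drop' or the untranslated flow for a reply arriving on `ingress`."""
        entry = self.table.get(flow)
        if entry is None:
            return "drop"                        # no state: unsolicited traffic
        orig, expected = entry
        if self._key(ingress) != expected:
            return "drop"                        # asymmetric return path fails the interface check
        return Flow(flow.src, flow.sport, orig.src, orig.sport)


# Constructed sample flow: private host to an internet web server
PRIVATE = Flow("10.0.0.5", 40000, "198.51.100.7", 443)
OUTSIDE_ZONE = {"outside1": "outside", "outside2": "outside"}


def asymmetric_return(zones):
    """Egress via router 1 (outside1), reply arrives from router 2 (outside2)."""
    fw = NatFirewall("203.0.113.1", zones=zones)
    x = fw.outbound(PRIVATE, ingress="inside1", egress="outside1")
    reply = Flow(x.dst, x.dport, x.src, x.sport)
    return fw.inbound_reply(reply, ingress="outside2")
```

Run `asymmetric_return({})` for the per-interface check and `asymmetric_return(OUTSIDE_ZONE)` with both upstream-facing interfaces in one zone; only the zoned case hands the reply back to the private host.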