Monday, December 9, 2019

How would you design this?

You already have a fixed physical design, but need to design the network connectivity on it. The hardware is mostly Catalyst 9k.

Basically it's:

L3 access switches <-> L3 transport switches <-> L3 core switches <-> Firewall <-> WAN.

You have X separate networks on the access switches and you want to pass all the traffic from these networks through the firewall, but you also want to use L3 routing on each switch, not just extend L2 from the firewall.

  1. Option and why I don't want to use it: put all the networks in separate VRFs, use separate routing SVIs between all the switches and configure dynamic routing for all of these VRFs. It's a nightmare to configure and manage, since you need to configure a P2P link for each of these networks and configure routing for each one on every switch. If you use only one interface for the transport P2P, the traffic will be routed "directly back" and not through the firewall. Plus using IPv6 as well means double the nightmare. This could be tweaked with some changes in the routing, but I would prefer to keep things as simple as possible, without any "unnecessary" customization.
  2. Option: VXLAN with a much simpler routing underlay.
  3. ?
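To make option 1 concrete, here is an added example (not from the original post) of roughly what the VRF-lite configuration looks like on a single access switch with only two VRFs and one uplink, in Catalyst 9000 IOS-XE syntax. VRF names, VLAN numbers and addresses are made up, and the IPv6 address families that would duplicate every stanza are left out; the point is that every stanza repeats per VRF, per link and per switch.

```cisco
! Access switch side of one access<->transport link, VRF-lite style.
! Each VRF gets its own transit VLAN/SVI and its own OSPF process.
vrf definition TENANT-A
 rd 65000:10
 address-family ipv4
 exit-address-family
!
vrf definition TENANT-B
 rd 65000:20
 address-family ipv4
 exit-address-family
!
! One 802.1Q trunk carries a dedicated transit VLAN per VRF.
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 switchport trunk allowed vlan 3010,3020
!
! Transit SVIs: one /30 per VRF per inter-switch link.
interface Vlan3010
 vrf forwarding TENANT-A
 ip address 10.255.10.1 255.255.255.252
 ip ospf network point-to-point
!
interface Vlan3020
 vrf forwarding TENANT-B
 ip address 10.255.20.1 255.255.255.252
 ip ospf network point-to-point
!
! User-facing SVIs, each bound to its VRF.
interface Vlan10
 vrf forwarding TENANT-A
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 vrf forwarding TENANT-B
 ip address 10.20.0.1 255.255.255.0
!
! Separate OSPF process per VRF. No routes are leaked between VRFs;
! each VRF's only way to reach the others is the default route the core
! originates from the firewall, so inter-network traffic is forced
! through the firewall instead of being routed back on the switch.
router ospf 10 vrf TENANT-A
 network 10.255.10.0 0.0.0.3 area 0
 network 10.10.0.0 0.0.0.255 area 0
 passive-interface Vlan10
!
router ospf 20 vrf TENANT-B
 network 10.255.20.0 0.0.0.3 area 0
 network 10.20.0.0 0.0.0.255 area 0
 passive-interface Vlan20
```

The same block is needed on the transport and core switches (with the core also redistributing or originating the firewall default into every VRF), which is where the per-VRF effort multiplies.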
