Tuesday, December 15, 2020

VXLAN & Firewalls

Hi, I've got a bit of a problem with a project I've just picked up from someone who has left our company. A customer has two DCs, each with a pair of HA ASAs that do not support clustering. My predecessor implemented VXLAN across both DCs, assuming that the firewalls just did routing for internal traffic, but no, they actually have a large ruleset on them. His intention was to move the gateway from the firewalls to an anycast gateway on the VXLAN switches, but we cannot do this, as all the traffic would then be unfiltered, impacting the customer's security posture.

One solution, other than buying new firewalls that do cluster (100k's worth of firewalls), was to forward the traffic up to the firewalls from the VXLAN switches via an L3 out, using VRFs to keep the VXLAN traffic separate and advertising host routes via BGP, so that when a VM moves from one DC to the other it will not trombone over the DC interconnect. I'm not keen on this design, as I suspect we'd get into firewall bilateral routing hell, but I'm interested to see what other people think of it.
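To make the two concerns in the post concrete (tromboning over the DCI, and asymmetric paths through firewalls that share no state), here is a small added model, written for this page and not taken from the original post or from any vendor configuration. It assumes constructed addresses (a stretched subnet 10.10.0.0/24, a VM at 10.10.0.50, a client at 192.0.2.10), assumes the upstream routing table prefers DC-A's summary route for the stretched subnet, and assumes each DC's VXLAN leaf hands traffic to its own local firewall via the L3 out. Each firewall is a stateful box with its own session table and no sync, which is what "HA pairs that do not cluster" amounts to across DCs.

```python
"""Toy model of stretched-subnet routing through two non-clustered
stateful firewalls. All addresses and policies are constructed for
illustration; this is an added example, not code from the original post."""

from ipaddress import ip_address, ip_network


class Rib:
    """Minimal longest-prefix-match routing table: prefix -> next hop."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ip_network(prefix)] = next_hop

    def lookup(self, dst):
        addr = ip_address(dst)
        matches = [p for p in self.routes if addr in p]
        if not matches:
            return None
        # Most specific prefix wins, so a /32 host route beats the /24 summary.
        return self.routes[max(matches, key=lambda p: p.prefixlen)]


class StatefulFirewall:
    """A firewall that only passes mid-stream packets for flows it has seen.
    Each instance has its own table: no state is shared between DCs."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def forward(self, src, dst, syn):
        if syn:
            self.sessions.add((src, dst))   # new flow, permitted by policy (assumed)
            return True
        # Reply or mid-stream packet: allowed only if this box built the session.
        return (src, dst) in self.sessions or (dst, src) in self.sessions


# Which firewall a VM's local leaf uses for its L3 out (assumption).
FW_OF_DC = {"DC-A": "FW-A", "DC-B": "FW-B"}


def build_wan_rib(host_routes):
    """Upstream RIB as seen from outside the DCs.

    The stretched subnet is summarised from both DCs; we assume BGP policy
    prefers DC-A's copy. host_routes maps '/32' prefixes to the firewall
    that the VM's current leaf is advertising them through."""
    rib = Rib()
    rib.add("10.10.0.0/24", "FW-A")   # assumed preferred summary
    for prefix, fw in host_routes.items():
        rib.add(prefix, fw)
    return rib


def trace_session(client, vm, vm_dc, host_routes):
    """Simulate an inbound SYN from client to vm and the VM's reply.

    Returns (inbound_fw, outbound_fw, reply_allowed, tromboned).
    tromboned is True when the inbound path lands at the firewall of the
    DC the VM is NOT in, i.e. traffic crosses the DCI to reach the VM."""
    fws = {name: StatefulFirewall(name) for name in ("FW-A", "FW-B")}
    wan = build_wan_rib(host_routes)

    inbound_fw = wan.lookup(vm)                  # chosen by upstream routing
    fws[inbound_fw].forward(client, vm, syn=True)
    outbound_fw = FW_OF_DC[vm_dc]                # chosen by the VM's local leaf
    tromboned = inbound_fw != outbound_fw
    reply_allowed = fws[outbound_fw].forward(vm, client, syn=False)
    return inbound_fw, outbound_fw, reply_allowed, tromboned


if __name__ == "__main__":
    client, vm = "192.0.2.10", "10.10.0.50"
    cases = [
        ("VM in DC-A, no host routes", "DC-A", {}),
        ("VM moved to DC-B, no host routes", "DC-B", {}),
        ("VM moved to DC-B, /32 via FW-B", "DC-B", {"10.10.0.50/32": "FW-B"}),
        ("VM moved to DC-B, stale /32 via FW-A", "DC-B", {"10.10.0.50/32": "FW-A"}),
    ]
    for label, dc, routes in cases:
        print(f"{label:40s} -> {trace_session(client, vm, dc, routes)}")
```

The second and fourth cases are the routing-hell scenario: the inbound packet enters through one firewall and the reply leaves through the other, which has no session for it and drops the flow. The host-route advertisement fixes this only while BGP has converged on the VM's new location; in the window between the move and the /32 being withdrawn from one DC and advertised from the other, existing sessions break exactly as in the stale-route case.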
