So I got it in my head to try to do some poor man's network segmentation in our DC. I've got two Nexus 9Ks running vPC with SVIs configured with HSRP pointed towards the servers. These SVIs have some older network ranges assigned on them and we're wanting to migrate to newer ones, so I was thinking of using multinet so that the server team can re-IP as they can without changing VLANs. I've also got dual-stack on these interfaces so the servers can be configured with IPv6, and the upstream connectivity is our Palo Alto firewalls with OSPF doing dynamic routing and high availability.
To do the segmentation, I'm looking into PVLAN. The problem is, the Palo Altos have no concept of that, so the SVI for each network has to remain on the Nexus 9K. I don't really want to do ACLs (we currently use our firewall for that), so I was thinking of applying IPv4 and IPv6 policy-based routing to force traffic coming in from the PVLAN to the firewall as the next hop. Once approved at the firewall, return traffic would simply follow the dynamic routing path back.
I've done basic research on this and it looks like all of the features are supported, but I've run into issues with undocumented bugs on other Cisco platforms when combining things like this.
Here is the list of everything I'm looking at implementing together:
- IPv4 and IPv6 (so all other features have to work with both on the same SVI)
- vPC
- HSRP
- OSPF
- Multinet
- Policy Based Routing
- Private VLAN
Anyone have any experience with using most of these together or see any reason it wouldn't work?
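The design described in the post, written out as an added NX-OS configuration example for one dual-stack SVI. This is not the poster's configuration; every VLAN ID, address, ACL name, route-map name and interface below is constructed for illustration, and the firewall next-hop addresses are assumed to sit on a separate transit VLAN that the Nexus and the Palo Alto share for OSPF. It shows the pieces the post lists working on one interface: the isolated PVLAN whose gateway stays on the Nexus, multinet (a secondary address on the same SVI for the re-IP), HSRP for both address families, OSPF advertising the subnets upstream, and IPv4/IPv6 PBR steering routed traffic from the PVLAN to the firewall. Identical SVI, HSRP and PBR configuration belongs on both vPC peers.

```cisco
feature private-vlan
feature hsrp
feature ospf
feature pbr

! Primary VLAN 100 with one isolated secondary VLAN 101 (constructed IDs).
vlan 100
  private-vlan primary
  private-vlan association 101
vlan 101
  private-vlan isolated

! ACLs that select what PBR steers to the firewall. The two deny lines keep
! routing between the old and new ranges on this SVI local to the Nexus;
! remove them if that traffic should also be inspected by the firewall.
ip access-list PVLAN100-TO-FW
  10 deny ip any 10.10.0.0/24
  20 deny ip any 10.20.0.0/24
  30 permit ip any any
ipv6 access-list PVLAN100-TO-FW-V6
  10 deny ipv6 any 2001:db8:10::/64
  20 deny ipv6 any 2001:db8:20::/64
  30 permit ipv6 any any

! Next hop is the firewall's inside address on the transit VLAN (constructed).
! pbr-statistics lets "show route-map ... pbr-statistics" confirm hits.
route-map PBR-PVLAN100 pbr-statistics
route-map PBR-PVLAN100 permit 10
  match ip address PVLAN100-TO-FW
  set ip next-hop 10.255.0.1
route-map PBR-PVLAN100-V6 pbr-statistics
route-map PBR-PVLAN100-V6 permit 10
  match ipv6 address PVLAN100-TO-FW-V6
  set ipv6 next-hop 2001:db8:ff::1

! Gateway SVI for the primary VLAN, mapped to the isolated secondary.
! 10.10.0.0/24 is the old range; 10.20.0.0/24 is the new range (multinet).
interface Vlan100
  no shutdown
  private-vlan mapping 101
  ip address 10.10.0.2/24
  ip address 10.20.0.2/24 secondary
  ipv6 address 2001:db8:10::2/64
  ipv6 address 2001:db8:20::2/64
  ip router ospf 1 area 0.0.0.0
  ip ospf passive-interface
  ipv6 router ospfv3 1 area 0.0.0.0
  ipv6 ospfv3 passive-interface
  ip policy route-map PBR-PVLAN100
  ipv6 policy route-map PBR-PVLAN100-V6
  hsrp version 2
  hsrp 1
    ip 10.10.0.1
    ip 10.20.0.1 secondary
  hsrp 2 ipv6
    ip autoconfig
    ip 2001:db8:10::1

! A server port in the isolated VLAN (constructed interface).
interface Ethernet1/10
  switchport mode private-vlan host
  switchport private-vlan host-association 100 101
  no shutdown
```

Two points a practitioner would check before relying on this. First, PBR only touches traffic the SVI routes; the isolated PVLAN already stops servers on the same subnet from reaching each other at layer 2, so same-subnet traffic is blocked outright rather than inspected. If the goal is for the firewall to approve that traffic too, the gateway has to answer ARP on the hosts' behalf (`ip local-proxy-arp` on the SVI), after which the hairpinned flows are policy-routed like any other. Second, with the deny lines above, routed traffic between the old and new ranges during the re-IP never reaches the firewall, so audit those ACL entries as carefully as the firewall policy itself, and use the `pbr-statistics` counters to confirm the route-map is actually matching once hosts are moved.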