09-09-2013 12:33 PM - edited 03-07-2019 03:22 PM
Hi,
I have got two L2/L3 Nexus switches configured with L3 VLAN IPs and HSRP. For the moment all the servers have the HSRP virtual IP on the Nexus as a gateway.
However, the traffic from one VLAN to another should pass through the FW and not be forwarded straight to the other VLAN, as I don't want to keep the traffic and the routing between the VLANs through the Nexus exclusively.
So what can I do if I want to keep HSRP for my servers plus stateful inspection before a packet passes to another VLAN?
Given that I have a route to all the VLANs on my Nexus, I don't know how to force the traffic to go to the FW and then to VLAN X.
Scenario
For the moment
Vlan X Source Server -> GTW (NEXUS HSRP) -> L3 NEXUS -> Destination Server Vlan Y
Goal
Vlan X Source Server -> GTW (NEXUS HSRP) -> L3 NEXUS ->
FW with a static route to the destination -----> Destination Server Vlan Y
Please advise
K
09-09-2013 02:30 PM
I can think of two ways to accomplish this task.
#1: Place the devices you want separated by the firewall into different VRFs. You can then have those VRFs default-route to the firewall, which in turn can route between the VLANs.
#2: Utilize Policy-Based Routing on the Nexus switch to define the next hop manually.
You can say, if source IP address is on VLAN X and destination IP address is on VLAN Y, next-hop is Firewall interface.
In this way, you can prevent traffic from directly traversing between the subnets.
Let me know if you need any additional information.
Thanks.
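Kyle's second option, written out as an NX-OS configuration. This is an added illustration, not a configuration posted by anyone in this thread; the VLAN numbers, the two /24 subnets, the firewall sub-interface addresses (192.168.100.254 and 192.168.200.254, one leg directly connected in each VLAN) and the HSRP virtual IPs (.1 in each subnet) are all assumed values.

```cisco
! Added example (not from the thread): NX-OS policy-based routing that hands
! inter-VLAN traffic to the firewall instead of routing it on the Nexus.
! Assumed: VLAN 100 = 192.168.100.0/24, VLAN 200 = 192.168.200.0/24,
! firewall legs 192.168.100.254 and 192.168.200.254, HSRP VIPs .1 on each SVI.
feature pbr
feature interface-vlan
feature hsrp

! Match only traffic crossing between the two protected subnets.
! Anything else (e.g. traffic to the default route) is routed normally.
ip access-list VLAN100-TO-VLAN200
  10 permit ip 192.168.100.0/24 192.168.200.0/24
ip access-list VLAN200-TO-VLAN100
  10 permit ip 192.168.200.0/24 192.168.100.0/24

! One route-map per ingress SVI; the next hop is the firewall leg that sits
! in the same VLAN as the packet's source.
route-map PBR-VLAN100 permit 10
  match ip address VLAN100-TO-VLAN200
  set ip next-hop 192.168.100.254
route-map PBR-VLAN200 permit 10
  match ip address VLAN200-TO-VLAN100
  set ip next-hop 192.168.200.254

! Servers keep the HSRP VIP as their gateway. The policy acts on packets
! entering the SVI, so it must be configured identically on both Nexus
! switches (only the physical SVI address differs between them).
interface vlan 100
  no shutdown
  ip address 192.168.100.2 255.255.255.0
  ip policy route-map PBR-VLAN100
  hsrp 100
    ip 192.168.100.1
interface vlan 200
  no shutdown
  ip address 192.168.200.2 255.255.255.0
  ip policy route-map PBR-VLAN200
  hsrp 200
    ip 192.168.200.1
```

Two points matter for the stateful-inspection goal. First, the policy is applied on both SVIs so that the firewall sees both halves of every flow; steering only one direction leaves the reply routed directly by the Nexus, and a stateful firewall drops the asymmetric half. Second, the ACLs are an allow-list of steered subnet pairs: any VLAN pair not listed is still routed straight through the Nexus, so each new server VLAN needs its own entries or the bypass stays open. `show route-map PBR-VLAN100` and `show ip policy` confirm the policy is attached and counting matches.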
09-10-2013 07:48 AM
Hello Kyle,
Thanks a lot for your answer. Indeed Policy-Based Routing seems to be the easiest thing to do.
However, I would like to try the first option, but I have to analyse and check what can be done; the only VRF I have used until now is the mgmt one on the Nexus.
I will look for a valid scenario, or do you have any good link? Anyway, I will do my research and get back to you.
Again Thanks a lot
K
09-10-2013 07:59 AM
I suggest policy-based routing in this case.
09-10-2013 01:21 PM
I have worked in a similar scenario as a service provider and implemented Nexus VRF-Lite contexts with sub-interfaces on the ASA, along with VDCs.
The VRF method is going to provide the additional scalability and modularity to give you the ease of route manipulation. BTW, I'm assuming the upstream device is an ASA capable of sub-interfaces or VLAN routing. If it is not, VRF becomes a little more difficult, since you will need to leak routes from a routed port off the Nexus to the upstream FW.
A configuration would be something like this:
feature interface-vlan
vlan 100
  name VLAN100
vlan 200
  name VLAN200
! One VRF per VLAN; each VRF's only route is a default pointing at the firewall leg in that VLAN.
vrf context VLAN100
  ip route 0.0.0.0/0 192.168.100.254
vrf context VLAN200
  ip route 0.0.0.0/0 192.168.200.254
! On NX-OS "vrf member" must come before "ip address": moving an interface into a VRF clears any IP already configured on it.
interface vlan 100
  description GATEWAY FOR VLAN 100
  vrf member VLAN100
  ip address 192.168.100.1 255.255.255.0
  no shutdown
interface vlan 200
  description GATEWAY FOR VLAN 200
  vrf member VLAN200
  ip address 192.168.200.1 255.255.255.0
  no shutdown
The convenient part about this configuration is that it provides full segmentation on the firewall as well as allowing for individualized ACLs, NATs, and service-policy implementations.