How to Route Traffic via Firewall in EVPN + VxLAN



This is the new network I am trying to design. It is just on paper, nothing is finalized, and I am sure it has lots of issues (for example, the firewall should be on a leaf, not a border leaf, etc.), so that is why I am here to clear up all those doubts. I have the following questions related to the spine-leaf design.

  • If we use an anycast gateway in this design, the leaf would be the edge gateway for all hosts connected to that leaf, so how would Host-A send traffic to Host-B via the firewall?
  • Should I disable the anycast gateway so that each VLAN's traffic is routed via the firewall (my firewall is the gateway for all VLANs)?
  • What do you think about this design, or is this not something I should be using?

Best Answer

First of all, you have 6 switches but you named them in pairs. If these switches are not stacked, just use leaf-1 to leaf-4 and border-leaf-1, border-leaf-2. Better notation. I am assuming that you are thinking of using EVPN in your topology.

You can use the whole topology as you suggested as a layer 2 network, do not use any VLAN IP addresses, and set your gateways as the ASA IP addresses. This is called a centralized model, where routing is done via selected nodes or devices.

Good side: Your configuration will be super easy. You just lay your VXLAN tunnels and you are ready to go. In fact, you can do all your routing on the firewalls for getting in and out of the topology.

Bad side: All traffic will go through the firewalls even if you don't want it to. Imagine you have two hosts on the same leaf in different VLANs. Their traffic will hop through the border leaves and come back, which will create additional traffic.

If you keep your anycast gateways and set your hosts' gateway as the leaves, then you can use Policy-Based Routing (PBR) to redirect the traffic to the firewalls. You can still choose to do your outside routes either via the firewalls or via the border leaves. It is better to use symmetric routing in this case.

Good side: Since you keep your anycast addresses, host-to-host traffic will flow faster with less overlapping traffic.

Bad side: More configuration and more work.
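The second option from the answer (anycast gateway kept on the leaves, PBR steering selected flows to the firewall), written out below as an added NX-OS configuration sketch. This is not the answerer's configuration and is not taken from the question's diagram; the VLAN IDs, VNIs, VRF name, subnets, gateway MAC and the firewall's next-hop address are all assumed placeholders. It matches both directions of the flow so the firewall sees both halves of each session, which is the symmetric-routing point the answer makes.

```cisco
! Added example (not from the question or the answer): one leaf in a VXLAN
! EVPN fabric keeps its anycast gateway and uses PBR to steer inter-VLAN
! traffic between two host subnets through a firewall.
! All IDs, names and addresses below are assumed placeholders.
feature interface-vlan
feature pbr
feature vn-segment-vlan-based
feature nv overlay

! Same gateway MAC on every leaf so hosts can move between leaves.
fabric forwarding anycast-gateway-mac 2020.0000.00aa

vrf context TENANT-A
  vni 50001

vlan 10
  vn-segment 10010
vlan 20
  vn-segment 10020
! Service VLAN where the firewall's inside interface lives (assumed).
vlan 250
  vn-segment 10250

! Flows that must be inspected. Both directions are matched so the return
! half of each session is steered as well (symmetric routing); if only one
! direction were steered, the firewall's stateful inspection would break.
ip access-list HOSTS-A-TO-B
  10 permit ip 10.1.10.0/24 10.1.20.0/24
ip access-list HOSTS-B-TO-A
  10 permit ip 10.1.20.0/24 10.1.10.0/24

! Firewall inside interface assumed at 10.1.250.10.
route-map STEER-TO-FW permit 10
  match ip address HOSTS-A-TO-B
  set ip next-hop 10.1.250.10
route-map STEER-TO-FW permit 20
  match ip address HOSTS-B-TO-A
  set ip next-hop 10.1.250.10

! Anycast gateway SVIs for the host VLANs, with the policy applied on the
! interface where host traffic enters the leaf.
interface Vlan10
  no shutdown
  vrf member TENANT-A
  ip address 10.1.10.1/24
  fabric forwarding mode anycast-gateway
  ip policy route-map STEER-TO-FW

interface Vlan20
  no shutdown
  vrf member TENANT-A
  ip address 10.1.20.1/24
  fabric forwarding mode anycast-gateway
  ip policy route-map STEER-TO-FW

! Service VLAN SVI: no policy here, so traffic coming back from the
! firewall is routed normally to its destination VLAN.
interface Vlan250
  no shutdown
  vrf member TENANT-A
  ip address 10.1.250.1/24
  fabric forwarding mode anycast-gateway
```

Traffic from a host in VLAN 10 to VLAN 20 is matched on ingress at Vlan10 and sent to the firewall; the firewall forwards it back to the fabric via Vlan250, where no policy applies, so it is routed to Vlan20 normally. The reply enters Vlan20, matches the second route-map sequence and is steered through the firewall again. Flows not covered by the two ACLs stay on the leaf's anycast gateway and never leave for the border leaves, which is the traffic saving the answer describes. `show route-map STEER-TO-FW` on the leaf shows the policy and its match counters, and the firewall's next hop must be reachable within the tenant VRF, which the stretched service VLAN provides here.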
