Spine Leaf L3 TOR DMZ Design for Virtual Environments

Tags: firewall, Network, routing, vlan, vmware

[Figure: Basic DC Design]

I have a question regarding DMZ design in our DC. Let me give you some background.

We have

1 rack
2 Spines
2 leafs (L3 TOR) connected to each spine
ESXi hosts connected to the leafs
1 Palo Alto Active/Standby connected to the Spines

I want to have my DMZ network and internal VM network shared on the existing ESXi hosts.

So the problem I'm trying to overcome is that at my TOR I will have SVIs defined for:

1 Management
2 vMotion
3 Storage
4 VXLAN
5 VM
6 DMZ

How do I logically separate my DMZ VLAN and VM VLAN from communicating with each other if I have an L3 TOR (SVI configured), and ultimately get my VM traffic to route to the F/W for routing back to the DMZ on the same host?

Some of my thoughts are to have a separate VRF, or to extend the L2 VLAN from the F/W down to the leaf switches.

Thx

Best Answer

So basically your problem is that your leafs are acting as routers and they are needed to reach the firewalls, but they route traffic between those VLANs because SVIs are available.

Personally, I'd say that this is an issue with your topology, and that if you're using VXLAN in a spine/leaf setup, you'd connect your firewalls to leafs, and just let the traffic from various VLANs on your hypervisors reach the firewalls without routing in the overlay network. That way you can completely separate traffic for the various VLANs by assigning a unique VNI to each VLAN.

Since you indicated that moving those firewalls to leaf ports was not an option, you could consider adding VTEPs on the spines as well as the leafs. That way you connect your firewalls on layer 2 to your hosts.

I understand that this may not be the solution you're looking for. As you said yourself, you could consider putting each VLAN in its own routing instance (VRFs). I think that may work (if all equipment supports it), since you can then add a route to the firewalls in every VRF and use those firewalls to route between the VRFs. I'm not 100% sure if it will work though; I'd test it in a lab setup to be sure.
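The VRF approach mentioned in the question and in the answer above, shown as an added example for one leaf; this is not configuration from either poster. It uses NX-OS-style syntax as an assumption about the TOR platform, and the VLAN IDs (5 for VM, 6 for DMZ), VRF names, IP addresses and uplink interface numbers are all assumed values chosen for illustration. The point it demonstrates is that a leaf cannot forward between two SVIs that live in different VRFs, because neither VRF holds a route to the other's subnet; the only exit from each VRF is its own default route toward the firewall.

```text
! Added example (not from the question or the answer): NX-OS-style VRF-lite
! on ONE leaf. VLAN IDs, VRF names, addresses and interface numbers are assumed.
feature interface-vlan

! One routing instance per zone. Nothing is leaked between them, so the
! leaf has no path from the VM subnet to the DMZ subnet.
vrf context VM
  ! Default route to the firewall's VM-zone next hop (assumed address),
  ! reached over the per-VRF uplink subinterface defined below.
  ip route 0.0.0.0/0 10.255.5.1
vrf context DMZ
  ip route 0.0.0.0/0 10.255.6.1

! Server-facing SVIs: each VLAN's gateway exists only inside its own VRF.
interface Vlan5
  description VM gateway
  vrf member VM
  ip address 10.5.0.1/24
  no shutdown
interface Vlan6
  description DMZ gateway
  vrf member DMZ
  ip address 10.6.0.1/24
  no shutdown

! Uplink toward a spine, split into one dot1q subinterface per VRF so the
! zones stay separate across the fabric all the way to the firewall.
interface Ethernet1/49
  no switchport
  no shutdown
interface Ethernet1/49.5
  encapsulation dot1q 5
  vrf member VM
  ip address 10.255.5.2/30
  no shutdown
interface Ethernet1/49.6
  encapsulation dot1q 6
  vrf member DMZ
  ip address 10.255.6.2/30
  no shutdown
```

The check worth running after applying this is `show ip route vrf DMZ`: it should list only the connected 10.6.0.0/24 and the default route, and never 10.5.0.0/24. The caveat is that the separation only holds end to end if the spines carry the same two VRFs on matching subinterfaces and the firewall has a separate interface (or subinterface) in each zone; if the spine collapses both subinterfaces into one routing table, it becomes the new point where the zones leak into each other, which is the same problem moved one hop up.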