Cisco Nexus 5010 Switch White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 32 of 75
Figure 18. VRF A and VRF B Are Protected VRF Instances in the Fabric. VRF EXT Interfaces with the External World through the WAN or Edge Router. The Tenant-Edge Firewall in Routed Mode Is Connected to All Three VRF Instances and Enforces Security Policies for All Traffic Routed between These VRF Instances. The Tenant-Edge Firewall’s Default Route Points to VRF EXT to Reach External Networks
connections can be made using either separate interfaces or IEEE 802.1Q VLAN tags within a single interface.
The connection between the external VRF instance (VRF EXT) and the WAN or edge router is established using
border leaf nodes and is outside the scope of this document. Note that this document assumes that the routing
table for VRF EXT already has a default route (whether statically configured or dynamically learned) that points to
the WAN or edge router.
A typical network connection location for the tenant-edge firewall is at the border leaf nodes. However, border leaf
nodes often are not configured with vPC peering. If a vPC dual-attached connection from the firewalls is needed, the
firewalls can also be connected to regular leaf nodes.
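The following configuration fragment is an added example and is not taken from this document or from any Cisco reference design. It shows the connectivity described above using the second option, IEEE 802.1Q VLAN tags within a single interface: the leaf node places one subinterface in each of VRF A, VRF B and VRF EXT, and the routed-mode firewall terminates the same three tags as separate security zones, with its default route pointing into VRF EXT. All VRF names, VLAN IDs, interface numbers, addresses and the protected prefixes are constructed values; the WAN or edge router next hop is shown as a static default route in VRF EXT, which the document says may equally be learned dynamically.

```cisco
! --- Leaf node (NX-OS). Constructed example: one routed link to the firewall,
! --- carried as three 802.1Q subinterfaces, one per VRF instance.
vrf context VRF-A
  ! Protected VRF: traffic leaving the VRF is handed to the firewall
  ip route 0.0.0.0/0 10.255.10.2
vrf context VRF-B
  ip route 0.0.0.0/0 10.255.20.2
vrf context VRF-EXT
  ! External VRF: default route toward the WAN/edge router (assumed static here;
  ! the document also allows it to be learned dynamically)
  ip route 0.0.0.0/0 192.0.2.1

interface Ethernet1/1
  description Tenant-edge firewall (routed mode)
  no switchport
  no shutdown
interface Ethernet1/1.10
  encapsulation dot1q 10
  vrf member VRF-A
  ip address 10.255.10.1/30
  no shutdown
interface Ethernet1/1.20
  encapsulation dot1q 20
  vrf member VRF-B
  ip address 10.255.20.1/30
  no shutdown
interface Ethernet1/1.30
  encapsulation dot1q 30
  vrf member VRF-EXT
  ip address 10.255.30.1/30
  no shutdown

! --- Firewall (ASA syntax). Constructed example: the same three VLAN tags on one
! --- physical interface, each becoming its own security zone.
interface GigabitEthernet0/0.10
  vlan 10
  nameif vrf-a
  security-level 50
  ip address 10.255.10.2 255.255.255.252
interface GigabitEthernet0/0.20
  vlan 20
  nameif vrf-b
  security-level 50
  ip address 10.255.20.2 255.255.255.252
interface GigabitEthernet0/0.30
  vlan 30
  nameif ext
  security-level 0
  ip address 10.255.30.2 255.255.255.252
! Default route points to VRF EXT on the leaf; VRF EXT's own default route then
! carries the traffic on to the WAN or edge router.
route ext 0.0.0.0 0.0.0.0 10.255.30.1
! Return routes for the protected subnets (constructed prefixes) via their VRF.
route vrf-a 10.1.0.0 255.255.0.0 10.255.10.1
route vrf-b 10.2.0.0 255.255.0.0 10.255.20.1
! vrf-a and vrf-b share a security level, so inter-interface traffic must be
! permitted explicitly and is then filtered by the inbound ACL on each zone.
same-security-traffic permit inter-interface
access-list VRF-A-IN extended permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 443
access-list VRF-A-IN extended permit ip 10.1.0.0 255.255.0.0 any
access-list VRF-A-IN extended deny ip any any
access-group VRF-A-IN in interface vrf-a
```

Two points worth checking in a real deployment: the leaf-local static routes in VRF A and VRF B only steer traffic from hosts behind this leaf, so in a fabric they have to be advertised to the other leaf nodes through the fabric's control plane (omitted above), and the ACL should be reviewed so that the only path between the protected VRFs is through the firewall rather than through any route leaked directly between them.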
The firewall deployment scenario in which the firewall is deployed as the default gateway for protected subnets, in
addition to protecting the entire VRF, is covered in the section
” later in this document.
This section discusses the tenant-edge firewall deployment scenarios shown in Figures 19, 20, and 21. These
policies between two or more VRF instances (tenants).