Cisco Nexus 5010 Switch White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 5 of 75
When data needs to be forwarded between subnets within a given Virtual Routing and Forwarding (VRF) instance
across the fabric, a transit Layer 3 VNI is used. Figure 2 shows a sample VXLAN EVPN network with two subnets
(subnets B1 and B2), their respective SVIs and BDIs, and the Layer 3 VNI (50001) associated with their VRF
instances.
Figure 2. Logical Diagram Showing Hosts in Nonprotected VLANs 111 and 112, Their Respective Default Gateway SVIs and
BDIs on Two Different Leaf Switches in the Fabric, and Their VRF Instances with the Layer 3 (Transit) VNI
When a given subnet needs to be protected by the firewall, its default gateway is no longer placed within
the fabric; instead, it is configured on the firewall. For such a protected subnet, the VXLAN EVPN fabric acts only as a
tunnel transport. Because multiple such subnets can terminate on the firewall, this type of firewall is often referred
to as an east-west firewall. In this scenario, workloads within the protected subnet use the east-west firewall as their
default gateway (Figure 3). The firewall enforces security policies for data passing between subnets and maintains
adjacency tables for all workloads in the protected subnets (Address Resolution Protocol [ARP] for IPv4 and
Neighbor Discovery Protocol [NDP] for IPv6).
Figure 3. Logical Diagram Showing Hosts in VLANs 101 and 102 and a Firewall Terminating These VLANs as a Default
Gateway for the Respective Subnets
Such a scenario also requires the east-west firewall to have an additional Layer 3 link, which is used to reach any
other networks and connects back to the routed domain (Figure 4).
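The design described above (nonprotected subnets with their gateway SVIs in the fabric and the transit Layer 3 VNI, protected subnets carried as Layer 2 only with the gateway on the east-west firewall, and the firewall's additional Layer 3 link back into the routed domain) is shown here as an added NX-OS configuration sketch for a single leaf switch. This is illustrative configuration written for this edit, not configuration taken from the white paper. Only the VLAN IDs 101, 102, 111 and 112 and the Layer 3 VNI 50001 come from the text; the VRF name, Layer 2 VNI numbers, IP addresses, interface names, anycast gateway MAC, BGP AS number and the choice of a Nexus 9000-style EVPN syntax are all assumptions, and the firewall's own configuration is out of scope.

```nxos
! Added example. Values other than VLANs 101/102/111/112 and L3 VNI 50001 are assumed.
feature bgp
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay
feature fabric forwarding
nv overlay evpn

! Tenant VRF carrying the transit Layer 3 VNI used for inter-subnet traffic across the fabric.
! The static routes point the protected subnets at the firewall's routed (outside) address.
vrf context Tenant-A
  vni 50001
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
  ip route 10.1.1.0/24 10.255.0.1
  ip route 10.1.2.0/24 10.255.0.1

! Layer 2 VNIs: nonprotected subnets B1/B2 (VLANs 111/112) and protected subnets (VLANs 101/102).
vlan 111
  vn-segment 10111
vlan 112
  vn-segment 10112
vlan 101
  vn-segment 10101
vlan 102
  vn-segment 10102
! Core-facing VLAN that carries the Layer 3 VNI; no hosts live here.
vlan 2501
  vn-segment 50001

! Anycast gateway MAC shared by every leaf (assumed value).
fabric forwarding anycast-gateway-mac 0000.1111.2222

! Nonprotected subnets: the default gateway is a distributed anycast SVI on each leaf.
interface Vlan111
  no shutdown
  vrf member Tenant-A
  ip address 10.1.11.1/24
  fabric forwarding mode anycast-gateway
interface Vlan112
  no shutdown
  vrf member Tenant-A
  ip address 10.1.12.1/24
  fabric forwarding mode anycast-gateway

! Transit SVI for the Layer 3 VNI: no IP address, routing only.
interface Vlan2501
  no shutdown
  vrf member Tenant-A
  ip forward

! Protected subnets (VLANs 101/102): deliberately NO SVI on the leaf. The fabric only
! tunnels Layer 2 frames; the firewall owns the gateway addresses (assumed 10.1.1.1/24
! and 10.1.2.1/24), the inter-subnet policy, and the ARP/ND adjacencies for these hosts.

! Trunk toward the east-west firewall carrying only the protected VLANs.
interface Ethernet1/10
  description To-EW-Firewall-Inside
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 101-102
  no shutdown

! The firewall's additional Layer 3 link back into the routed domain, terminated in the VRF.
interface Ethernet1/11
  description To-EW-Firewall-Outside-L3
  no switchport
  vrf member Tenant-A
  ip address 10.255.0.0/31
  no shutdown

! VTEP: hosts are advertised through BGP EVPN; attach the Layer 2 VNIs and the Layer 3 VNI.
interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10101
    ingress-replication protocol bgp
  member vni 10102
    ingress-replication protocol bgp
  member vni 10111
    ingress-replication protocol bgp
  member vni 10112
    ingress-replication protocol bgp
  member vni 50001 associate-vrf

! Redistribute the firewall-pointing static routes into EVPN so other leaves reach the
! protected subnets through this leaf's L3 link to the firewall.
route-map FW-ROUTES permit 10
router bgp 65000
  vrf Tenant-A
    address-family ipv4 unicast
      redistribute static route-map FW-ROUTES
      advertise l2vpn evpn
```

The point to check on a real deployment is the asymmetry this creates: VLANs 111 and 112 have an SVI with `fabric forwarding mode anycast-gateway`, whereas VLANs 101 and 102 have only a `vn-segment` and an NVE membership. If an operator later adds an SVI for a protected VLAN on any leaf, that leaf starts answering ARP/ND for the gateway address and traffic bypasses the firewall's policy, so the absence of those SVIs is itself a security control worth auditing.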