Cisco Cisco Nexus 5010 Switch Libro bianco

Page 5 of 75

When data needs to be forwarded between subnets within a given Virtual Routing and Forwarding (VRF) instance

across the fabric, a transit Layer 3 VNI is used. Figure 2 shows a sample VXLAN EVPN network with two subnets

(subnets B1 and B2), their respective SVIs and BDIs, and the Layer 3 VNI (50001) associated with their VRF

instances.

Figure 2. Logical Diagram Showing Hosts in Nonprotected VLANs 111 and 112, their Respective Default Gateway SVIs and

BDIs on Two Different Leaf Switches in the Fabric, and Their VRF Instances with the Layer 3 (Transit) VNI

When a given subnet needs to be protected by the firewall, its respective default gateway is no longer placed within

the fabric, but instead is configured on the firewall. For such a protected subnet, VXLAN EVPN fabric acts only as a

tunnel transport. Because multiple such subnets can terminate on the firewall, this type of firewall often is referred

to as an east-west firewall. In this scenario, workloads within the protected subnet use the east-west firewall as the

default gateway (Figure 3). The firewall enforces security policies for data passing between subnets and maintains

adjacency tables for all workloads from protected subnets (Address Resolution Protocol [ARP] for IPv4 and

Neighbor Discovery Protocol [NDP] for IPv6).

Figure 3. Logical Diagram Showing Hosts in VLANs 101 and 102 and a Firewall Terminating these VLANs as a Default

Gateway for the Respective Subnets

Such a scenario also requires the east-west firewall to have an additional Layer 3 link, which is used to reach any

other networks and connects back to the routed domain (Figure 4).