Cisco Nexus 5010 Switch White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 11 of 75
In cases in which workloads are vPC dual-attached, the relevant configuration needs to be added to the port channel.
Basic Leaf Configuration for Attaching the East-West Firewall
The following configurations are used on the leaf node attaching to the east-west firewall as shown in . The east-west firewall uses at least two logical interfaces to attach to the fabric, and each of them requires the respective configuration on the fabric leaf node:
● The Layer 3 subinterfaces of the firewall, in the case here for VLANs 101 and 102, attach to the protected subnets. The leaf node uses exactly the configuration that is used to attach workloads.
● The Layer 3 subinterface of the firewall, in the case here for VLAN 200, attaches to the network that is used to communicate with the unprotected subnets in the rest of the fabric.
Configuration 2a: IPVLAN-Based Leaf Switch Connecting to Firewall
feature vn-segment-vlan-based
feature nv overlay
route-map FABRIC-RMAP-REDIST-SUBNET permit 10
  match tag 12345
vlan 200
  vn-segment 30200
  ## maps VLAN 200 to Layer-2 VNI 30200
vlan 101
  vn-segment 30101
  ## maps VLAN 101 to Layer-2 VNI 30101
vlan 2000
  vn-segment 50001
  ## maps VLAN 2000 to the Layer-3 VRF VNI 50001
vrf context VRF-A
  vni 50001
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
interface Vlan200
  ## interface used for Layer-3 peering with the fabric (see note 2)
  no shutdown
  vrf member VRF-A
  ip address 10.10.200.1/24 tag 12345
  ## "tag 12345" is matched by the route-map to redistribute the subnet into BGP
interface Vlan2000
  ## interface used as the Layer-3 VRF VNI interface
  no shutdown
  vrf member VRF-A
  no ip redirects
  ip forward

Note 2: Please refer to Configuration 3a and Configuration 4a for more details.
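Configuration 2a spreads one design across several blocks (VLAN-to-VNI mappings, the VRF and its Layer-3 VNI, the SVIs and the redistribution tag), and a mismatch between any two of them silently breaks forwarding or leaks the transit subnet out of BGP. The script below is an added example, not Cisco's tooling and not part of the original white paper: it parses an NX-OS style configuration and checks that every SVI's VLAN is VXLAN-extended, that the SVI carrying "ip forward" uses the VLAN whose vn-segment equals the VRF's vni, and that every "ip address ... tag" value is matched by a route-map. The sample configuration is a constructed copy of Configuration 2a; the "broken" variant and the check names are assumptions for illustration.

```python
"""Consistency checks for a VXLAN EVPN leaf configuration that attaches a
firewall. Constructed example; not a Cisco tool."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a copy of the leaf configuration shown in Configuration 2a.
LEAF_CONFIG = """\
feature vn-segment-vlan-based
feature nv overlay
route-map FABRIC-RMAP-REDIST-SUBNET permit 10
  match tag 12345
vlan 200
  vn-segment 30200
vlan 101
  vn-segment 30101
vlan 2000
  vn-segment 50001
vrf context VRF-A
  vni 50001
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
interface Vlan200
  no shutdown
  vrf member VRF-A
  ip address 10.10.200.1/24 tag 12345
interface Vlan2000
  no shutdown
  vrf member VRF-A
  no ip redirects
  ip forward
"""

# Constructed broken variant (assumption): wrong L3 VNI and an unmatched tag.
BROKEN_CONFIG = LEAF_CONFIG.replace("vni 50001", "vni 50002").replace(
    "ip address 10.10.200.1/24 tag 12345", "ip address 10.10.200.1/24 tag 54321")


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split an NX-OS style config into (top-level line, [indented child lines]).
    Nested levels are flattened into the enclosing block; that is enough here."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_leaf(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config is consistent."""
    findings: List[str] = []
    blocks = parse_blocks(text)

    features = {h for h, _ in blocks if h.startswith("feature ")}
    for needed in ("feature vn-segment-vlan-based", "feature nv overlay"):
        if needed not in features:
            findings.append(f"missing '{needed}'")

    vlan_vni: Dict[int, int] = {}      # VLAN id -> vn-segment
    vrf_vni: Dict[str, int] = {}       # VRF name -> L3 VNI
    matched_tags: Set[int] = set()     # tags some route-map matches on
    for header, children in blocks:
        if m := re.fullmatch(r"vlan (\d+)", header):
            for c in children:
                if v := re.fullmatch(r"vn-segment (\d+)", c):
                    vlan_vni[int(m.group(1))] = int(v.group(1))
        elif m := re.fullmatch(r"vrf context (\S+)", header):
            for c in children:
                if v := re.fullmatch(r"vni (\d+)", c):
                    vrf_vni[m.group(1)] = int(v.group(1))
        elif header.startswith("route-map "):
            for c in children:
                if t := re.fullmatch(r"match tag (\d+)", c):
                    matched_tags.add(int(t.group(1)))

    for header, children in blocks:
        m = re.fullmatch(r"interface Vlan(\d+)", header)
        if not m:
            continue
        vid = int(m.group(1))
        vrf = next((c.split()[-1] for c in children if c.startswith("vrf member ")), None)
        if vid not in vlan_vni:
            findings.append(f"{header}: VLAN {vid} has no vn-segment, so it is not extended over VXLAN")
        if vrf is None:
            findings.append(f"{header}: no 'vrf member', SVI would land in the default VRF")
        elif vrf not in vrf_vni:
            findings.append(f"{header}: VRF {vrf} is not defined or has no L3 VNI")
        elif "ip forward" in children and vlan_vni.get(vid) != vrf_vni[vrf]:
            # The L3 VNI SVI must sit on the VLAN whose vn-segment is the VRF VNI.
            findings.append(f"{header}: vn-segment {vlan_vni.get(vid)} != VRF {vrf} vni {vrf_vni[vrf]}")
        for c in children:
            if (t := re.fullmatch(r"ip address \S+ tag (\d+)", c)) and int(t.group(1)) not in matched_tags:
                findings.append(f"{header}: tag {t.group(1)} is not matched by any route-map, "
                                "so the subnet will not be redistributed into BGP")
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", LEAF_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(name, check_leaf(cfg) or "OK")
```

Run against a "show running-config" capture before and after a change window; the checks are deliberately limited to what Configuration 2a contains, so a leaf that also carries anycast-gateway SVIs or more VRFs simply gets the same checks applied to each SVI.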