Brochure for Cisco Prime Network Services Controller Adaptor for DFA

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
◦ Data traffic originating from any of the networks in the RnD VRF toward any other network outside this VRF will be sent to the firewall for filtering and policy enforcement.
◦ Host and workload networks should be configured using one of these two profiles: defaultNetworkIpv4EfESProfile for Enhanced Forwarding mode, and defaultNetworkIpv4TfESProfile for Traditional Forwarding mode.
◦ The FW-INSIDE network should be configured using the following profile: serviceNetworkIpv4DynamicRoutingESProfile. The firewall will establish dynamic OSPF routing adjacency with the fabric through the inside interface.
◦ OSPF dynamic routing adjacency from the leaf side is established using OSPF area 0 with process ID 2.
◦ The design does not require enforcement of OSPF Designated Router (DR) and Backup Designated Router (BDR) roles in the network. However, if such requirements existed, ospf priority 0 should be configured on the firewalls to prevent them from assuming one of these roles in a given network segment.
Figure 14. IP Addresses and OSPF Dynamic Routing Adjacencies Between Inside and Outside Interfaces of the Tenant-Edge Firewall
 
● The RnD-EXT VRF is the external partition used as a transit VRF for all traffic originating from the RnD VRF and destined for the outside world.
◦ The FW-OUTSIDE network is used to connect the outside interface of the tenant-edge firewall: 192.168.14.40/29.
◦ The FW-OUTSIDE network should be configured using the following profile: externalNetworkIpv4DynamicRoutingESProfile. The firewall will establish dynamic OSPF routing adjacency with the fabric through the outside interface.
◦ The design does not require enforcement of the OSPF DR and BDR roles in the network. However, if such requirements existed, ospf priority 0 should be configured on the firewalls to prevent them from assuming one of these roles in a given network segment.
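
Where the DR/BDR restriction described for the FW-INSIDE and FW-OUTSIDE networks does apply, a saved firewall configuration can be audited for it. The script below is an added example, not part of the Cisco document: it assumes ASA-style interface stanzas (nameif, ospf priority), and the interface names and addresses in the sample are constructed.

```python
import re

# Constructed sample in ASA-style syntax (an assumption; the page names no
# firewall platform). Interface names and the inside/mgmt addresses are
# invented; the outside address is picked from FW-OUTSIDE 192.168.14.40/29.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 ip address 10.10.10.1 255.255.255.248
 ospf priority 0
!
interface GigabitEthernet0/1
 nameif outside
 ip address 192.168.14.41 255.255.255.248
!
interface Management0/0
 nameif mgmt
 ip address 10.0.0.5 255.255.255.0
"""

DEFAULT_OSPF_PRIORITY = 1  # OSPF default when no priority is configured


def parse_interfaces(config):
    """Return {nameif: effective OSPF priority} for every named interface."""
    result = {}
    # Split at each line that starts a new "interface ..." stanza.
    for stanza in re.split(r"(?m)^(?=interface\s)", config):
        name = re.search(r"(?m)^[ \t]+nameif[ \t]+(\S+)", stanza)
        if not name:
            continue
        prio = re.search(r"(?m)^[ \t]+ospf priority[ \t]+(\d+)", stanza)
        result[name.group(1)] = int(prio.group(1)) if prio else DEFAULT_OSPF_PRIORITY
    return result


def dr_eligible(config, ospf_interfaces=("inside", "outside")):
    """List fabric-facing interfaces that could still be elected DR or BDR."""
    priorities = parse_interfaces(config)
    findings = []
    for nameif in ospf_interfaces:
        if nameif not in priorities:
            findings.append((nameif, None))  # interface missing from config
        elif priorities[nameif] != 0:
            findings.append((nameif, priorities[nameif]))
    return findings


if __name__ == "__main__":
    for nameif, prio in dr_eligible(SAMPLE_CONFIG):
        print(f"{nameif}: priority {prio}, firewall can become DR/BDR")
```

An interface with no explicit ospf priority line is reported with the default value of 1, which is the case that is easy to miss when reviewing a configuration by eye.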