Leaflet for Cisco Prime Network Services Controller Adaptor for DFA
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
◦ Data traffic originating from any of the networks in the RnD VRF toward any other network outside this VRF will be sent to the firewall for filtering and policy enforcement.
◦ Host and workload networks should be configured using one of these two profiles: defaultNetworkIpv4EfESProfile for Enhanced Forwarding mode, and defaultNetworkIpv4TfESProfile for Traditional Forwarding mode.
◦ The FW-INSIDE network should be configured using the following profile: serviceNetworkIpv4DynamicRoutingESProfile. The firewall will establish dynamic OSPF routing adjacency with the fabric through the inside interface.
◦ OSPF dynamic routing adjacency from the leaf side is established using OSPF area 0 with process ID 2.
◦ The design does not require enforcement of OSPF Designated Router (DR) and Backup Designated Router (BDR) roles in the network. However, if such requirements existed, ospf priority 0 should be configured on the firewalls to prevent them from assuming one of these roles in a given network segment.
Figure 14. IP Addresses and OSPF Dynamic Routing Adjacencies Between Inside and Outside Interfaces of the Tenant-Edge Firewall
● The RnD-EXT VRF is the external partition used as a transit VRF for all traffic originating from the RnD VRF and destined for the outside world.
◦ The FW-OUTSIDE network is used to connect the outside interface of the tenant-edge firewall: 192.168.14.40/29.
◦ The FW-OUTSIDE network should be configured using the following profile: externalNetworkIpv4DynamicRoutingESProfile. The firewall will establish dynamic OSPF routing adjacency with the fabric through the outside interface.
◦ The design does not require enforcement of the OSPF DR and BDR roles in the network. However, if such requirements existed, ospf priority 0 should be configured on the firewalls to prevent them from assuming one of these roles in a given network segment.
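
Where the DR/BDR restriction noted for both the inside and outside interfaces is required, a saved firewall configuration can be audited for it. The following is an added example, not part of the original Cisco document: it assumes an ASA-style configuration syntax, and the interface names, the inside and management addresses and the firewall-side OSPF process ID are constructed; only 192.168.14.40/29 comes from the text above.

```python
import ipaddress
import re

# Constructed ASA-style firewall configuration (assumption, not from the page).
# Only the FW-OUTSIDE subnet 192.168.14.40/29 is taken from the document.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.14.42 255.255.255.248
 ospf priority 0
!
interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.10.2 255.255.255.248
!
interface Management0/0
 nameif mgmt
 ip address 172.16.0.5 255.255.255.0
!
router ospf 1
 network 192.168.14.40 255.255.255.248 area 0
 network 10.10.10.0 255.255.255.248 area 0
"""

def ospf_dr_eligible_interfaces(config: str) -> list[str]:
    """Return nameifs of OSPF-enabled interfaces that lack 'ospf priority 0'."""
    # Subnets advertised into OSPF by 'network <addr> <mask> area <id>' lines.
    ospf_nets = [
        ipaddress.ip_network(f"{net}/{mask}")
        for net, mask in re.findall(r"^ network (\S+) (\S+) area \S+", config, re.M)
    ]
    findings = []
    # Split the configuration into stanzas on the '!' separator lines.
    for stanza in re.split(r"^![ \t]*$", config, flags=re.M):
        if not stanza.lstrip().startswith("interface "):
            continue
        addr = re.search(r"^ ip address (\S+) \S+", stanza, re.M)
        name = re.search(r"^ nameif (\S+)", stanza, re.M)
        if not addr or not name:
            continue
        in_ospf = any(ipaddress.ip_address(addr.group(1)) in n for n in ospf_nets)
        zero_prio = re.search(r"^ ospf priority 0[ \t]*$", stanza, re.M)
        # An OSPF interface without priority 0 can still be elected DR or BDR.
        if in_ospf and not zero_prio:
            findings.append(name.group(1))
    return findings

if __name__ == "__main__":
    print(ospf_dr_eligible_interfaces(SAMPLE_CONFIG))
```

In the constructed sample the inside interface is reported because it participates in OSPF without the priority setting, while the management interface is ignored because its subnet is not in OSPF.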