Overview of EVPN with Transparent Firewall Insertion
In certain scenarios there is a requirement to send all routing traffic through a Layer 2 transparent firewall. However, by default, VXLAN EVPN requires a distributed anycast gateway on all LEAFs.
To address the Layer 2 transparent firewall requirement with VXLAN EVPN, a special topology can be used.
The topology contains the following types of VLANs:
Internal VLAN (A regular VXLAN on TOR Leafs with anycast gateway)
Firewall Untrusted VLAN X
Firewall Trusted VLAN Y
In this topology, the traffic that goes from VLAN X to other VLANS must go through a transparent Layer 2 firewall that is attached to the service leafs.
This topology utilizes an approach of an untrusted VLAN X and a trusted VLAN Y.
All TOR leafs have a Layer 2 VNI VLAN X. There is no SVI for VLAN X.
The service leafs that are connected to the firewall have Layer 2 VNI VLAN X, non-VXLAN VLAN Y, and SVI Y with a HSRP gateway.
VXLAN flood and learn only supports a centralized gateway. This means that only one VPC pair VTEP can have an SVI per VXLAN. No other VTEP can have an SVI on a VXLAN VLAN.
VXLAN only supports an anycast gateway, not a centralized gateway.