Security Policy Synchronization Design
The egress of the DC needs to be protected by a firewall, and network-level DR provides active and standby egresses. After an active/standby switchover, traffic leaves through the egress of the standby DC and therefore passes through the standby firewall. To ensure that this traffic is protected by, and can pass through, the firewall of the standby DC, the firewall policies of the active and standby DCs must be consistent.
In the multi-PoD solution, it is recommended that a group of firewalls be deployed in each DC and that the two groups mirror each other in active/standby mode. The controller delivers identical configurations and policies to both groups of firewalls; the firewalls then work in active/standby mode through active/standby routes (Figure 7.35).
FIGURE 7.35 Firewall deployment in the multi-PoD solution.
In a single VXLAN domain, the implementation of the multi-PoD forwarding plane is similar to that in a single DC. BGP EVPN functions as the VXLAN control plane protocol; border, server, and service leaf nodes function as VTEPs; and spine nodes function as RRs. VTEPs function as RR clients and establish BGP peer relationships with spine nodes to advertise EVPN address family routes. The BGP EVPN routes trigger automatic VXLAN tunnel establishment between VTEPs, eliminating the need for manual configuration of tunnels. BGP EVPN advertises host and MAC routes, as shown in Figure 7.36.
One end-to-end VXLAN tunnel is established between the two DCs. In Figure 7.37, Leaf1 in DC A and Leaf4 in DC B run BGP EVPN to exchange MAC or host routes without changing the next hop addresses of those routes. As a result, an end-to-end VXLAN tunnel is established between the VTEPs on Leaf1 and Leaf4 across the DCs. VMb2 and VMa1 in Figure 7.37 are used as an example to illustrate the VXLAN tunnel establishment process and the data packet forwarding process within a subnet.
1. Control plane
   - Leaf1 obtains information about VMa1, generates a BGP EVPN route, and sends it to Leaf2. This BGP EVPN route carries the export VPN target of the local EVPN instance, and its next hop is the VTEP address on Leaf1.

FIGURE 7.36 Forwarding plane design.

   - Upon receipt of the BGP EVPN route, Leaf2 sends it to Leaf3 without changing the next hop of the route.
   - Upon receipt of the BGP EVPN route, Leaf3 sends it to Leaf4 without changing the next hop of the route.
   - Upon receipt of the BGP EVPN route, Leaf4 checks the export VPN target that the route carries. If this export VPN target is the same as the import VPN target of the local EVPN instance, Leaf4 accepts the route; otherwise, the route is discarded. After accepting the BGP EVPN route, Leaf4 obtains the next hop of the route, which is the VTEP address of Leaf1. Leaf4 then establishes a VXLAN tunnel to Leaf1 according to the VXLAN tunnel establishment process.
2. Data packet forwarding
   End-to-end VXLAN supports inter-subnet packet forwarding as well as forwarding of known unicast packets and BUM packets within the same subnet. The data packet forwarding process in the end-to-end VXLAN scenario is the same as that in a DC configured with a distributed VXLAN gateway and is therefore not covered here.
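The control-plane steps above, as a small Python simulation added here (not code from the book or from any controller product): Leaf1 originates a route for VMa1 that carries its export VPN target and its own VTEP as next hop, Leaf2 and Leaf3 relay it unchanged, and Leaf4 accepts it, and opens a tunnel to Leaf1's VTEP, only when the carried export target matches its import target. The VTEP addresses and VPN targets are constructed values; the mismatched-target case shows the discard path.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class EvpnRoute:
    host: str        # the host (VMa1) the route describes
    export_rt: str   # export VPN target of the originating EVPN instance
    next_hop: str    # VTEP address of the originating leaf; must survive relaying

@dataclass
class Leaf:
    name: str
    vtep: str
    import_rt: str
    export_rt: str
    tunnels: set = field(default_factory=set)  # remote VTEPs with a VXLAN tunnel

    def originate(self, host: str) -> EvpnRoute:
        # Leaf1: advertise the host with the local export target and own VTEP as next hop
        return EvpnRoute(host, self.export_rt, self.vtep)

    def relay(self, route: EvpnRoute) -> EvpnRoute:
        # Leaf2/Leaf3: re-advertise the route with its next hop unchanged
        return route

    def receive(self, route: EvpnRoute) -> bool:
        # Leaf4: accept only when the carried export target matches the local import target
        if route.export_rt != self.import_rt:
            return False  # route discarded; no tunnel is created
        self.tunnels.add(route.next_hop)  # originator's VTEP, not the relaying leaf's
        return True

def propagate(path: list, host: str) -> bool:
    """Run one route from path[0] through the intermediate leafs to path[-1]."""
    route = path[0].originate(host)
    for leaf in path[1:-1]:
        route = leaf.relay(route)
    return path[-1].receive(route)

def build_path(leaf4_import_rt: str) -> list:
    # Constructed VTEP addresses and VPN targets; Leaf1/Leaf2 sit in DC A, Leaf3/Leaf4 in DC B
    return [Leaf("Leaf1", "10.1.1.1", "100:1", "100:1"),
            Leaf("Leaf2", "10.1.1.2", "100:1", "100:1"),
            Leaf("Leaf3", "10.2.2.3", "100:1", "100:1"),
            Leaf("Leaf4", "10.2.2.4", leaf4_import_rt, "100:1")]

if __name__ == "__main__":
    matched = build_path("100:1")
    print(propagate(matched, "VMa1"), matched[-1].tunnels)        # True {'10.1.1.1'}
    mismatched = build_path("200:1")
    print(propagate(mismatched, "VMa1"), mismatched[-1].tunnels)  # False set()
```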