Cisco ASA as VXLAN Gateway in IP Clos

As you can see in the topology, this is an IP Clos structure. The underlay is the routed portion of the network, and any of several IGPs can be chosen for it. Dynamic routing matters because it provides ECMP (Equal-Cost Multi-Path). I used two protocols in the following topology.

  1. OSPF (IGP for the underlay)

  2. PIM (multicast, used to handle BUM traffic)

With a little searching on the internet you can find topologies and configs for VXLAN. This topology could also be built with BGP EVPN, but simple is best, and it is much easier to understand. The main goal of this post is how to run an ASA inside a VXLAN fabric as the VXLAN gateway.

Why use the ASA as a secure VXLAN gateway between VNIs? The answer is simple: to be much more secure.

Those who wish can find the configs in the attachment.

For this lab, I used the Eve-ng community version. The device versions are the following.

  • Spine and Leaf NX-OS: version 7.0(3)I7(4)

  • ASAv: 9.4(1)

  • Device Manager version: 7.4(1)

ASA as VXLAN Gateway

I will use ASDM for the configuration. I love the CLI, but not this time :) Let's start.

First we have to connect the ASA to the IP Clos network. To do this, follow these steps.

  • The Gig0/0 interface, named INSIDE, is assigned an IP address for connecting to the IP Clos fabric.

  • The Gig0/0 interface is chosen as the VTEP source by ticking the checkbox.

Note: The MTU of the INSIDE interface for the VXLAN network must be at least 1554 bytes.

If we don't set the MTU to 1554 bytes, the following warning appears.

Now the ASA is ready to participate in the OSPF and multicast networks. First we have to enable OSPF on INSIDE. The details are in the following picture.

Go to the Area/Networks section. Set the Area ID and add the interface network for the adjacency.

As I am not using OSPF authentication, select the no-authentication option. This part is important: authentication on the ASA is open by default.

The INSIDE interface is selected as the NVE (Network Virtualization Endpoint), i.e. the VTEP.

Then we have to enable PIM on INSIDE to join the multicast network in the IP Clos fabric.

This RP is responsible for all multicast groups (for this lab). The Spine-1 switch is selected as the RP for this topology. If you want to configure a redundant RP, use Anycast RP.

Our configuration is ready to create the VNI interfaces as Layer 3 interfaces. Every VNI will join a multicast group. The configuration for vni10010 and vni10030 follows.

vni10010 interface configuration:

vni10030 interface configuration:

ASAv CLI config:

interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 
 ospf cost 10
 ospf authentication null

interface vni10
 segment-id 10010
 nameif vni10010
 security-level 80
 ip address
 vtep-nve 1
interface vni30
 segment-id 10030
 nameif vni10030
 security-level 70
 ip address
 vtep-nve 1
nve 1
 encapsulation vxlan
 source-interface INSIDE

pim rp-address pimACL_RP bidir

access-list pimACL_RP standard permit
access-list vni10010_access_in_1 extended permit icmp any
access-list vni10010_access_in_1 extended deny ip any
access-list vni10030_access_in extended permit icmp any
access-list vni10030_access_in extended deny ip any

mtu INSIDE 9000

access-group vni10010_access_in_1 in interface vni10010
access-group vni10030_access_in in interface vni10030

router ospf 1
 network area
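A quick check of two of the points above (the MTU on the VTEP source interface must be at least 1554 bytes, and each VNI interface's inbound ACL should end in an explicit deny), written as an added Python example rather than anything from the post or its attachment; the sample config is constructed from the CLI config shown, with addresses left out and two defects introduced so that the checks have something to report.

```python
VXLAN_MIN_MTU = 1554  # minimum MTU the post requires on the VTEP source interface

# Constructed sample (not the post's attachment): its ASAv config trimmed, with the
# mtu set to 1500 and the vni10030 ACL missing its final deny, so both checks fire.
SAMPLE_CONFIG = """\
interface vni10
 nameif vni10010
 vtep-nve 1
interface vni30
 nameif vni10030
 vtep-nve 1
nve 1
 source-interface INSIDE
access-list vni10010_access_in_1 extended permit icmp any any
access-list vni10010_access_in_1 extended deny ip any any
access-list vni10030_access_in extended permit icmp any any
mtu INSIDE 1500
access-group vni10010_access_in_1 in interface vni10010
access-group vni10030_access_in in interface vni10030
"""

def parse_asa(config):
    cfg, current = {"ifaces": {}, "acls": {}, "groups": {}, "mtus": {}, "nve_source": None}, None
    for line in config.splitlines():
        tok = line.split() or [""]
        if tok[0] == "interface":
            current = cfg["ifaces"].setdefault(tok[1], {})
        elif line.startswith(" source-interface "):
            cfg["nve_source"] = tok[1]
        elif line.startswith(" ") and current is not None:
            current[" ".join(tok[:-1])] = tok[-1]  # e.g. "vtep-nve" -> "1"
        elif tok[0] == "access-list":
            cfg["acls"].setdefault(tok[1], []).append(tok[3])  # permit / deny, in order
        elif tok[0] == "access-group" and tok[2] == "in":
            cfg["groups"][tok[4]] = tok[1]  # nameif -> ACL applied inbound
        elif tok[0] == "mtu":
            cfg["mtus"][tok[1]] = int(tok[2])
    return cfg

def audit_vxlan_gateway(config):
    cfg, findings = parse_asa(config), []
    src = cfg["nve_source"]
    mtu = cfg["mtus"].get(src, 1500)  # ASA default when no mtu line is present
    if mtu < VXLAN_MIN_MTU:
        findings.append(f"mtu {src} {mtu} is below {VXLAN_MIN_MTU}")
    for name, attrs in cfg["ifaces"].items():
        if "vtep-nve" in attrs:  # VNI interfaces bound to the NVE carry the inter-VNI policy
            acl = cfg["groups"].get(attrs.get("nameif"))
            if cfg["acls"].get(acl, [])[-1:] != ["deny"]:
                findings.append(f"{name}: inbound ACL {acl} missing or lacks a final deny")
    return findings
```

Run `audit_vxlan_gateway(SAMPLE_CONFIG)` to get the two findings; a config with `mtu INSIDE 9000` and a closing deny on both ACLs returns an empty list.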


The underlay network is already built and running properly; it was checked beforehand. We will only check the ASA's connection to the IP Clos fabric on the CLI.

OSPF adjacency is OK.

All Spine and Leaf routes are in the routing table.

PIM neighbor is OK.

Everything is OK. Let's look at the VXLAN verification and the reachability test between R1, R2, R3 and PC1, PC2.

As you see in the picture, R1, R2 and R3 can reach each other, but they can't reach PC1 and PC2 because of the firewall.

We need to write firewall rules between vni10010 and vni10030. The best test method is ping, so we have to allow the ICMP protocol between R1, R2, R3 and PC1, PC2.

And here is the ping result from R1 to PC1 and PC2:

We can capture the VXLAN traffic with Wireshark from Gig0/0. Taking a Wireshark capture from Gig0/0 is very simple in Eve-ng. If you want to examine it in detail, the Wireshark output is attached at the bottom.

To see the ASA NVE interface details, type

#show nve 1

If we don't see any VTEP peers, this may be because flooding has not happened yet; after all, this is a flood-and-learn environment.

Thanks for reading.
