Cisco Asa as Vxlan Gateway in IP-Clos
As you see the topology, There is an IP Clos structure. The underlay is the routed portion of the network. The different IGP protocols can be chosen for the underlay. The dynamic routing is important for ECMP(Equal-Cost-Multi-Path). I used two protocols in the following topology.
OSPF(IGP for Underlay)
PIM (Multicast used to handle BUM traffic)
By doing a little search on the internet, you can find the topologies and configs for Vxlan. We can install this topology with BGP EVPN. But you know, simple is the best also to understand much easier. Today, the main goal of this topic is how to run ASA at Vxlan structure as Vxlan gateway.
Why do we use ASA as Vxlan Secure Gateway between "vni"s? The answer is simple. To be much more secure.
Those who wish can find the configs in the attachment.
For this lab, I used the Eve-ng community version. Also, the devices' versions are the following.
Spine and Leaf NXOS: version 7.0(3)I7(4)
ASAv : 9.4(1)
Device Manager Version 7.4(1)
I will use ASDM for configuring. I love cli but not this time :) Let's start this.
Firstly We have to connect ASA to the IP CLOS network. For this, follow the following steps.
The Gig0/0 interface which calls INSIDE is assigned an IP address for connecting to IP CLOS
The Gig0/0 interface is chosen as vtep source by click box.
Not: The mtu of the INSIDE interface for the Vxlan network must be at least 1554 bytes.
if we don't set the MTU as 1554 bytes, the following warning is taken.
Now The ASA is ready to participate OSPF network and Multicast network. Firstly we have to enable OSPF on INSIDE. The details are in the following picture.
Go to Area/Networks portion. Set the Area ID 0.0.0.0 and add the interface network for adjacency
As I am not using OSPF authentication. Select no authentication part. This part is important, authentication on ASA is open by default.
The INSIDE interface is selected as NVE(Network Virtualization Endpoint) so VTEP
Then we have to enable PIM on the INSIDE to join to multicast network at the IP CLOS.
This RP is responsible for all multicast groups (224.0.0.0/4) for this lab. The spine-1 switch is selected RP for this topology. If you want to configure redundant RP. Use anycast RP.
Our configuration is ready to create vni interfaces as Layer3. Every vni will join a multicast group. Respectively the configuration is below for vni10010,vn10030
Vni10010 interface configuration;
vni10030 interfaceconfiguration;
ASAv cli config;
interface GigabitEthernet0/0
nve-only
nameif INSIDE
security-level 100
ip address 192.168.250.1 255.255.255.0
ospf cost 10
ospf authentication null
interface vni10
segment-id 10010
nameif vni10010
security-level 80
ip address 192.168.10.254 255.255.255.0
vtep-nve 1
mcast-group 225.1.2.3
!
interface vni30
segment-id 10030
nameif vni10030
security-level 70
ip address 192.168.30.254 255.255.255.0
vtep-nve 1
mcast-group 225.1.2.30
!
nve 1
encapsulation vxlan
source-interface INSIDE
pim rp-address 1.1.1.1 pimACL_RP bidir
access-list pimACL_RP standard permit 224.0.0.0 240.0.0.0
access-list vni10010_access_in_1 extended permit icmp any 192.168.30.0 255.255.255.0
access-list vni10010_access_in_1 extended deny ip any 192.168.30.0 255.255.255.0
access-list vni10030_access_in extended permit icmp any 192.168.10.0 255.255.255.0
access-list vni10030_access_in extended deny ip any 192.168.10.0 255.255.255.0
mtu INSIDE 9000
access-group vni10010_access_in_1 in interface vni10010
access-group vni10030_access_in in interface vni10030
router ospf 1
network 192.168.250.0 255.255.255.0 area 0.0.0.0
area 0.0.0.0
log-adj-changes
Verification
The underlay network has already been done and it is running properly. It is checked before. Only we will check ASA connection to IP CLOS on CLI.
OSPF adjacency is ok
All "Spines" and "Leafs" routes are on the route table.
Pim neighbor is Ok
Everything is Ok. Let's look at the Vxlan verification and reachability test between R1, R2, R3, and PC1, PC2.
As you see in the picture, R1, R2 and R3 can reach each other. But they can't access the PC1and PC2 because of the firewall.
We need to write firewall rules between vni10010 and vni10030. The best test method is Ping. For this, we have to allow the ICMP protocol between R1,2,3 and PC1,2.
And here is the ping result from R1 to PC1 and PC2;
We can capture the Vxlan traffic with Wiresharkfrom Gig0/0. To take Wireshark from gig0/0 is very simple at Eve-ng. Also if you want to examine in detail, the output of the Wireshark is attached at the bottom.
To see Asa NVE interface detail, type
#show nve 1
if we don't see any VTEP peers, This may be because flooding may not have happened yet. After all, the environment is a flood and learn.
Thanks for reading.
Comentarios