2 leaf switches interconnected via a vPC and acting as Layer 2 for my hosts. The L3 GW for these hosts is on an external firewall.
A LAG is configured between my Active/Passive firewalls and the leaf switches. The FWs are configured as “External Access” to the fabric. A Layer 3 SVI is set up in each VRF for the ICX between the FW and the leaf switches using HSRP.
Trying to determine whether I can get rid of HSRP and use anycast gateway instead. How can this be achieved?
You can use anycast gateway, but you’ll have to modify the topology slightly to make it work. Remember, anycast gateway is for the hosts’ default gateways inside the EVPN/VXLAN fabric. It replaces HSRP/VRRP on host VLANs.
If you keep the firewall as the L3 gateway for those host VLANs, you cannot use anycast gateway in that role. If you want to get rid of HSRP and use anycast gateway, you must move the hosts’ default gateways into the fabric (symmetric IRB) and make the firewall a routed upstream next-hop. Does that make sense?
I see, so basically what you’re saying is the firewall participates in the VXLAN fabric with its own L2VNI? In such a case, where two VLANs on two different switches need to talk to each other, they use their L3VNIs, but the packet is always forced via the FW with a static route before the packet gets sent to the host (which is another L2VNI).
Well, not quite. My scenario assumes the firewalls remain outside the VXLAN fabric and act as an upstream next hop rather than the immediate default gateway. The anycast gateway must be in the VXLAN fabric, and would use symmetric IRB, which takes place on the leaf switches.
You wouldn’t typically configure firewalls to act as part of the VXLAN/EVPN fabric with their own L2VNI. In standard designs, the firewall is attached as an external Layer 3 device to border/service leaf switches.
Keep in mind that in such a scenario, when using anycast gateway with symmetric IRB, inter-VLAN traffic between two VLANs on different switches is routed directly within the fabric using L3VNIs. It does NOT automatically traverse the firewall. The traffic flow is optimized: the ingress leaf routes the packet, encapsulates it in the L3VNI, sends it to the egress leaf, which then delivers it to the destination host.
However, if you need firewall inspection for specific east-west flows, you must explicitly insert it using Policy-Based Routing (PBR) or similar service insertion mechanisms - not simple static routes. Does that make sense?
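To make the design in this answer concrete, here is an added leaf configuration sketch (written for this thread, not taken from the original poster's setup or any vendor document). It uses Cisco NX-OS style EVPN/VXLAN syntax; the VRF name, VLAN IDs, VNIs, anycast MAC, IP addresses and BGP ASN are all constructed placeholders, and the exact commands vary by platform and release. The host VLAN part is applied identically on every leaf (that is what makes the gateway anycast and removes the need for HSRP); the firewall part lives only on the border/service leaf.

```text
! ---- Applied on every leaf (anycast gateway + symmetric IRB) ----

! Same virtual MAC on all leaves so hosts see one gateway wherever they sit
fabric forwarding anycast-gateway-mac 0000.1111.2222

! Tenant VRF with its L3VNI: routed (inter-VLAN) traffic is carried in this VNI
vrf context TENANT-A
  vni 50001
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn

! Host VLAN mapped to an L2VNI
vlan 10
  vn-segment 10010
! Transit VLAN for the L3VNI (no hosts on it)
vlan 3901
  vn-segment 50001

! Anycast gateway SVI: this is now the hosts' default gateway on every leaf,
! replacing the HSRP address that previously pointed at the firewall
interface Vlan10
  no shutdown
  vrf member TENANT-A
  ip address 10.1.10.1/24
  fabric forwarding mode anycast-gateway

! L3VNI SVI (routing only, no IP address)
interface Vlan3901
  no shutdown
  vrf member TENANT-A
  ip forward

! VTEP
interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10010
    ingress-replication protocol bgp
  member vni 50001 associate-vrf

evpn
  vni 10010 l2
    rd auto
    route-target import auto
    route-target export auto

! ---- Border/service leaf only: firewall as a routed upstream next hop ----

! Ordinary routed SVI in the tenant VRF toward the firewall LAG.
! Deliberately NOT an anycast gateway; the firewall sits outside the fabric.
vlan 200
interface Vlan200
  no shutdown
  vrf member TENANT-A
  ip address 10.255.0.1/29

! Default route to the firewall's shared (active/passive) address, advertised
! into EVPN as a type-5 route so every leaf sends north-south traffic here.
vrf context TENANT-A
  ip route 0.0.0.0/0 10.255.0.2
router bgp 65001
  vrf TENANT-A
    address-family ipv4 unicast
      advertise l2vpn evpn
      network 0.0.0.0/0
```

With this in place, a host in VLAN 10 on leaf A talking to a host in VLAN 20 on leaf B is routed by leaf A, carried across the fabric in VNI 50001 and delivered by leaf B; only traffic without a more specific route (north-south) follows the default toward Vlan200 and the firewall. If some east-west flows must be inspected, that is where the PBR or service-insertion policy mentioned above is attached on the host-facing SVIs, not a static route.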