2 leaf switches interconnected via a vPC and acting as Layer 2 for my hosts. The L3 GW for these hosts is on an external firewall.
A LAG is configured between my Active/Passive firewalls and the leaf switches. The FWs are configured as “External Access” to the fabric. A Layer 3 SVI is set up in each VRF for the ICX between the FW and the leaf switches using HSRP.
I'm trying to determine whether I can get rid of HSRP and use anycast gateway instead. How can this be achieved?
You can use anycast gateway, but you’ll have to modify the topology slightly to make it work. Remember, anycast gateway is for the hosts’ default gateways inside the EVPN/VXLAN fabric. It replaces HSRP/VRRP on host VLANs.
If you keep the firewall as the L3 gateway for those host VLANs, you cannot use anycast gateway in that role. If you want to get rid of HSRP and use anycast gateway, you must move the hosts’ default gateways into the fabric (symmetric IRB) and make the firewall a routed upstream next-hop. Does that make sense?
I see, so basically what you’re saying is the firewall participates in the VXLAN fabric with its own L2VNI? In such a case, where two VLANs on two different switches need to talk to each other, they use their L3VNIs, but the packet is always forced via the FW with a static route before the packet gets sent to the host (which is on another L2VNI)?
Well, not quite. My scenario assumes the firewalls remain outside the VXLAN fabric and act as an upstream next hop rather than the immediate default gateway. The anycast gateway must be in the VXLAN fabric, and would use symmetric IRB, which takes place on the leaf switches.
You wouldn’t typically configure firewalls to act as part of the VXLAN/EVPN fabric with their own L2VNI. In standard designs, the firewall is attached as an external Layer 3 device to border/service leaf switches.
Keep in mind that in such a scenario, when using anycast gateway with symmetric IRB, inter-VLAN traffic between two VLANs on different switches is routed directly within the fabric using L3VNIs. It does NOT automatically traverse the firewall. The traffic flow is optimized: the ingress leaf routes the packet, encapsulates it in the L3VNI, sends it to the egress leaf, which then delivers it to the destination host.
However, if you need firewall inspection for specific east-west flows, you must explicitly insert it using Policy-Based Routing (PBR) or similar service insertion mechanisms - not simple static routes. Does that make sense?
Yes, your diagram is conceptually correct. You have your firewalls outside of your VXLAN infrastructure, and connected to the Leaf switches, and the servers are using anycast default gateways. This is the foundation of distributed anycast gateway implementations used in modern data center fabrics.
And the firewalls need to be in transparent mode so that security policies get applied for east-west traffic, correct? There’s no way to force the traffic to the firewall via a route prior to or after the L3VNI encapsulation process.
Or, as you mentioned, use some type of PBR to redirect traffic to a firewall before VXLAN encapsulation.
Actually, transparent mode on the firewalls is not mandatory for east-west traffic inspection in VXLAN EVPN fabrics with Anycast Gateway. You can force traffic to a firewall using routing mechanisms before L3VNI encapsulation.
You have multiple options to redirect traffic to firewalls BEFORE VXLAN encapsulation including:
Policy-Based Routing (PBR) - The most common and recommended approach:
Apply PBR on the ingress Anycast Gateway SVI
Match specific traffic flows with ACLs
Set next-hop to the firewall
This intercepts traffic BEFORE the L3VNI routing lookup occurs
Works with standard routed-mode firewalls
VRF Route Leaking:
Export routes from source VRF to a dedicated firewall VRF
Traffic is routed through the firewall as the next hop
After inspection, traffic is returned to the destination VRF
Provides deterministic, scalable path enforcement
Service-Leaf Design:
Deploy firewalls on dedicated service leaf switches
Use PBR or route manipulation to steer traffic to service nodes
Enables centralized or distributed service insertion
For Same-Subnet (L2VNI) Traffic:
Routing-based redirection does NOT work because:
Traffic within the same subnet is bridged at Layer 2
It never hits the Anycast Gateway SVI
No L3 routing lookup occurs
Therefore, PBR and route-based steering cannot intercept it
For same-subnet inspection, you need:
Transparent/inline firewall insertion in the L2 path
Platform-specific L2 service-insertion features (if supported)
Micro-segmentation or host-based security
Or redesign to use L3 segmentation instead of flat L2
So for inter-subnet traffic, routed-mode firewalls with PBR or VRF route leaking are preferred. Transparent mode is only necessary if you must inspect same-subnet (L2) traffic.
Now, having said all of that, for your particular topology, the preferred solution is to use PBR to route traffic via the firewall. This can force specific flows through the firewall. An alternative is to split servers into separate VRFs and force all inter-VRF routing through firewall(s).
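The following is an added configuration example, not part of the thread above or of any vendor documentation. It sketches, in NX-OS-style syntax, what the recommended design looks like on a leaf pair: anycast gateway SVIs replacing HSRP on the host VLANs, the firewall kept outside the fabric as a routed upstream next hop over the existing LAG, and PBR applied on an anycast SVI to steer one inter-subnet flow through the firewall. All VRF, VLAN, VNI, ACL and route-map names and every IP address are constructed for illustration; the BGP EVPN and NVE interface configuration is omitted, and it is assumed the platform supports PBR on anycast gateway SVIs and that the firewall-facing SVI lives in the same VRF as the hosts.

```text
! Added example (not from the thread): NX-OS-style leaf configuration.
! Names, VLANs, VNIs and addresses are constructed; BGP EVPN / nve1 config omitted.

feature interface-vlan
feature pbr
feature sla sender
fabric forwarding anycast-gateway-mac 0000.2222.3333   ! identical on every leaf

! Tenant VRF with its L3VNI; symmetric IRB routes between subnets here
vrf context TENANT-A
  vni 50001
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn
  ! Default route toward the firewall. Configure on the leaf pair the firewall
  ! hangs off and redistribute into EVPN so the other leaves learn it.
  ip route 0.0.0.0/0 10.1.100.10

! Host VLANs: same SVI address on every leaf, no HSRP/VRRP
interface Vlan10
  no shutdown
  vrf member TENANT-A
  ip address 10.1.10.1/24
  fabric forwarding mode anycast-gateway
  ip policy route-map EW-TO-FW      ! PBR on the SVI where the flow is routed

interface Vlan20
  no shutdown
  vrf member TENANT-A
  ip address 10.1.20.1/24
  fabric forwarding mode anycast-gateway
  ip policy route-map EW-TO-FW      ! return direction must be steered too

! Firewall transit VLAN: an ordinary routed SVI (not anycast) carried over the
! LAG to the active/passive pair; the firewall inside interface is 10.1.100.10.
! The firewall needs routes for 10.1.10.0/24 and 10.1.20.0/24 via 10.1.100.1.
interface Vlan100
  no shutdown
  vrf member TENANT-A
  ip address 10.1.100.1/24

! Track the firewall so PBR falls back to normal L3VNI routing if it is down
ip sla 1
  icmp-echo 10.1.100.10
    vrf TENANT-A
    frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

! Only VLAN10<->VLAN20 is redirected; all other inter-subnet traffic follows the
! L3VNI directly. Both directions are matched because a stateful firewall must
! see both halves of the session.
! Caveat: VLAN10->VLAN10 traffic is bridged on the L2VNI, never reaches the
! SVI, and is NOT intercepted by this route-map.
ip access-list EW-INSPECT
  10 permit ip 10.1.10.0/24 10.1.20.0/24
  20 permit ip 10.1.20.0/24 10.1.10.0/24
route-map EW-TO-FW permit 10
  match ip address EW-INSPECT
  set ip next-hop verify-availability 10.1.100.10 track 1
```

Two things to check before relying on this: first, on leaves that are not directly attached to the firewall, the PBR next hop 10.1.100.10 is only reachable if the transit subnet (or the firewall host route) is advertised into EVPN, otherwise the route-map has no usable next hop and traffic takes the normal L3VNI path unnoticed; second, with verify-availability the flow silently bypasses the firewall whenever the track goes down, so if a fail-closed posture is required, drop the tracking and accept the outage instead.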