I have each server on its own subnet. And they can ping each other.
However, what I want to do is to get the traffic to route through the firewall when traffic is sent between the nodes.
What would be the recommended way of doing this?
In order to achieve routing via the firewall, you’ll have to influence routing using the various BGP attributes made available to you. If all devices involved are Cisco, then the simplest way to implement this would be to use the weight attribute. This way you can influence the routing locally on each router, and if a route fails, you can still dynamically learn of alternate routes to the destination. Take a look at this lesson for more details:
Thanks. From my understanding this would require the ASA also running BGP?
The issue I see with this and the other methods is when traffic comes back out from the ASA to the border leaf a routing loop will occur.
Yes, the ASA must also be running BGP if you want the whole topology to function with dynamic routing. Now because you only have one link between border-leaf and asav-1, then yes, a loop would occur. To resolve this you can create subinterfaces on the link and adjust IP addressing and routing accordingly so that one subinterface is used for traffic to the ASA and the other for traffic coming from the ASA.
Thanks for your response. I've created a second link on the ASA but when looking at the traffic flow I see an issue.
If I update the weight on the ASA, then traffic will ingress correctly, and egress based on a default route. Great, but then once the traffic hits the border leaf it will be sent back to the ASA. Any help would be great.
Yes, I see your dilemma. What’s unusual about your configuration is that each device is found within a single AS. This is causing all BGP routing found within each AS to function in the same way. In other words, BGP on your border-leaf device will always be sent to the ASA (when the weight parameter is set accordingly), regardless of the interface it comes in on. I believe that in order to get all traffic to traverse the ASA, you will require more granularity in the way that you are configuring routing. For this reason, one solution is to place both the border-leaf and the ASA in the same AS and configure the routing using an IGP so that all the traffic you want will traverse the firewall as you require it.
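Added illustration, not from this thread: a small Python model of Cisco-style best-path selection and hop-by-hop forwarding that reproduces the loop described above (weight on the border leaf sends everything to the ASA, the ASA's default route sends it straight back). It assumes a constructed topology (leaf-1, border-leaf, asa, leaf-2 with server subnet 10.2.0.0/24; the spine is folded into the border leaf) and, going beyond the thread, shows that the loop only disappears when the two subinterfaces on the border leaf are served by separate routing tables (in practice a routing instance such as a VRF per leg), since a single BGP table cannot decide differently based on the ingress interface.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: tuple        # (device, routing table) the packet is handed to
    weight: int = 0        # Cisco BGP weight: highest wins, significant only on this router
    local_pref: int = 100
    as_path_len: int = 1

def best_path(paths):
    """Cisco best-path order as far as this model goes: weight, local-pref, AS-path length."""
    return max(paths, key=lambda p: (p.weight, p.local_pref, -p.as_path_len))

def lookup(table, prefix):
    """Exact match first, otherwise the default route; None if nothing matches."""
    for want in (prefix, "0.0.0.0/0"):
        cands = [p for p in table if p.prefix == want]
        if cands:
            return best_path(cands)
    return None

def trace(tables, start, prefix, dest_dev):
    """Devices a packet traverses from `start` to `dest_dev`; None if a (device, table) repeats."""
    cur, seen, hops = start, set(), []
    while cur[0] != dest_dev:
        if cur in seen:           # same device, same routing table: forwarding loop
            return None
        seen.add(cur)
        hops.append(cur[0])
        p = lookup(tables[cur], prefix)
        if p is None:
            return None
        cur = p.next_hop
    return hops + [dest_dev]

SUBNET = "10.2.0.0/24"   # constructed: server subnet behind leaf-2

# Case 1, the thread's setup: one routing table on the border leaf, weight 200 on the
# route learned from the ASA, and the ASA returning traffic over a default route.
one_table = {
    ("leaf-1", "default"): [Path(SUBNET, ("border-leaf", "default"))],
    ("border-leaf", "default"): [Path(SUBNET, ("leaf-2", "default")),
                                 Path(SUBNET, ("asa", "default"), weight=200, as_path_len=2)],
    ("asa", "default"): [Path("0.0.0.0/0", ("border-leaf", "default"))],
}
# Case 2, beyond the thread: each border-leaf subinterface has its own routing table
# (e.g. a VRF per leg), so the return leg from the ASA forwards toward leaf-2 only.
two_tables = {
    ("leaf-1", "default"): [Path(SUBNET, ("border-leaf", "fabric"))],
    ("border-leaf", "fabric"): [Path(SUBNET, ("leaf-2", "default")),
                                Path(SUBNET, ("asa", "default"), weight=200, as_path_len=2)],
    ("border-leaf", "from-asa"): [Path(SUBNET, ("leaf-2", "default"))],
    ("asa", "default"): [Path("0.0.0.0/0", ("border-leaf", "from-asa"))],
}

def loop_with_one_table():
    return trace(one_table, ("leaf-1", "default"), SUBNET, "leaf-2")   # None: loop

def path_with_two_tables():
    return trace(two_tables, ("leaf-1", "default"), SUBNET, "leaf-2")
```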
From my standpoint, getting the traffic into the ASA and back out to the spine is fine with BGP weights and default routing; however, it is the routing from the spine back to leaf 2 which is the problem.