Routing Traffic via FW

I'm building out a small VIRL lab. It's based on:

  • Loopbacks on each node.
  • Each Loopback is advertised via OSPF.
  • EBGP peering is performed between the loopbacks.
  • Each leaf is in its own AS and the spines also have their own AS.

I have each server on its own subnet, and they can ping each other.
However, what I want to do is to get the traffic to route through the firewall when traffic is sent between the nodes.
What would be the recommended way of doing this?

Hello Rick

In order to achieve routing via the firewall, you’ll have to influence routing using the various BGP attributes made available to you. If all devices involved are Cisco, then the simplest way to implement this would be to use the weight attribute. This way you can influence the routing locally on each router, and if a route fails, you can still dynamically learn of alternate routes to the destination. Take a look at this lesson for more details:

I hope this has been helpful!

Laz

Thanks. From my understanding this would require the ASA also running BGP?
The issue I see with this and the other methods is when traffic comes back out from the ASA to the border leaf a routing loop will occur.

Hello Rick

Yes, the ASA must also be running BGP if you want the whole topology to function with dynamic routing. Now because you only have one link between border-leaf and asav-1, then yes, a loop would occur. To resolve this you can create subinterfaces on the link and adjust IP addressing and routing accordingly so that one subinterface is used for traffic to the ASA and the other for traffic coming from the ASA.

I hope this has been helpful!

Laz
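As an added illustration (not Laz's or Rick's configuration) of the two mechanics described above, the weight attribute and the split link, here is an IOS-style border-leaf fragment. Hostnames follow the thread; the AS numbers, VLAN IDs and addresses are constructed for the example, and the ASA side is omitted.

```cisco
! border-leaf (Cisco IOS-style example; AS numbers, VLANs and addresses are constructed)
! One physical link to asav-1 split into two dot1Q subinterfaces: one carries
! traffic toward the ASA, the other carries traffic returning from it.
interface GigabitEthernet0/1.10
 description To asav-1 (traffic sent toward the firewall)
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 description From asav-1 (traffic returning from the firewall)
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
!
! Routes received from the ASA get a weight of 200. Received routes default to
! weight 0, so the ASA path wins best-path selection on this router only;
! weight is local and is never advertised to other peers.
route-map PREFER-ASA permit 10
 set weight 200
!
router bgp 65001
 neighbor 10.0.10.2 remote-as 65100
 neighbor 10.0.10.2 description asav-1 (toward firewall)
 neighbor 10.0.10.2 route-map PREFER-ASA in
 neighbor 10.0.20.2 remote-as 65100
 neighbor 10.0.20.2 description asav-1 (return from firewall)
!
! Verify: "show ip bgp" should list the ASA-learned prefixes with 200 in the
! Weight column and mark them as the best path.
```

Note that this only shows the weight being applied; because the border-leaf has a single routing table, a packet arriving on the return subinterface is still forwarded according to that same table, which is the behaviour Rick goes on to describe.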

Thanks for your response. I've created a second link on the ASA, but when looking at the traffic flow I see an issue.
If I update the weight on the ASA, then traffic will ingress correctly and egress based on a default route. Great, but then once the traffic hits the border leaf it will be sent back to the ASA. Any help would be great.

Hello Rick

Yes, I see your dilemma. What’s unusual about your configuration is that each device is found within a single AS. This is causing all BGP routing found within each AS to function in the same way. In other words, BGP on your border-leaf device will always be sent to the ASA (when the weight parameter is set accordingly), regardless of the interface it comes in on. I believe that in order to get all traffic to traverse the ASA, you will require more granularity in the way that you are configuring routing. For this reason, one solution is to place both the border-leaf and the ASA in the same AS and configure the routing using an IGP so that all the traffic you want will traverse the firewall as you require it.

I hope this has been helpful!

Laz

Hi,
The topology has each device in its own AS as shown below:


From my standpoint, getting the traffic into the ASA and back out to the spine is fine with BGP weights and default routing; however, it is the routing from the spine back to leaf 2 which is the problem.

Hello Rick

Yes, I understand, it will be sent back to the border-leaf router. You can try placing Spine1 and Spine2 in different ASes.

Laz