Understanding Centralized Firewall Insertion in EVPN VXLAN Fabrics

 

Centralized Firewall Insertion in an EVPN + VXLAN Fabric

Modern data center networks commonly use VXLAN with EVPN as the control plane to build scalable Layer-2 and Layer-3 fabrics. In a typical deployment, Leaf switches act as VTEPs (VXLAN Tunnel Endpoints) and provide a distributed anycast gateway using symmetric IRB. This allows inter-VLAN routing to occur locally on each Leaf, enabling efficient east-west traffic flow across the fabric.

However, some designs require all traffic to pass through a firewall for security inspection. In such deployments, the firewall becomes the default gateway for all VLANs. This design is commonly referred to as Centralized Routing or Centralized Firewall Insertion.

Typical EVPN VXLAN Architecture

In a standard VXLAN EVPN fabric:

  • Each Leaf switch operates as a VTEP

  • VLANs are mapped to Layer-2 VNIs (L2VNI)

  • VRFs are mapped to Layer-3 VNIs (L3VNI)

  • Each Leaf hosts SVIs with Anycast Gateway IPs

  • Symmetric IRB enables distributed routing between subnets

With this design:

  • Inter-VLAN traffic is routed locally at the ingress Leaf

  • Only routed traffic crosses the overlay

  • The fabric scales efficiently for east-west traffic

Centralized Firewall Gateway Design

In a centralized firewall design, the architecture changes slightly.

Instead of the Leaf switches hosting gateway IP addresses, the firewall owns the default gateway IP for each VLAN.

This results in the following behavior:

  • Leaf switches no longer perform inter-VLAN routing

  • Leaves primarily function as Layer-2 VXLAN bridges

  • All routing decisions are handled by the firewall

The VXLAN overlay still exists, but it is primarily used to extend Layer-2 domains across the fabric.

Control Plane Behavior

From a control plane perspective, EVPN continues to function normally.

The fabric still uses BGP EVPN to exchange endpoint reachability information between VTEPs.

The following EVPN route types are typically used:

  • Type-2 routes – MAC/IP advertisement routes for endpoints

  • Type-3 routes – Inclusive multicast routes for BUM traffic

These routes allow the fabric to maintain a distributed MAC address table across all VTEPs.

The key difference in this design is that:

  • The default gateway IP for each VLAN resides on the firewall

  • Leaf switches do not host SVI gateway addresses

  • IRB routing is not performed inside the fabric

Instead, the EVPN control plane simply ensures endpoint reachability across the overlay network.

Data Plane Operation

East-West Traffic (Between Subnets)

Consider a host attempting to reach a device in a different subnet.

  1. The host sends traffic to its default gateway, which is the firewall.

  2. The host sends an ARP request for the gateway IP.

  3. The ARP request is flooded within the L2VNI across the VXLAN fabric.

  4. The firewall responds with its MAC address.

  5. This MAC address is then advertised via EVPN Type-2 routes.

Once learned, traffic destined for the gateway is forwarded as follows:

  1. The host sends packets to the firewall MAC address.

  2. The ingress Leaf VXLAN-encapsulates the frame.

  3. The packet is forwarded across the fabric to the border Leaf connected to the firewall.

  4. The border Leaf decapsulates the VXLAN packet.

  5. The packet is forwarded to the firewall through a trunk or port-channel interface.

The firewall then:

  1. Performs Layer-3 routing

  2. Applies security policies

  3. Sends the packet back toward the fabric in the destination VLAN

The border Leaf encapsulates the packet again into the appropriate VNI, and the packet is delivered to the destination Leaf.

As a result, all inter-VLAN traffic hairpins through the firewall.

North-South Traffic Flow

For north-south traffic toward the internet or external networks, the behavior is similar.

  1. Hosts send traffic to the firewall (default gateway).

  2. The firewall performs:

    • Security policy inspection

    • NAT (Network Address Translation) if required

  3. Traffic is forwarded to the ISP or external network.

Return traffic flows:

  1. From the ISP back to the firewall

  2. The firewall processes the traffic

  3. The firewall forwards it toward the appropriate VLAN

  4. The border Leaf encapsulates it into VXLAN

  5. The packet is delivered to the correct destination VTEP

EVPN ensures that MAC reachability information is maintained, allowing traffic to reach the correct Leaf switch.

Advantages of Centralized Firewall Insertion

This design provides several benefits:

Full Security Visibility

All traffic flows—both east-west and north-south—pass through the firewall.

Simplified Policy Enforcement

Security policies are enforced in one centralized location.

Easier Compliance and Monitoring

Organizations can easily apply deep inspection, logging, and threat analysis.

Disadvantages

Despite its security advantages, centralized routing introduces some trade-offs.

Reduced Fabric Efficiency

The VXLAN fabric loses the benefit of distributed routing.

Traffic Hairpinning

East-west traffic between subnets must detour through the firewall, increasing latency.

Potential Bottleneck

The firewall can become a performance bottleneck, especially in environments with high east-west traffic volumes.

Reduced Horizontal Scalability

The network becomes dependent on the scaling capacity of the firewall platform.

When to Use This Design

Centralized firewall insertion is commonly used in:

  • Highly regulated environments

  • Security-focused enterprise networks

  • Zero-trust architectures

  • Data centers requiring deep packet inspection

However, many modern deployments use distributed routing with selective firewall insertion to balance performance and security.

Comments

Post a Comment

Popular posts from this blog

Cisco ACI Automation with Ansible

Image
  Modern data centers require rapid provisioning, high scalability, and consistent network configuration . Traditional networking approaches—where engineers manually configure switches and routers—are no longer suitable for dynamic cloud environments. Organizations now need programmable infrastructure where networks can be deployed and managed automatically. This is where Cisco Application Centric Infrastructure (ACI) and Ansible automation play a crucial role. Cisco ACI provides a policy-based software-defined networking (SDN) architecture , while Ansible enables infrastructure automation using simple YAML playbooks . When combined, they allow organizations to automate the deployment and management of entire data center networks. This article provides a deep technical understanding of Cisco ACI automation using Ansible , including architecture, components, workflows, playbooks, and best practices. Introduction to Cisco ACI Cisco Application Centric Infrastructure (ACI) i...
Read more

Modern Data Center Design Principles

Image
 Why Modern DC is Designed? Traditional three-tier networks (Core–Aggregation–Access) struggle with: East–West traffic growth (VM-to-VM, microservices) Scalability limits Inefficient redundancy High latency Modern DCs prioritize: Predictable performance Horizontal scalability Fault tolerance Automation & cloud-like operations What Is Spine–Leaf? A two-tier topology where: Leaf switches connect to servers and endpoints Spine switches interconnect all leaf switches Every leaf connects to every spine There is no leaf-to-leaf or spine-to-spine connection. Specifications: Non-blocking fabric Equal-cost paths (ECMP) everywhere Low, predictable latency (usually 2 hops) Highly scalable by adding spines or leafs Traffic Flow North–South: Server ↔ External network East–West: Server ↔ Server  Spine–leaf is optimized for East–West traffic . Benefits Linear scalability Simplified design Better bandwidth utilization Fast...
Read more

Cisco ACI Data Center Architecture: Integrating Cisco UCS Fabric Interconnect with VMware

Image
  Introduction Modern data centers require software-defined networking, automated provisioning, and scalable compute infrastructure . Cisco provides a powerful stack for this through: Cisco ACI (Application Centric Infrastructure) for software-defined networking Cisco UCS (Unified Computing System) for compute VMware vSphere for virtualization When combined, these technologies create a highly automated, policy-driven data center architecture . This article explains how Cisco ACI connects with Cisco UCS Fabric Interconnect and VMware environments , including the architecture, data flow, and design best practices. Core Components in the Architecture 1. Cisco ACI Fabric Cisco ACI is a policy-driven SDN solution built on a spine–leaf architecture. Main components: APIC (Application Policy Infrastructure Controller) Central controller managing policies and automation. Leaf Switches Connect endpoints such as servers, storage, and hypervisors. Spine Switches Provide high-speed fabric ...
Read more