Beginner

Stateful Firewall with ACI Security Groups

Team

 

I have a question related to the Security Groups in ACI. Today in the DC we add a stateful firewall to filter the east-west traffic. With ACI, when we create SGs or EPGs, we remove the appliances (L4-7) and just create contracts between the EPGs, but we keep the L4-7 appliances mainly to filter the north-south traffic (between Web - App - DB tiers).

 

The questions are,

 

- What features do I lose if I replace the stateful firewall with a contract?

- Does that add risk and make the setup vulnerable? How?

- How to overcome this issue, as adding a service chain inside the tier (e.g. APP) would cause a performance issue?

- Does Tetration solve this problem, how?

 

I truly appreciate your input, and if you have a document that talks about the same, please share it.

 

Best Regards,

 

Maj

 

 

1 REPLY 1
Cisco Employee

Re: Stateful Firewall with ACI Security Groups

Tetration captures traffic on the network to allow you to create whitelist contracts in ACI.

You should probably ask ACI the other questions. My understanding is that contracts are simple router ACLs and are not stateful.
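
The difference between per-packet ACL matching and connection tracking, as an added example that is not part of the reply above and is not Cisco code. It is a generic model of the two filter types, not a model of ACI contracts themselves; the addresses, port 8080 and all function names are constructed for illustration.

```python
from collections import namedtuple

# Constructed TCP packet model; flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK.
Packet = namedtuple("Packet", "src dst sport dport flags")

WEB, APP = "10.0.1.10", "10.0.2.20"  # constructed tier addresses

def stateless_permit(pkt):
    """ACL-style filter: every packet is judged alone against two rules."""
    # Rule 1: web -> app on tcp/8080
    if pkt.src == WEB and pkt.dst == APP and pkt.dport == 8080:
        return True
    # Rule 2: "return traffic", matched only by source port 8080
    return pkt.src == APP and pkt.dst == WEB and pkt.sport == 8080

class StatefulFilter:
    """Same policy, but reverse packets must belong to a tracked flow."""
    def __init__(self):
        self.flows = set()

    def permit(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src == WEB and pkt.dst == APP and pkt.dport == 8080:
            if pkt.flags == "S":      # only a SYN may open a new flow
                self.flows.add(key)
                return True
            return key in self.flows  # mid-stream packets need a known flow
        return rev in self.flows      # replies need a matching forward flow

def compare(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_permit(p), fw.permit(p)) for p in packets]

# Constructed sample traffic
SAMPLE = [
    Packet(WEB, APP, 40000, 8080, "S"),   # client opens a connection
    Packet(APP, WEB, 8080, 40000, "SA"),  # server reply on that flow
    Packet(WEB, APP, 40000, 8080, "A"),   # handshake completes
    Packet(APP, WEB, 8080, 41000, "SA"),  # reply-shaped packet, no such flow
    Packet(WEB, APP, 50000, 8080, "A"),   # mid-stream ACK, no SYN ever seen
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "stateless=%s stateful=%s" % verdict)
```

The last two packets pass the per-packet rules but are dropped by the connection tracker, which is the kind of check that goes away when a stateful device is replaced by stateless rules.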