Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
763
Views
2
Helpful
4
Replies

ACI Design Recommendation

Go to solution
ADC Lane
Level 1
Level 1

‎03-27-2023 02:35 AM - edited ‎03-27-2023 02:36 AM

Hi Team , 

I am going to deloy ACI with diagram as below

 

ADCLane_2-1679909589673.png

 

Could you help me review, is it fine in production environment ? 

Maybe I will L3 out to Firewall and fabric as L3 (GW in fabric), no use managed mode for ADC/FW. Please help share me your recommend ! 

Thank you in advance !

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
naveeku6
Cisco Employee
Cisco Employee

‎04-04-2023 01:59 AM

Hi,

 

Thanks for your response, This is pretty much possible, please fine below answer.

 

If you are using an ACI L3Out to route traffic to an external network and don't want to use the L4-7 graph for additional services, you can configure OSPF as the routing protocol and use a Bridge Domain (BD) as the gateway for the external network.

To do this, you can follow the below steps:

  1. Create a Bridge Domain (BD) in the ACI fabric and associate it with a VLAN or subnet.
  2. Create an L3Out external network in ACI that represents the external network connected to the firewall.
  3. Create a border leaf node profile that defines the connection between the ACI fabric and the external network.
  4. Configure the L3Out connection policy that specifies the OSPF routing protocol and filters used to route traffic between the ACI fabric and the external network.
  5. Configure OSPF on the firewall and advertise the subnet associated with the BD as a network that the firewall can reach.
  6. Configure the BD as the default gateway for the external network, either by configuring a static route or through OSPF.

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco ACI through our live Ask the Experts (ATXs) session. Check out the ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

View solution in original post

4 Replies 4

Go to solution
naveeku6
Cisco Employee
Cisco Employee

‎04-03-2023 02:45 AM

Hi,

 

I understand that you are trying to do L3 OUT with Firewall without using  L4-L7 graph. Could you please confirm what deployment type you are using?

 

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco ACI through our live Ask the Experts (ATXs) session. Check out the ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------
 

0 Helpful

Go to solution
ADC Lane
Level 1
Level 1
In response to naveeku6

‎04-03-2023 05:55 AM - edited ‎04-03-2023 05:56 AM

Hi @naveeku6 , 

Yes, I will use L3OUT and don't use L4-7 graph . L3out will use OSPF and BD as Gateway

It's possible to use the deployment ACI type in production environment ? Pleases help share yours recommendation ! 

Thank you in advance !

0 Helpful

Go to solution
naveeku6
Cisco Employee
Cisco Employee

‎04-04-2023 01:59 AM

Hi,

 

Thanks for your response, This is pretty much possible, please fine below answer.

 

If you are using an ACI L3Out to route traffic to an external network and don't want to use the L4-7 graph for additional services, you can configure OSPF as the routing protocol and use a Bridge Domain (BD) as the gateway for the external network.

To do this, you can follow the below steps:

  1. Create a Bridge Domain (BD) in the ACI fabric and associate it with a VLAN or subnet.
  2. Create an L3Out external network in ACI that represents the external network connected to the firewall.
  3. Create a border leaf node profile that defines the connection between the ACI fabric and the external network.
  4. Configure the L3Out connection policy that specifies the OSPF routing protocol and filters used to route traffic between the ACI fabric and the external network.
  5. Configure OSPF on the firewall and advertise the subnet associated with the BD as a network that the firewall can reach.
  6. Configure the BD as the default gateway for the external network, either by configuring a static route or through OSPF.

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco ACI through our live Ask the Experts (ATXs) session. Check out the ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Go to solution
ADC Lane
Level 1
Level 1

‎04-04-2023 02:36 AM

Hi @naveeku6 

I am really appreciate about this. this help me a lot !

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License