09-04-2019 02:05 AM
Hi ACI experts,
let's assume a pretty simple DC design. There are multiple VRFs and communication between those VRFs must pass a firewall.
From my point of view there are two alternatives:
I think this whitepaper explains it very well: https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html
I guess from a configuration complexity and flexibility standpoint, PBR/Service-Graphs are pretty awesome.
However (and now for the question), if you have IPv4 Multicast routing requirements, you are stuck with traditional networking, right? So as soon as you have Multicast routing, you cannot:
Are my findings correct or is it total nonsense?
Thanks!
Best regards
Johannes
09-05-2019 08:39 PM
Correct, multicast and broadcast traffic redirection are not supported because the contract is applied to unicast traffic only. If you need route leaking you can do shared l3 out for N-S traffic and inter-VRF route leaking for E-W traffic. If the requirement is that all traffic must be inspected by the FW your best bet is probably just to have multiple L3 outs per VRF and let the FW do the VRF stitching.
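To make the trade-off in this answer concrete, here is an added design check (example code written for this page, not from the thread, from Cisco, or from any APIC API). It models the three options named above with a constructed, simplified policy model: a contract with PBR/service-graph redirect only redirects unicast, plain route leaking sends inter-VRF traffic past the firewall, and per-VRF L3Outs with the firewall stitching the VRFs see everything. The `Design`, `Flow`, `verdict` and `check_design` names, and the sample flows, are assumptions of this example; it evaluates constructed flows offline and reports whether a design still meets an "all inter-VRF traffic must be inspected" requirement once multicast is in the mix.

```python
"""Constructed design check for inter-VRF firewall insertion in ACI.

Not an APIC API: it only encodes the behaviour described in the thread so
that a set of planned flows can be checked against each design option.
"""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Design(Enum):
    PBR_SERVICE_GRAPH = "pbr"        # contract with PBR redirect to the FW
    ROUTE_LEAKING = "route_leak"     # shared L3Out / inter-VRF leaking, no FW
    L3OUT_PER_VRF = "l3out_per_vrf"  # FW terminates one L3Out per VRF


@dataclass(frozen=True)
class Flow:
    src_vrf: str
    dst_vrf: str
    dst_ip: str  # 224.0.0.0/4 destinations are multicast


def is_multicast(dst_ip: str) -> bool:
    """True for IPv4 (or IPv6) multicast destination addresses."""
    return ipaddress.ip_address(dst_ip).is_multicast


def verdict(flow: Flow, design: Design) -> str:
    """Classify one flow under a design.

    Returns 'intra_vrf' (inter-VRF policy does not apply), 'inspected',
    'bypasses_fw' (crosses VRFs without hitting the firewall) or
    'not_redirectable' (PBR cannot redirect it, so the requirement is unmet).
    """
    if flow.src_vrf == flow.dst_vrf:
        return "intra_vrf"
    if design is Design.L3OUT_PER_VRF:
        # Every inter-VRF packet is routed through the FW's L3Outs.
        return "inspected"
    if design is Design.ROUTE_LEAKING:
        # Routes are leaked between VRFs; nothing forces the traffic to the FW.
        return "bypasses_fw"
    # PBR: the contract applies to unicast only, so multicast is never redirected.
    return "not_redirectable" if is_multicast(flow.dst_ip) else "inspected"


def check_design(flows, design):
    """Evaluate all flows; return (requirement_met, {verdict: [flows]}).

    requirement_met is True only when every inter-VRF flow is 'inspected'.
    """
    buckets = {}
    for flow in flows:
        buckets.setdefault(verdict(flow, design), []).append(flow)
    unmet = {"bypasses_fw", "not_redirectable"}
    return not (unmet & buckets.keys()), buckets


# Constructed sample flows: two VRFs, unicast E-W, one multicast group, one intra-VRF.
SAMPLE_FLOWS = [
    Flow("vrf-prod", "vrf-shared", "10.20.0.10"),
    Flow("vrf-shared", "vrf-prod", "10.10.0.5"),
    Flow("vrf-prod", "vrf-shared", "239.1.1.1"),  # IPv4 multicast receiver group
    Flow("vrf-prod", "vrf-prod", "10.10.0.99"),
]


def report(flows=SAMPLE_FLOWS):
    """Return {design_value: requirement_met} for every design option."""
    return {d.value: check_design(flows, d)[0] for d in Design}


if __name__ == "__main__":
    for design in Design:
        ok, buckets = check_design(SAMPLE_FLOWS, design)
        print(f"{design.value:14s} meets full-inspection requirement: {ok}")
        for k, v in buckets.items():
            print(f"  {k:16s} {len(v)} flow(s)")
```

Running it shows the point of the accepted answer: with `pbr` the unicast flows are inspected but the 239.1.1.1 flow is flagged `not_redirectable`, with `route_leak` every inter-VRF flow bypasses the firewall, and only `l3out_per_vrf` satisfies the requirement for the whole set. Swap in your own planned flows to see which option your multicast groups force you into.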