2543 Views, 5 Helpful, 1 Reply

ACI firewall design options with multiple VRFs (VRF sandwich vs. service graphs)

Johannes Luther
Level 4

Hi ACI experts,

Let's assume a pretty simple DC design: there are multiple VRFs, and communication between those VRFs must pass through a firewall.

From my point of view there are two alternatives:

  • Traditional networking / VRF sandwich: the firewall has a transit network per VRF (one L3Out per VRF)
  • PBR using Service Graphs: decide per EPG / contract whether traffic must pass the FW

I think this whitepaper explains it very well: https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html

I guess from a configuration complexity and flexibility standpoint, PBR/Service-Graphs are pretty awesome.


However (and now for the question), if you have IPv4 multicast routing requirements, you are stuck with traditional networking, right? So as soon as you have multicast routing, you cannot:

  • Use PBR/Service graphs, because those are only valid for unicast traffic
  • Route leak / build contracts between different VRFs, because those are only valid for unicast traffic
  • Build a shared L3Out in another VRF (for example in the common tenant), because it will not work for multicast traffic

Are my findings correct, or is it total nonsense?


Thanks!

Best regards

Johannes

Accepted Solution

micgarc2
Cisco Employee

Correct, multicast and broadcast traffic redirection are not supported because the contract is applied to unicast traffic only. If you need route leaking, you can do a shared L3Out for N-S traffic and inter-VRF route leaking for E-W traffic. If the requirement is that all traffic must be inspected by the FW, your best bet is probably just to have one L3Out per VRF and let the FW do the VRF stitching.

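The accepted answer boils down to a per-VRF check: a VRF that carries multicast needs its own L3Out toward the firewall, because PBR redirect, inter-VRF route leaking and a shared L3Out all handle unicast only. The script below, an added example that is not part of the original thread, runs that check over the JSON shape the APIC REST API returns for class queries (`GET /api/class/<class>.json` yields `{"imdata": [{"<class>": {"attributes": {...}}}]}`). It looks at three classes: `fvCtx` (the VRFs), `l3extRsEctx` (the child of each `l3extOut` that names the VRF it belongs to via `tnFvCtxName`) and `pimCtxP` (present under a VRF only when PIM, i.e. Layer 3 multicast, is enabled). The sample payloads are constructed by hand for the example, and the class names, attribute names and `rsectx`/`pimctxp` relative names are assumptions about the APIC object model that you should confirm against your own fabric before relying on the output.

```python
"""Audit an ACI tenant for the VRF-sandwich firewall design.

Added example (not from the thread). Consumes APIC-style "imdata" payloads for
fvCtx, l3extRsEctx and pimCtxP and reports, per VRF, whether a dedicated L3Out
exists and whether multicast is enabled. Class/attribute names are assumptions.
"""
import re

# Constructed sample data shaped like APIC class-query responses (not real output).
SAMPLE_VRFS = {"imdata": [
    {"fvCtx": {"attributes": {"dn": "uni/tn-dc1/ctx-prod", "name": "prod"}}},
    {"fvCtx": {"attributes": {"dn": "uni/tn-dc1/ctx-mgmt", "name": "mgmt"}}},
    {"fvCtx": {"attributes": {"dn": "uni/tn-dc1/ctx-media", "name": "media"}}},
    {"fvCtx": {"attributes": {"dn": "uni/tn-dc1/ctx-dev", "name": "dev"}}},
]}
# l3extRsEctx lives under each L3Out; its dn carries the L3Out name and
# tnFvCtxName names the VRF the L3Out is attached to (assumed rn: "rsectx").
SAMPLE_L3OUT_RELS = {"imdata": [
    {"l3extRsEctx": {"attributes": {"dn": "uni/tn-dc1/out-fw-prod/rsectx", "tnFvCtxName": "prod"}}},
    {"l3extRsEctx": {"attributes": {"dn": "uni/tn-dc1/out-fw-mgmt/rsectx", "tnFvCtxName": "mgmt"}}},
]}
# pimCtxP is only present when PIM is enabled on the VRF (assumed rn: "pimctxp").
SAMPLE_PIM = {"imdata": [
    {"pimCtxP": {"attributes": {"dn": "uni/tn-dc1/ctx-media/pimctxp"}}},
]}

_CTX_RE = re.compile(r"^(uni/tn-[^/]+/ctx-[^/]+)")
_OUT_RE = re.compile(r"^uni/tn-([^/]+)/out-([^/]+)/rsectx$")


def _attrs(payload, cls):
    """Yield the attribute dict of every object of class `cls` in an imdata list."""
    for obj in payload.get("imdata", []):
        if cls in obj:
            yield obj[cls]["attributes"]


def audit_vrf_sandwich(vrfs, l3out_rels, pim_ctx):
    """Return {vrf_dn: {"name", "l3outs", "multicast", "finding"}}.

    A VRF with its own L3Out has a transit to the firewall (VRF sandwich) and
    can carry any traffic type through it. A VRF without one can only reach
    other VRFs via PBR redirect, route leaking or a shared L3Out, all of which
    are unicast-only; if that VRF also runs multicast, the requirement that
    all inter-VRF traffic passes the firewall cannot be met.
    """
    report = {}
    for ctx in _attrs(vrfs, "fvCtx"):
        report[ctx["dn"]] = {"name": ctx["name"], "l3outs": [], "multicast": False}

    # Map each L3Out onto its VRF. The relation sits in the same tenant as the
    # VRF, so the VRF dn is rebuilt from the tenant found in the relation's dn.
    for rel in _attrs(l3out_rels, "l3extRsEctx"):
        m = _OUT_RE.match(rel["dn"])
        if not m:
            continue
        tenant, out_name = m.groups()
        ctx_dn = f"uni/tn-{tenant}/ctx-{rel['tnFvCtxName']}"
        if ctx_dn in report:
            report[ctx_dn]["l3outs"].append(out_name)

    # Flag VRFs that have PIM enabled.
    for pim in _attrs(pim_ctx, "pimCtxP"):
        m = _CTX_RE.match(pim["dn"])
        if m and m.group(1) in report:
            report[m.group(1)]["multicast"] = True

    for entry in report.values():
        if entry["l3outs"]:
            entry["finding"] = "ok: dedicated L3Out, the firewall can stitch this VRF"
        elif entry["multicast"]:
            entry["finding"] = ("FAIL: multicast VRF without its own L3Out; PBR, route "
                                "leaking and shared L3Out carry unicast only")
        else:
            entry["finding"] = ("warn: no L3Out, inter-VRF traffic depends on PBR or "
                                "leaking; verify every inter-VRF contract redirects")
    return report


if __name__ == "__main__":
    for dn, e in audit_vrf_sandwich(SAMPLE_VRFS, SAMPLE_L3OUT_RELS, SAMPLE_PIM).items():
        print(f"{dn:24} l3outs={e['l3outs']} multicast={e['multicast']} -> {e['finding']}")
```

Against a live fabric you would feed the three payloads from `GET /api/class/fvCtx.json`, `GET /api/class/l3extRsEctx.json` and `GET /api/class/pimCtxP.json` after authenticating to the APIC; the audit logic itself is independent of how the JSON was fetched.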
