11-04-2023 09:30 AM - edited 11-04-2023 10:49 AM
Hi,
I am new to ACI and I would like to know a few things about ACI multi-site.
Thank you in advance.
11-05-2023 07:31 AM
1. ACI objects have relations. Tenant (parent) < VRF (child) < BD (association) < EPG (child). If you want a single EPG to be stretched, the corresponding VRF, BD and Tenant also need to be stretched. You can however have the same or different BD subnet applied to the same EPG stretched across sites.
2. If you opt not to stretch the BD/EPG, not a problem, but these are treated then as separate security objects and would require contracts to allow communication between site-local only EPGs.
3. Yes, no problem with this approach. Depending on whether your FW is acting as the GW for the subnets, or instead connecting via an L3out, you have the option to use PBR and/or Host Routes to keep traffic local to the origin site.
4. Where is the FW located? Within the fabric acting as a GW for a subnet, or externally connected via L3out?
FWs can't be clustered across sites (at least it comes with some heavy caveats and is not recommended). Best approach is for independent FWs in each site. Using PBR you can treat the FWs as the same entity which will keep the traffic local to the FW, but also allow cross site access in the event of a failure (would cause hairpinning of traffic in this case...).
Robert
11-10-2023 11:48 PM
Thank you Robert, for the clarifications.
For question no. 4: The gateway for the application is the ACI BD. L3out is formed with a separate firewall for north-south traffic. Independent firewalls are deployed in Active/Standby per site.
One last question
If PBR is applied between two EPGs (for example: WEB-EPG in Site-1 & APP-EPG in Site-2, subnets are unique in each site), does ACI create shadow EPGs, or is the PBR only applied to the ingress leaf?