ACI Multisite Stretched Objects

prince34
Level 1

Hi,

I am new to ACI and I would like to know a few things about ACI Multi-Site.

  1. Do the Tenant and VRF need to be stretched for a BD or EPG to be stretched?
  2. If the BD/EPG are not stretched (Tenant/VRF are stretched), can I configure the same EPG/BD names in multiple sites? Will this cause any issues with inter-site contracts?
  3. Is the service graph possible for the attached diagram? When the source EPG (which initiates the traffic) is in Site-1, it has to go through the Site-1 firewall, including return traffic. When the source EPG is in Site-2, it has to go through the Site-2 firewall?
    1. The firewall is for east-west traffic and in one-arm mode.
  4. Can an L3Out with 0.0.0.0/0 be a source EPG in a service graph (PBR)?

Thank you in advance.

2 Replies

Robert Burns
Cisco Employee

1. ACI objects have relations. Tenant (parent) < VRF (child) < BD (association) < EPG (child). If you want a single EPG to be stretched, the corresponding VRF, BD and Tenant also need to be stretched. You can however have the same or different BD subnet applied to the same EPG stretched across sites.

2. If you opt not to stretch the BD/EPG, not a problem, but these are then treated as separate security objects and would require contracts to allow communication between site-local-only EPGs.

3. Yes, no problem with this approach. Depending on whether your FW is acting as the GW for the subnets, or instead connecting via an L3Out, you have the option to use PBR and/or host routes to keep traffic local to the origin site.

4. Where is the FW located? Within the fabric acting as a GW for a subnet, or externally connected via L3Out?

FWs can't be clustered across sites (at least it comes with some heavy caveats and is not recommended). The best approach is independent FWs in each site. Using PBR you can treat the FWs as the same entity, which will keep the traffic local to the FW, but also allow cross-site access in the event of a failure (this would cause hairpinning of traffic in that case...).

Robert 
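As an added illustration of the hierarchy rule in point 1 (not code from this thread or from Cisco): a small checker that walks the Tenant > VRF > BD > EPG parent chain and reports any object deployed to a site where its parent is not. The object names, site names and data layout are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class AciObject:
    kind: str                      # "tenant", "vrf", "bd" or "epg"
    name: str
    sites: frozenset               # sites the object is deployed to
    parent: AciObject | None = None

    @property
    def stretched(self) -> bool:
        # An object present in more than one site is a stretched object.
        return len(self.sites) > 1

def validate(obj: AciObject) -> list[str]:
    """Return rule violations found along obj's parent chain.

    Rule from the thread: every site that carries a child object must also
    carry its parent (EPG -> BD -> VRF -> Tenant). Stretching an EPG therefore
    forces its BD, VRF and Tenant to be stretched as well.
    """
    problems = []
    cur = obj
    while cur.parent is not None:
        missing = cur.sites - cur.parent.sites
        if missing:
            problems.append(
                f"{cur.kind} {cur.name} is deployed to {sorted(missing)} "
                f"but its {cur.parent.kind} {cur.parent.name} is not")
        cur = cur.parent
    return problems

def build_example() -> dict[str, AciObject]:
    """Constructed sample topology: one correct and two broken EPGs."""
    both = frozenset({"site-1", "site-2"})
    tenant = AciObject("tenant", "Prod", both)
    vrf = AciObject("vrf", "Prod-VRF", both, tenant)
    bd_stretched = AciObject("bd", "Web-BD", both, vrf)
    bd_local = AciObject("bd", "App-BD", frozenset({"site-1"}), vrf)
    return {
        "web": AciObject("epg", "WEB-EPG", both, bd_stretched),   # valid
        "app": AciObject("epg", "APP-EPG", both, bd_local),       # BD not stretched
        "db": AciObject("epg", "DB-EPG", frozenset({"site-2"}), bd_local),  # wrong site
    }

if __name__ == "__main__":
    for key, epg in build_example().items():
        print(key, validate(epg) or "ok")
```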

prince34
Level 1

Thank you Robert, for the clarifications.

For question no. 4: The gateways for the application are ACI BDs. The L3Out is formed with a separate firewall for north-south traffic. Independent firewalls are deployed in Active/Standby per site.


One last question:

If PBR is applied between two EPGs (for example, WEB-EPG in Site-1 and APP-EPG in Site-2, with unique subnets in each site), does ACI create shadow EPGs, or is the PBR only applied at the ingress leaf?
