BD config while default GW is defined in external FW

Thushan Pramod · ‎05-30-2017

Hi,

In ACI fabric, default GW is defined in external FW, so what will the configuration be like in BD. Do we need to configure IP subnet in BD in such scenarios.

Jason Williams · ‎05-30-2017

Thushan,

There is not enough information provided in your post for the support community to give a good answer.

If the GW is on the external FW, then will the endpoints need to talk to other endpoints which belong in other EPG/BDs?

Example:

Host-1 :: EPG-A :: BD-A

Host-2 :: EPG-A :: BD-A

Host-3 :: EPG-B :: BD-B

Host-1 and Host-2 default gateway = external firewall

A) Do you have a scenario where Host-1 or Host-2 will need to communicate with Host-3?

or

B) Does Host-1 and Host-2 only need to talk to each other? No need for those 2 to communicate with Host-3.

If this falls into scenario A, then what is the gateway for Host-3? On ACI or on external firewall/router?

Jason

Thushan Pramod · ‎05-30-2017

Hi Jason,

what I want to know is, when we configure BD is it necessary to configure subnet?

In the default gateway field what will I configure

let's say default GW is 192.168.1.1 for EP-A in EPGA but the default GW should be defined in FW.

when all the default gws are defined in external FW what will be the config at BD will look like? (subnet and default GW perspective)

Jason Williams · ‎05-30-2017

If the gateway is outside of the fabric, then best practice is to disable unicast routing on the BD and do not create a subnet on the BD.

Keep in mind that firewall will need to do all routing. If you need to communicate with other endpoints, then the firewall will need to route the traffic from BD to BD.

I would recommend taking a look at the L4-L7 deployment guide. There are pieces in there which cover BD tuning when passing traffic to a Go-To (routed) firewall.

http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-734298.html#_Toc456397486

Jason