04-19-2022 09:14 AM
Hi, I am deploying an ACI Multi-Site solution and one of the use cases is to connect a firewall in L4-7 service insertion mode. We will have 2 sites connected via an ISN and managed by the NDO/MSO. Each site is going to have its own independent active/standby firewall HA pair configured in routed mode. The firewall will be in two-arm mode, so there will be an inside interface (BD-service-in) and an outside interface (BD-service-out).
Upon reading the Cisco ACI Multi-Site and Service Node Integration White Paper, it says that the service BD(s) must be stretched across sites. This means that the interfaces of the service nodes in different sites must be in the same service BD. Why is this required? Since we are going to have independent HA pairs in both DCs with different inside and outside subnets, I don't see a need to extend the service BDs.
Please advise if anyone has done firewall insertion in PBR mode in Multi-Site?
04-20-2022 11:29 PM
The reason for the stretched service BDs is that you will configure only one service graph, and that one will be stretched. It's true, each site will have its own local PBR node, but the BD is the same for them. Also, the PBR policy (<tenant-name> > Policies > Protocol > L4-L7 Policy-Based Redirect) will perform the lookup in a single BD. Note that if different subnets are used for each service node, then you will simply configure two subnets under the service BD.
Hope it helps,
Sergiu
04-21-2022 09:13 AM - edited 04-21-2022 09:22 AM
Thanks Sergiu,
So just to confirm:
Service-BD-IN will have 2 x subnets in it. Site1-pbr-node-inside-subnet and Site2-pbr-node-inside-subnet.
Service-BD-OUT will have 2 x subnets in it. Site1-pbr-node-outside-subnet and Site2-pbr-node-outside-subnet.
Both these BDs will be stretched.
From the FW/PBR-node perspective, it will have static routes: a default route pointing to the outside subnet and the RFC 1918 ranges pointing to the inside subnet.
Deal?
04-21-2022 10:26 AM
Yes, Yes and Yes. ^_^
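The design agreed above (two stretched service BDs, each carrying one subnet per site, with a site-local PBR destination that must resolve inside that BD) can be sanity-checked before pushing it. The following is an added example, not code from the thread or from Cisco: it builds the site-local APIC-style JSON for the two BDs and the per-site PBR policies, then verifies that every redirect destination IP falls inside one of its BD's subnets and that the per-site subnets in a BD do not overlap. The object class names (fvTenant, fvBD, fvSubnet, vnsSvcRedirectPol, vnsRedirectDest) are from the APIC object model as I recall it and should be checked against your APIC's API reference; all tenant names, gateways, firewall IPs and MACs are constructed sample values.

```python
"""Added example (not from the thread): model two stretched service BDs with
one subnet per site plus site-local PBR destinations, and check that each
destination is reachable by a lookup inside its own BD.
Class names follow the APIC object model as recalled; verify before use."""
import ipaddress
import json


def service_bd(name, gateways):
    """fvBD with one fvSubnet per site gateway, e.g. '10.1.1.1/24'."""
    return {
        "fvBD": {
            "attributes": {"name": name, "unicastRoute": "yes"},
            "children": [
                {"fvSubnet": {"attributes": {"ip": gw, "scope": "private"}}}
                for gw in gateways
            ],
        }
    }


def pbr_policy(name, dest_ip, dest_mac):
    """vnsSvcRedirectPol with one vnsRedirectDest (the firewall interface)."""
    return {
        "vnsSvcRedirectPol": {
            "attributes": {"name": name},
            "children": [
                {"vnsRedirectDest": {"attributes": {"ip": dest_ip, "mac": dest_mac}}}
            ],
        }
    }


def bd_networks(bd):
    """Subnets configured under a BD payload, as ip_network objects."""
    return [
        ipaddress.ip_network(c["fvSubnet"]["attributes"]["ip"], strict=False)
        for c in bd["fvBD"]["children"]
    ]


def subnets_disjoint(bd):
    """True if no two subnets under the BD overlap (site1 vs site2 ranges)."""
    nets = bd_networks(bd)
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def dest_in_bd(bd, pbr):
    """True if every redirect destination IP lies in one of the BD's subnets.
    The PBR lookup happens in a single BD, so a destination outside it is a
    misconfiguration even though the BD is stretched."""
    nets = bd_networks(bd)
    for child in pbr["vnsSvcRedirectPol"]["children"]:
        ip = ipaddress.ip_address(child["vnsRedirectDest"]["attributes"]["ip"])
        if not any(ip in n for n in nets):
            return False
    return True


# Constructed sample addressing (assumptions, not from the thread):
# per-site BD gateway and per-site firewall interface IP/MAC.
SITES = {
    "site1": {"in_gw": "10.1.1.1/24", "out_gw": "10.1.2.1/24",
              "fw_in": ("10.1.1.10", "00:50:56:00:01:01"),
              "fw_out": ("10.1.2.10", "00:50:56:00:01:02")},
    "site2": {"in_gw": "10.2.1.1/24", "out_gw": "10.2.2.1/24",
              "fw_in": ("10.2.1.10", "00:50:56:00:02:01"),
              "fw_out": ("10.2.2.10", "00:50:56:00:02:02")},
}


def build_tenant(tenant, sites):
    """Tenant payload: two stretched BDs and one inside/outside PBR policy
    pair per site, validated against the BDs they must resolve in."""
    bd_in = service_bd("BD-service-in", [s["in_gw"] for s in sites.values()])
    bd_out = service_bd("BD-service-out", [s["out_gw"] for s in sites.values()])
    for bd in (bd_in, bd_out):
        if not subnets_disjoint(bd):
            raise ValueError(f"overlapping per-site subnets in {bd['fvBD']['attributes']['name']}")
    pbrs = []
    for site, cfg in sites.items():
        for side, bd in (("fw_in", bd_in), ("fw_out", bd_out)):
            pol = pbr_policy(f"{site}-{side}-pbr", *cfg[side])
            if not dest_in_bd(bd, pol):
                raise ValueError(f"{site} {side} destination is outside {bd['fvBD']['attributes']['name']}")
            pbrs.append(pol)
    return {"fvTenant": {"attributes": {"name": tenant},
                         "children": [bd_in, bd_out] + pbrs}}


if __name__ == "__main__":
    print(json.dumps(build_tenant("Prod", SITES), indent=2))
```

Running it prints the tenant payload; a firewall interface IP that is not within any subnet of its service BD, or two site subnets that overlap inside one BD, raises before anything is generated. In a real deployment the equivalent objects are pushed by NDO from the schema rather than posted to each APIC directly, so treat the JSON as a model of what ends up on the fabric, not as the NDO API format.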