Bridge Domain for a L4-L7 device in ACI Multi-Site

Hi, I am deploying an ACI Multi-Site solution and one of the use cases is to connect a firewall in L4-7 service insertion mode. We will have 2 sites connected via an ISN and managed by the NDO/MSO. Each site is going to have its independent active/standby firewall HA pair configured in routed mode. The firewall will be in two-arm mode, so there will be an inside interface (BD-service-in) and an outside interface (BD-service-out).

 

Upon reading the Cisco ACI Multi-Site and Service Node Integration White Paper, it says that the service BD(s) must be stretched across sites. This means that the interfaces of the service nodes in different sites must be in the same service BD. Why is this required? Since we are going to have independent HA pairs in both DCs with different inside and outside subnets, I don't see a need to extend the service BDs.

Please advise if anyone has done firewall insertion in PBR mode in Multi-Site? 

Accepted Solution

Sergiu.Daniluk
VIP Alumni

Hi @SandevChopra07800 

The reason for the stretched service BDs is that you will configure only one service graph, and that one will be stretched. It's true, each site will have its own local PBR node, but the BD is the same for them. Also, the PBR policy (<tenant-name> > Policies > Protocol > L4-L7 Policy-Based Redirect) will perform the lookup into a single BD. Note that if different subnets are used for each service node, then you will simply configure two subnets under the service BD.

 

Hope it helps,

Sergiu

 


3 Replies


Thanks Sergiu,

So just to confirm:

Service-BD-IN will have 2 x subnets in it. Site1-pbr-node-inside-subnet and Site2-pbr-node-inside-subnet.

Service-BD-OUT will have 2 x subnets in it. Site1-pbr-node-outside-subnet and Site2-pbr-node-outside-subnet.  

 

Both these BDs will be stretched.

From the FW/PBR-node perspective, it will have static routes: a default route going to the outside subnet and the RFC 1918 ranges to the inside subnet.

Deal?

Yes, Yes and Yes. ^_^
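The design the thread converges on (two stretched service BDs, each carrying one subnet per site, a single PBR policy per leg whose per-site redirect destination must fall inside that one BD, and firewall static routes with the default via the outside gateway and RFC 1918 via the inside gateway) can be sanity-checked before it is pushed to NDO. The script below is an added example written for this thread; it is not code from the original posts, from Cisco, or from NDO/APIC. All IP addresses, the "site1"/"site2" labels, and the policy names "pbr-fw-inside"/"pbr-fw-outside" are constructed placeholders; only the BD names come from the thread.

```python
"""Consistency check for a stretched ACI Multi-Site service BD design.

Constructed example: encodes the model agreed in the thread and checks it
with the standard-library ipaddress module. Every address below is a
made-up placeholder, not a value from any real fabric.
"""
from ipaddress import ip_address, ip_interface, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stretched service BDs: one gateway subnet per site in each BD.
SERVICE_BDS = {
    "Service-BD-IN": {"stretched": True,
                      "subnets": {"site1": "10.10.1.254/24", "site2": "10.10.2.254/24"}},
    "Service-BD-OUT": {"stretched": True,
                       "subnets": {"site1": "10.20.1.254/24", "site2": "10.20.2.254/24"}},
}

# Constructed PBR policies: one per firewall leg, with one redirect
# destination (the local firewall interface IP) per site.
PBR_POLICIES = {
    "pbr-fw-inside": {"bd": "Service-BD-IN",
                      "destinations": {"site1": "10.10.1.1", "site2": "10.10.2.1"}},
    "pbr-fw-outside": {"bd": "Service-BD-OUT",
                       "destinations": {"site1": "10.20.1.1", "site2": "10.20.2.1"}},
}

# Constructed firewall static routes per site: (prefix, next-hop).
FW_ROUTES = {
    "site1": [("0.0.0.0/0", "10.20.1.254"), ("10.0.0.0/8", "10.10.1.254"),
              ("172.16.0.0/12", "10.10.1.254"), ("192.168.0.0/16", "10.10.1.254")],
    "site2": [("0.0.0.0/0", "10.20.2.254"), ("10.0.0.0/8", "10.10.2.254"),
              ("172.16.0.0/12", "10.10.2.254"), ("192.168.0.0/16", "10.10.2.254")],
}


def check_pbr_policy(name, policy, bds):
    """Return problems with one PBR policy against the BD it redirects into.

    The PBR lookup happens in a single BD, so that BD must be stretched and
    each site's redirect destination must sit in that site's subnet of it.
    """
    problems = []
    bd = bds.get(policy["bd"])
    if bd is None:
        return [f"{name}: BD {policy['bd']} does not exist"]
    if not bd["stretched"]:
        problems.append(f"{name}: BD {policy['bd']} must be stretched across sites")
    nets = {site: ip_interface(gw).network for site, gw in bd["subnets"].items()}
    for site, dest in policy["destinations"].items():
        addr = ip_address(dest)
        hit = [s for s, net in nets.items() if addr in net]
        if not hit:
            problems.append(f"{name}: {site} destination {dest} is in no subnet of {policy['bd']}")
        elif hit != [site]:
            problems.append(f"{name}: {site} destination {dest} lies in the {hit[0]} subnet of {policy['bd']}")
    return problems


def check_fw_routes(site, routes, bds):
    """Return problems with one site's firewall static routes.

    The default route must use the local Service-BD-OUT gateway and every
    RFC 1918 route must use the local Service-BD-IN gateway.
    """
    problems = []
    gw_in = ip_interface(bds["Service-BD-IN"]["subnets"][site]).ip
    gw_out = ip_interface(bds["Service-BD-OUT"]["subnets"][site]).ip
    for prefix, nexthop in routes:
        net, nh = ip_network(prefix), ip_address(nexthop)
        if net.prefixlen == 0:
            if nh != gw_out:
                problems.append(f"{site}: default route next-hop {nexthop} is not the outside gateway {gw_out}")
        elif any(net.subnet_of(r) for r in RFC1918):
            if nh != gw_in:
                problems.append(f"{site}: route {prefix} next-hop {nexthop} is not the inside gateway {gw_in}")
        else:
            problems.append(f"{site}: route {prefix} is neither the default nor an RFC 1918 range")
    return problems


def validate_design(bds=SERVICE_BDS, policies=PBR_POLICIES, fw_routes=FW_ROUTES):
    """Run every check and return the combined list of problems (empty = consistent)."""
    problems = []
    for name, policy in policies.items():
        problems += check_pbr_policy(name, policy, bds)
    for site, routes in fw_routes.items():
        problems += check_fw_routes(site, routes, bds)
    return problems


if __name__ == "__main__":
    for line in validate_design() or ["design is consistent with the stretched service BD model"]:
        print(line)
```

The check that catches the most common mistake is the per-site subnet test in check_pbr_policy: because the redirect lookup is done in one BD, a site's PBR destination that was typed with the other site's subnet still "belongs" to the BD and would pass a naive membership test, so the function insists the address lands in the subnet assigned to that same site.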
