Can we deploy Cisco ACI for a DMZ zone?

boonsue_pat
Level 1

As we know, Cisco ACI is normally deployed in a data center environment. So can we deploy Cisco ACI for a DMZ zone, for external users to access the servers in the DMZ zone? Are there any limitations if we deploy it in a DMZ zone?

4 Replies

Robert Burns
Cisco Employee

What you can do is create a separate ACI Tenant for your DMZ resources. All resources within the DMZ tenant would be contained within their own VRF and bridge domain so as to keep them isolated from other endpoints, unless you permit access using contracts. The DMZ tenant could even deploy its own dedicated L3-Out for external users. It really depends on your design requirements. ACI is intended for application access, and not really as an edge security device. I would consult your local Cisco SE to review the best design options for your requirements.

Regards,

Robert
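The tenant design described in the reply above (a DMZ tenant with its own VRF and bridge domain, endpoints isolated by default, access only where a contract permits it, and a dedicated L3-Out for external users), as an added example that is not part of the original thread: the Python below builds the APIC JSON for such a tenant and then evaluates which flows the fabric would permit from that policy. All object names (tenant "dmz", the VRFs "vrf-dmz" and "vrf-int", the EPGs, the contracts "web-https" and "web-db", the L3Out "inet-out") are assumptions made for the illustration; the class and attribute names (fvTenant, fvCtx, fvBD, fvAEPg, vzBrCP, vzFilter, l3extOut, l3extInstP and their relations) are the APIC object model. The evaluator models connection initiation from consumer to provider only; ACI's return-traffic handling, route leaking between VRFs and intra-EPG isolation are outside its scope.

```python
# Added example, not from the post.  All names (tenant "dmz", VRFs, BDs, EPGs,
# contracts, L3Out "inet-out") are assumptions made for the illustration.
PORT_NAMES = {"http": 80, "https": 443, "unspecified": None}

def mo(cls, children=None, **attrs):
    """One managed object in the JSON shape the APIC REST API accepts."""
    node = {cls: {"attributes": {k: str(v) for k, v in attrs.items()}}}
    if children:
        node[cls]["children"] = children
    return node

def tcp_filter(name, port):
    """vzFilter with one TCP entry for a single destination port."""
    return mo("vzFilter", name=name, children=[mo(
        "vzEntry", name=f"tcp-{port}", etherT="ip", prot="tcp", dFromPort=port, dToPort=port)])

def contract(name, filt):
    """VRF-scoped contract whose single subject attaches one filter."""
    return mo("vzBrCP", name=name, scope="context", children=[mo(
        "vzSubj", name=filt, children=[mo("vzRsSubjFiltAtt", tnVzFilterName=filt)])])

def epg(name, bd, provides=(), consumes=()):
    """Application EPG in a bridge domain; the contracts it provides/consumes are its whitelist."""
    kids = [mo("fvRsBd", tnFvBDName=bd)]
    kids += [mo("fvRsProv", tnVzBrCPName=c) for c in provides]
    kids += [mo("fvRsCons", tnVzBrCPName=c) for c in consumes]
    return mo("fvAEPg", name=name, children=kids)

def dmz_tenant_payload():
    """Tenant with a dedicated DMZ VRF/BD (web + DB EPGs), a separate internal VRF, and an
    L3Out whose external EPG (any source) may reach only the web EPG, only on TCP/443."""
    return mo("fvTenant", name="dmz", children=[
        mo("fvCtx", name="vrf-dmz"), mo("fvCtx", name="vrf-int"),
        mo("fvBD", name="bd-dmz", children=[mo("fvRsCtx", tnFvCtxName="vrf-dmz")]),
        mo("fvBD", name="bd-int", children=[mo("fvRsCtx", tnFvCtxName="vrf-int")]),
        tcp_filter("https-only", "https"), contract("web-https", "https-only"),
        tcp_filter("mysql-only", 3306), contract("web-db", "mysql-only"),
        mo("fvAp", name="dmz-app", children=[
            epg("epg-web", "bd-dmz", provides=["web-https"], consumes=["web-db"]),
            epg("epg-db", "bd-dmz", provides=["web-db"]),
            epg("epg-internal", "bd-int")]),                 # no contracts at all
        mo("l3extOut", name="inet-out", children=[
            mo("l3extRsEctx", tnFvCtxName="vrf-dmz"),
            mo("l3extInstP", name="ext-internet", children=[
                mo("l3extSubnet", ip="0.0.0.0/0"),
                mo("fvRsCons", tnVzBrCPName="web-https")])])])

def walk(node, cls):
    """Yield (attributes, children) of every object of class cls under node."""
    for k, v in node.items():
        if k == cls:
            yield v["attributes"], v.get("children", [])
        for child in v.get("children", []):
            yield from walk(child, cls)

def _rels(children):
    prov = {r["tnVzBrCPName"] for c in children for r, _ in walk(c, "fvRsProv")}
    cons = {r["tnVzBrCPName"] for c in children for r, _ in walk(c, "fvRsCons")}
    return prov, cons

def index_policy(tenant):
    """Flatten the tree: EPG -> (vrf, provided, consumed); contract -> filter entries."""
    bd_vrf = {a["name"]: r["tnFvCtxName"] for a, ch in walk(tenant, "fvBD")
              for c in ch for r, _ in walk(c, "fvRsCtx")}
    entries = {a["name"]: [(e["prot"], e["dFromPort"], e["dToPort"]) for c in ch
                           for e, _ in walk(c, "vzEntry")] for a, ch in walk(tenant, "vzFilter")}
    contracts = {a["name"]: [x for c in ch for r, _ in walk(c, "vzRsSubjFiltAtt")
                             for x in entries[r["tnVzFilterName"]]] for a, ch in walk(tenant, "vzBrCP")}
    epgs = {}
    for a, ch in walk(tenant, "fvAEPg"):
        bd = next(r["tnFvBDName"] for c in ch for r, _ in walk(c, "fvRsBd"))
        epgs[a["name"]] = (bd_vrf[bd], *_rels(ch))
    for a, ch in walk(tenant, "l3extOut"):               # external EPGs take the L3Out's VRF
        vrf = next(r["tnFvCtxName"] for c in ch for r, _ in walk(c, "l3extRsEctx"))
        for c in ch:
            for ia, ich in walk(c, "l3extInstP"):
                epgs[ia["name"]] = (vrf, *_rels(ich))
    return epgs, contracts

def port_num(p):
    return PORT_NAMES[p] if p in PORT_NAMES else int(p)

def permitted(tenant, src, dst, proto, port):
    """Can an endpoint in EPG src initiate proto/port to one in EPG dst?  Whitelist
    semantics: a different VRF (no route leaking) or no consumed/provided contract
    with a matching filter entry means the fabric drops the flow."""
    epgs, contracts = index_policy(tenant)
    if src not in epgs or dst not in epgs:
        return False
    (svrf, _, consumed), (dvrf, provided, _) = epgs[src], epgs[dst]
    if svrf != dvrf:
        return False
    if src == dst:                                       # intra-EPG traffic is open by default
        return True
    for name in consumed & provided:                     # consumer initiates to provider
        for prot, lo, hi in contracts[name]:
            lo, hi = port_num(lo), port_num(hi)
            if prot in (proto, "unspecified") and (lo is None or lo <= port <= hi):
                return True
    return False
```

Serialised with json.dumps, the value returned by dmz_tenant_payload() is the body you would POST to /api/mo/uni.json on an APIC. The flows worth checking against it: ext-internet to epg-web on TCP/443 is permitted; the same source to epg-db is denied because no contract joins them; epg-web to epg-internal is denied because they sit in different VRFs; and epg-web cannot initiate anything toward ext-internet because the external EPG provides no contract, which is the property you want from a DMZ tenant: servers reach out only where a contract says so.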

Hi Robert,


    Thank you for your suggestion. I would like you to help more with the design, because the existing diagram is very complex and I have to consult with my customer about the possibility of implementing it in the existing environment.
As you can see in the attached file:
     1. There are many zones:
         (10 for DMZ zone; Externet zone; WiFi zone; Internal User zone; Training Center zone; Internet zone; Branch zone; and Network management zone)
         Question: So which zones can be put in the ACI architecture, and how can I design for this situation?
    2. Question: Can the server in the ACI architecture be a physical server, or must it be in a virtualization environment?
    3. Question: Which server types are suitable for implementing the ACI architecture, such as web server, database server, application server, file transfer server, etc.?

Would you kindly assist?

1. The primary goal of ACI is not to replace all firewalls, but rather to help enforce policy and application control. It can do so by leveraging multi-tenancy in cases where separate groups might manage different sets of resources or customers. I wouldn't try to rip and replace everything you have in your design with ACI. Remember, the goal of ACI is to control and manage application access. There is still a need for regular firewalls to provide deep packet inspection, VPN services and load balancing features. ACI can manage some of these aspects, but it's not a replace-all solution for the data center. Again, without knowing your network and application requirements in detail, I can't recommend what is suitable for ACI to provide. ACI is not a solution you want to drop into your data center without having a firm understanding of your requirements and ACI's capabilities, hence why I strongly suggest enlisting your local account team for a proper design discussion.

2. ACI can manage application policies across both physical and virtual endpoints (VMware, Hyper-V, OpenStack, etc.).

3. Any "server type" or server function can be suitable for ACI.

I suggest reviewing the ACI Fundamentals Guide to get a base understanding of ACI use cases. Once you fully understand ACI as a solution, you'll be able to determine the best application for it in your environment.

Robert

Hi Robert Burns,

    Thank you for your suggestion.

  From your answer: "The primary goal of ACI is not to replace all firewalls. There is still the need for regular firewalls to provide deep packet inspection, VPN services and load balancing features."

  1. Question: In the ACI architecture, do the firewall, VPN and load balancing services have to connect directly to a leaf?

  2. Is the ACI architecture only suitable for the data center zone, or can I use it in another zone like the DMZ zone?

Best Regards,

Supattra S,
