04-10-2019 09:02 AM
Hi,
Let's say we have an ASAv inserted on a Service Graph in routed mode, currently allowing HTTP between two EPGs, App and Web.
What changes do I have to apply to add another protocol (HTTPS) between the two EPGs? Do I have to modify the existing contract and add an ACL to the ASA?
Leo
04-10-2019 01:34 PM
Hi Leo,
Basically, the answer to your question is Yes.
But you may have to think about your contracts design.
It seems that you perform the protocol security control in the ACI contract and in the FW. Unless you have a very strict governance reason to do it, that leads to operational headache, error-prone changes, and scalability limitations.
You'd better allow all IP traffic in your contract filter and manage protocol security in the FW.
If you need a flow not to be FWed, you can always add a more specific contract without Service Graph.
Remi Astruc
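The design Remi recommends, shown as an added configuration example that is not part of the original thread: the ACI contract filter between App and Web is widened to all IP traffic so the Service Graph steers every App-to-Web flow through the ASAv, and the per-protocol decision lives in a single ASA access list. The object-group names, ACL name, interface name and subnets below are assumed for illustration.

```cisco
! --- Before: protocol control duplicated in two places ---
! ACI contract filter: tcp dst port 80 only (set in APIC, not shown here)
! ASA ACL: also HTTP only, so adding HTTPS means a change in BOTH systems
access-list APP_TO_WEB extended permit tcp object-group APP_SERVERS object-group WEB_SERVERS eq www

! --- After: contract filter allows all IP (etherT ip, no L4 ports), ASA enforces protocols ---
! constructed sample subnets for the two EPGs
object-group network APP_SERVERS
 network-object 10.1.10.0 255.255.255.0
object-group network WEB_SERVERS
 network-object 10.1.20.0 255.255.255.0
! the allowed protocol set lives in one service object-group
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
! one ACL line covers HTTP and HTTPS; a new protocol is one extra port-object
access-list APP_TO_WEB extended permit tcp object-group APP_SERVERS object-group WEB_SERVERS object-group WEB_PORTS
! explicit deny with logging so rejected App-to-Web attempts are visible in syslog
access-list APP_TO_WEB extended deny ip any any log
access-group APP_TO_WEB in interface inside
```

With this split, answering the original question only requires the `port-object eq https` line on the ASA; the contract itself is untouched. A flow that should bypass the firewall, as the answer notes, gets its own more specific contract without the Service Graph rather than another hole in the FW policy.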