
05-07-2019 09:08 PM
Hi all,
We're currently working on a design for a migration from an NX-OS environment to ACI, and I have a question regarding what's best when doing the L2 connectivity to a DMZ block. We will have several DMZ servers going through the ACI fabric to a couple of switches connected to firewalls (the firewalls being the default gateway of the DMZ servers); I attached a diagram.
As I understand it, there are a couple of options for doing this. One is extending the EPG out of the ACI fabric, and the other is extending the bridge domain with an L2Out, each one with different considerations, the main one being that using an L2Out needs an external EPG and needs a contract, and also they do different things with Spanning-Tree.
http://binaryroute.net/my-2-cents-about-aci-l2out-its-basics-caveats-and-considerations/
So I was wondering... In DMZ scenarios is it best practice to use a L2Out and using contracts for security purposes, contrary to extending the EPG? Or is it more of a personal preference kind of thing.
I haven't found any documentation about this so I was wondering if anyone can enlighten me about this topic.
Labels: Cisco ACI
Accepted Solutions
05-07-2019 11:55 PM
Hello Eric,
As you want to transpose your existing DMZ concept onto ACI, the EPG extension across your servers and FWs is definitely the preferred one (following the BD config guidelines in case of an L2 BD).
L2Out can be useful when you want to segregate inside the BD, but then you need to manage different EPGs for the FW, manage an additional VLAN pool, apply contracts to allow servers to reach their gateway... It changes your legacy security concept and adds a lot of operational constraints.
Some details in that document:
Remi Astruc
