01-28-2020 04:37 PM
I have a Check Point firewall connected to Cisco ACI fabric border leafs using a vPC. My objective is to enforce inter-EPG traffic to go through the firewall. Is it okay to create subinterfaces on the firewall side, and multiple L3Outs with a dedicated VRF assigned to specific subinterfaces "at the firewall side" to enforce the traffic to go through the firewall? Is that a practical solution? Are there any solutions without the need to have an L4-L7 service graph?
01-29-2020 02:09 AM - edited 01-29-2020 02:11 AM
Hi @mohamedelsherif ,
The solution you describe is not really what we call "Inter-EPG" but more "Inter-VRF" instead. It forces you to split the workloads into different VRFs when you want to FW them. That is very restrictive and not scalable.
You should instead connect the FW into a BD and leverage the Service Graph PBR feature, allowing traffic redirection no matter where the EPGs are in the VRF (from a networking perspective). It is way easier and more flexible.
02-02-2020 07:41 AM - edited 02-02-2020 07:41 AM
Adding to Remi's opinion, I also find that it's much more convenient (for implementation and operation) to use either:
- PBR, so that you can control inter-EPG traffic at will (either redirected or not, either bypass or drop at ACI when the PBR node is down)
- EPG static port to the firewall (the network-centric method, 1 EPG = 1 BD = 1 VLAN/subnet). On the Check Point side, you can configure interfaces/sub-interfaces for each subnet.
The use of many L3Outs to connect to the firewall (called VRF sandwich) is too much of a hassle compared to EPG static port, while not providing the flexibility you have with PBR.
Also, a point worth mentioning: if you're connecting to a Check Point Active/Standby cluster, make sure to implement Virtual MAC on that side so you can configure the PBR policy correctly.
02-03-2020 09:55 PM
I did some initial testing, and it seems that it's a robust and excellent solution. Thank you so much, Remi.