Re: L4-L7 Service graph insertion

IslamOmar · ‎11-24-2019

Hello All ,

I have a setup where two Firewalls will be installed within the fabric as a cluster . Service graph with unmanaged mode will be used .

The N-S will have service graph and E-W will have service graph as planned to be implemented , is this doable or not .

considering that these FW's will be connected to services leafs and broder leafs will have anohter L3-Out connection outside the fabric .

micgarc2 · ‎11-24-2019

Yes this will work fine.

6askorobogatov · ‎11-25-2019

In general, you can create your L4-L7 device (with 2 devices as a cluster with 2 interfaces or one-arm ) and use it as a L4-L7 service graph in multiple subjects in multiple contacts, assuming you have contracts/subjects between you E-W EPGs and EPGs and Net-EPG in L3OUT for Internet access. However you need to be careful how you using contact subjects and FW rules. If you are limiting your source/destination protocol/ports in contract and using FW for inspection only, you are OK. If you allow wide range of ports (or IP) in contact and using ACL in FW, it will be more complex.

ralphcarter · ‎11-28-2019

I have deployed this exact configuration here:

https://youtu.be/ryNmeVFYpF0

CCIE 26175
www.techsnips.com