08-19-2016 03:07 PM - edited 03-01-2019 05:01 AM
Hi, is it possible to put a layer 2 device such as a transparent FW in between 2 EPGs? I am trying it but unable to get it to work. It could be my VM that is acting as L2-FW however.
webvm----webepg----eth0[FW]eth1----appepg----appvm
My ARP packets from webvm never get to the appvm.
Is this possible? Has anyone done this? I set all the BD options to Flood where possible.
Thanks,
Bryan
08-22-2016 12:52 AM
Hi Bryan,
I doubt my ability to help but out of curiosity: How are you trying to achieve that right now?
Correct me if I'm wrong, but I understand that you have two EPGs, webepg and appepg. You have a VM with its vNIC attached to the webepg port-group and a VM with its vNIC attached to the appepg port-group. Now you also have a FW-VM which has interfaces in both port-groups and that is configured to transparently bridge between those two interfaces.
So far, so good. Now wouldn't you need a contract between webepg and appepg, and if so, wouldn't that automatically lead to all allowed traffic going back and forth directly without ever hitting the FW-VM?
I don't understand how you force traffic to go through the FW. If I get that obstacle out of the way I could try to recreate your setup in our lab and maybe figure something out.
Regards,
Nik
08-22-2016 09:05 AM
Hi Nik,
It should work without contracts because the traffic is stitched between the two EPGs by the firewall, not directly by the fabric. The web-vm will ARP for the app-vm MAC address. The ARP will hit the FW, get bridged to the app-epg and hit the app-vm. The app-vm response will hit the app-epg interface of the FW and get bridged back to the web-epg where the web-vm will hear it. Then unicast flow can continue (I think).
-Bryan
08-23-2016 11:32 AM
The ACI configuration would depend upon your network design.
1. Are the WebVM (EPG) and AppVM (EPG) in the same subnet?
2. Is there a bridge between FW Eth0 and Eth1?
If the answer is yes to both of these questions, then you would need to configure 2 bridge domains: 1 for inside and 1 for outside.
BD-1 configuration:
Unicast routing = disabled
Unknown unicast = flood
BD-2 configuration:
Unicast routing = disabled
Unknown unicast = flood
BD-1 (inside) should contain WebVM and FW-Eth0
BD-2 (outside) should contain AppVM and FW-Eth1
If you were to place everything into the same BD, then you would see MAC flap issues. ACI would learn WebVM MAC between the WebVM and FW-Eth1. Same goes for AppVM MAC being learned on AppVM and FW-Eth0.
Splitting the inside and outside into 2 BDs would create separate L2 domains (MAC address tables). ACI will still learn the WebVM MAC address on WebVM and FW-Eth1, but in two different MAC tables. Same applies to the AppVM MAC.
I would advise looking into the Service Graph Design White Paper. Although you're probably not integrating service graphs, this guide still contains useful information about L2/L3 configurations for inserting firewalls.
Service Graph Design with Cisco Application Centric Infrastructure White Paper
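The MAC-flap argument in the answer above, worked through as an added example (not code from the thread or from Cisco). It replays the ARP exchange Bryan describes through a per-bridge-domain MAC table, once with all four ports in one BD and once with the inside/outside split the answer recommends, and builds the APIC JSON body for each BD with the two settings listed above. Port names, MAC addresses, the frame sequence and the VRF name are constructed for the example; `fvBD`, `fvRsCtx`, `unicastRoute`, `unkMacUcastAct` and `tnFvCtxName` are real APIC object and attribute names.

```python
"""Per-bridge-domain MAC learning around a transparent (bump-in-the-wire) firewall.

Added example, not from the thread. Port names, MACs and the frame sequence are
constructed to mirror: webvm----webepg----eth0[FW]eth1----appepg----appvm
"""
import json

# Constructed MACs (documentation range), not real hosts.
WEB_MAC = "00:00:5e:00:53:01"
APP_MAC = "00:00:5e:00:53:02"

# (ingress port as seen by the fabric, source MAC). A transparent firewall
# keeps the original source MAC, so the fabric sees WEB_MAC arriving from the
# WebVM's port and again from the FW's Eth1 after the FW bridges the frame.
ARP_EXCHANGE = [
    ("WebVM-port", WEB_MAC),   # WebVM sends an ARP request for AppVM
    ("FW-Eth1", WEB_MAC),      # FW bridges the request out of Eth1
    ("AppVM-port", APP_MAC),   # AppVM answers
    ("FW-Eth0", APP_MAC),      # FW bridges the reply back out of Eth0
]

# Two layouts: everything in one BD versus inside/outside split across two BDs.
SINGLE_BD = {"WebVM-port": "BD-1", "FW-Eth0": "BD-1",
             "FW-Eth1": "BD-1", "AppVM-port": "BD-1"}
TWO_BDS = {"WebVM-port": "BD-1", "FW-Eth0": "BD-1",
           "FW-Eth1": "BD-2", "AppVM-port": "BD-2"}


def learn_macs(port_to_bd, frames):
    """Replay frames through a per-BD MAC table and return (table, flaps).

    table: {(bd, mac): port}. flaps: list of (bd, mac, old_port, new_port),
    one entry every time a MAC already known in a BD shows up on another port.
    """
    table = {}
    flaps = []
    for port, mac in frames:
        key = (port_to_bd[port], mac)
        previous = table.get(key)
        if previous is not None and previous != port:
            flaps.append((key[0], mac, previous, port))
        table[key] = port
    return table, flaps


def bridge_domain_config(name, vrf):
    """APIC JSON body for one BD with the settings recommended in the thread:
    unicast routing disabled and unknown unicast flooded. vrf is a constructed
    VRF name attached via the fvRsCtx relation."""
    return {
        "fvBD": {
            "attributes": {
                "name": name,
                "unicastRoute": "no",
                "unkMacUcastAct": "flood",
            },
            "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}],
        }
    }


if __name__ == "__main__":
    for label, layout in (("single BD", SINGLE_BD), ("two BDs", TWO_BDS)):
        _, flaps = learn_macs(layout, ARP_EXCHANGE)
        print(f"{label}: {len(flaps)} MAC flap(s)")
        for bd, mac, old, new in flaps:
            print(f"  {bd}: {mac} moved {old} -> {new}")
    bodies = [bridge_domain_config("BD-1", "prod-vrf"),
              bridge_domain_config("BD-2", "prod-vrf")]
    print(json.dumps(bodies, indent=2))
```

With one BD the replay reports two flaps (WebVM's MAC between WebVM-port and FW-Eth1, AppVM's MAC between AppVM-port and FW-Eth0); with the inside/outside split each MAC is learned once per BD and nothing moves, which is the behaviour the answer describes.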