Microsegmentation contract inheritance

neroshake (Level 1)

Hello Team,

I am trying to figure out microsegmenting our current network-centric deployment (see the picture below). Currently we have:
* Enterprise networks 10.0.0.0/16 which are connected to a Fortigate firewall (L3)
* This Fortigate firewall is an L3Out connection from the ACI fabric (the only exit point from the ACI fabric). All traffic from the enterprise network entering/exiting the ACI fabric is inspected here.
* Two EPGs within the ACI fabric, each with its own BD (EPG SRV_EPG and TRM_EPG)
* For traffic flow between the enterprise network and these EPGs we are using two separate contracts, each applied to the L3Out accordingly (see the picture). This allows all traffic entering these EPGs from the enterprise network and exiting there.
* For traffic flow between these two EPGs inside the fabric we utilize One-Arm PBR to Palo Alto, and this Service Graph is deployed in two instances: one for traffic from SRV_EPG to TRM_EPG and the other for traffic from TRM_EPG to SRV_EPG

So far everything works fine. I don't have any microsegments yet. Now, within each of these fabric EPGs, I want to create a few uSegs to limit communication between EPs within these Base EPGs, but change nothing in regards to traffic flow between these Main/Base EPGs via PBR and out via the L3Out.

My question is: if I create uSegs within each of the Base EPGs, will each uSeg inherit contracts from its Base EPG, so I don't need to create additional L3Out contracts and PBR Service Graph instances/contracts for each of these uSegs? And what are the best practices/recommendations in such a case?

Thank you!

Nero

[Image: aciuseg.png]

3 Replies

Robert Burns (Cisco Employee)

Nero,

When an endpoint gets re-classified from its parent base EPG into a uSeg EPG, the original contracts no longer apply. You have two options. Either apply the same contracts between uSeg EPGs and L3Outs, or configure contract inheritance on the uSeg EPG from the Base EPG. If you use contract inheritance, ALL the contracts from the base EPG get applied onto the uSeg EPG. If this is not ideal, just selectively apply the desired contracts to the uSeg EPGs individually.

Curious why are you using two separate uni-directional contracts rather than a single bi-directional?

Robert

Hi Robert,

Thanks for the answer!

1. Re contract inheritance: I wonder how it will inherit contracts with an L4-L7 Service Graph with PBR? Currently I am manually deploying a new service graph instance for each contract, manually mentioning source and destination EPGs. Will this be done automatically for each uSeg?

2. The logic behind using two separate unidirectional contracts (I assume you mean the L3_OUT_IN_CNT and L3_OUT_OUT_CNT contracts) is the following: if I use a single contract instead and have it both consumed and provided by both SRV_EPG and TRM_EPG, then I will end up with SRV_EPG and TRM_EPG freely talking to each other (both contracts are simply permit any any). In order to avoid that I am using these two separate contracts, and in this way I am allowing both SRV_EPG and TRM_EPG to freely talk just with the external Fortigate and not with each other. If there is any other way to achieve the same, I will be very thankful if you can share.

Thanks!

Nero

For the Service Graph, it's referenced by the Contract (Subject), so if you inherit it, all should be applied to the uSeg EPG. I haven't tested inheritance, so I'm speaking from how it should work in theory. Would need to test this, but should work fine.

For the Contracts, yes, there's an easier way for the L3Out contracts using a single BiDir contract.

SRV_EPG (consumer) <===> L3_out_Cnt  <===> (providers) L3Out_EPG

TRM_EPG (consumer) <===> L3_out_Cnt  <===> (providers) L3Out_EPG

Since both SRV_EPG & TRM_EPG are on the consumer end, they will not be able to communicate with each other, only with the L3Out_EPG. EPGs should never consume & provide the same contract. It's poor design.

Robert
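To make the two design points in this thread checkable (Robert's first reply: a uSeg EPG loses its base EPG's contracts unless it inherits them; and his second reply: two EPGs that only consume the same contract cannot reach each other, while EPGs that both consume and provide it can), here is an added Python model of how ACI derives permitted EPG pairs from consumer/provider relations. It is not APIC or Cisco code and was not taken from the thread; it encodes three rules as assumptions: a session may be opened from an EPG that consumes a contract to an EPG that provides it, a uSeg whose "contract master" is its base EPG takes every relation of that base, and a service graph hangs off the contract subject so it follows the contract wherever the contract is applied. EPG and contract names SRV_EPG, TRM_EPG, L3Out_EPG, L3_OUT_IN_CNT, L3_OUT_OUT_CNT and L3_out_Cnt come from the thread; the uSeg names SRV_DB and SRV_WEB, the PBR contract names and the graph names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Contract:
    name: str
    service_graph: Optional[str] = None   # PBR graph bound to the subject, if any
    consumers: Set[str] = field(default_factory=set)
    providers: Set[str] = field(default_factory=set)


@dataclass
class Fabric:
    """Toy model of ACI contract resolution (constructed, not APIC code)."""
    contracts: Dict[str, Contract] = field(default_factory=dict)
    masters: Dict[str, str] = field(default_factory=dict)   # uSeg EPG -> base EPG

    def contract(self, name: str, graph: Optional[str] = None) -> None:
        self.contracts[name] = Contract(name, graph)

    def consume(self, epg: str, name: str) -> None:
        self.contracts[name].consumers.add(epg)

    def provide(self, epg: str, name: str) -> None:
        self.contracts[name].providers.add(epg)

    def inherit(self, useg: str, base: str) -> None:
        # Models "EPG Contract Master": the uSeg takes every relation of its base.
        self.masters[useg] = base

    def relations(self, epg: str) -> Tuple[Set[str], Set[str]]:
        """Effective (consumed, provided) contract names, following masters."""
        consumed = {c.name for c in self.contracts.values() if epg in c.consumers}
        provided = {c.name for c in self.contracts.values() if epg in c.providers}
        if epg in self.masters:
            base_c, base_p = self.relations(self.masters[epg])
            consumed |= base_c
            provided |= base_p
        return consumed, provided

    def permits(self, src: str, dst: str) -> List[str]:
        """Contracts letting src open a session to dst: src consumes, dst provides."""
        return sorted(self.relations(src)[0] & self.relations(dst)[1])

    def redirected(self, src: str, dst: str) -> Optional[str]:
        """Graph applied to src->dst, or None when denied or when any permitting
        contract carries no graph (model assumption: a parallel plain-permit
        contract is counted as a firewall bypass)."""
        graphs = [self.contracts[n].service_graph for n in self.permits(src, dst)]
        return graphs[0] if graphs and all(graphs) else None


def build(layout: str) -> Fabric:
    """PBR contracts plus one of three L3Out contract layouts from the thread."""
    f = Fabric()
    f.contract("SRV_TO_TRM_PBR", "PaloAlto_OneArm_1")   # constructed names
    f.consume("SRV_EPG", "SRV_TO_TRM_PBR")
    f.provide("TRM_EPG", "SRV_TO_TRM_PBR")
    f.contract("TRM_TO_SRV_PBR", "PaloAlto_OneArm_2")
    f.consume("TRM_EPG", "TRM_TO_SRV_PBR")
    f.provide("SRV_EPG", "TRM_TO_SRV_PBR")
    if layout == "two_unidirectional":        # Nero's current design
        f.contract("L3_OUT_IN_CNT")
        f.contract("L3_OUT_OUT_CNT")
        f.consume("L3Out_EPG", "L3_OUT_IN_CNT")
        f.provide("L3Out_EPG", "L3_OUT_OUT_CNT")
        for epg in ("SRV_EPG", "TRM_EPG"):
            f.provide(epg, "L3_OUT_IN_CNT")
            f.consume(epg, "L3_OUT_OUT_CNT")
    elif layout == "shared_both_ways":        # the design Nero wanted to avoid
        f.contract("L3_out_Cnt")
        for epg in ("SRV_EPG", "TRM_EPG", "L3Out_EPG"):
            f.consume(epg, "L3_out_Cnt")
            f.provide(epg, "L3_out_Cnt")
    elif layout == "single_consumer_side":    # Robert's suggestion
        f.contract("L3_out_Cnt")
        f.consume("SRV_EPG", "L3_out_Cnt")
        f.consume("TRM_EPG", "L3_out_Cnt")
        f.provide("L3Out_EPG", "L3_out_Cnt")
    else:
        raise ValueError(layout)
    # SRV_DB is a uSeg with SRV_EPG as contract master; SRV_WEB is a uSeg without one.
    f.inherit("SRV_DB", "SRV_EPG")
    return f


def summarize(layout: str) -> Dict[str, object]:
    f = build(layout)
    return {
        "srv_to_trm_direct": bool(f.permits("SRV_EPG", "TRM_EPG"))
                             and f.redirected("SRV_EPG", "TRM_EPG") is None,
        "srv_to_l3out": bool(f.permits("SRV_EPG", "L3Out_EPG")),
        "l3out_to_srv": bool(f.permits("L3Out_EPG", "SRV_EPG")),
        "useg_to_l3out": bool(f.permits("SRV_DB", "L3Out_EPG")),
        "useg_to_trm_graph": f.redirected("SRV_DB", "TRM_EPG"),
        "orphan_useg_to_l3out": bool(f.permits("SRV_WEB", "L3Out_EPG")),
    }


if __name__ == "__main__":
    for layout in ("two_unidirectional", "shared_both_ways", "single_consumer_side"):
        print(layout, summarize(layout))
```

Running it shows the two-contract layout and the single consumer-side layout both keep SRV_EPG and TRM_EPG apart except through the PBR contracts, while the shared consume-and-provide layout opens a direct path that skips the Palo Alto graph. The inheriting uSeg SRV_DB keeps the L3Out reachability and the PBR redirect of its base, and the orphan uSeg SRV_WEB reaches nothing. One difference between the layouts worth checking on a real fabric: in the model, with the EPGs only on the consumer side, sessions initiated from the L3Out side are not permitted, so the original two-contract layout and the single-contract layout are not equivalent for enterprise-initiated traffic.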
