Solved: Migration to ACI Real World Example

newmanf · ‎04-17-2019

Hello,

I am looking for advice regarding ACI implementation in brownfield environment. Existing data center is build around Nexus3k switches, and vPC based fabric. Most of server vlans at layer 3 are terminated of FortiGate firewall. There are around 100 vlans, about 50 vlans default gateway is on FortiGate, so Nexus3k switches process those vlans only on Layer 2. Other 50 vlans default gateway is on Nexus3k switches HSRP, which then routes them to network Core throughout same FortiGate. Goal of project is to migrate from Nexus3k hardware to new ACI. Workload are spread across vlans, and communication path beween workloads are chaotic. All security policies are already done on FortiGate firewall. And I dont want to touch them.

Considering current data center design and vlan/subnet termination on FortiGate, what will be optimal path to ACI migration ?

First i would start in Network Centric deployment, EPG=DB=Vlan/Subnet. I am considering leaving existing 50 vlan on FortiGate. Should I do integration with FortiGate and Service Graph there ? Or it will be just introduction complexity ?

Thanks in advance,

Newman

RedNectar · ‎04-20-2019

Hi Newman,

Let's start with your last questions first:

First i would start in Network Centric deployment, EPG=DB=Vlan/Subnet.

Good start - see below for my take on this.

I am considering leaving existing 50 vlan on FortiGate.

Good Plan.

Should I do integration with FortiGate and Service Graph there ?

No

Or it will be just introduction complexity ?

Yes

And finally your other question:

Considering current data center design and vlan/subnet termination on FortiGate, what will be optimal path to ACI migration ?

The simplest approach is pretty much as you describe. This is what I would suggest.

For the 50 VLANs using HSRP default gateway migrating to ACI, think about what policies you want. In particular, do you have any subnets that share EXACTLY the same policy in regards to communication with certain other subnets, and with the Firewall? (I'd presume that there would be unrestricted communication between these subnets and the firewall). If you can identify two or more subnets that share EXACTLY the same policy - you have just defined an End Point Group.

Create a Bridge Domain for this collection of subnets and assign as many default gateway IPs as you need to that BD. You may even be able to consolidate consecutive subnets if you wish to reduce the number of IPs you need to assign.
Create an EPG for this collection of subnets.
Map each VLAN encapsulation to the EPG. [The simplest way to do this is to look at the AAEP that lives in the Access Policy Chain that contains the physical ports where this traffic arrives, and add EPGs to the AAEP. See my recent answer to ACI Basic Config help]

Repeat until all 50 subnets have been assigned to a BD/EPG

[If it turns out that all (or nearly all) 50 VLANs have unrestricted communication you MAY wish to split your collection into say 5-10 BD/EPGs (or even 50 if you like the work) and use the Preferred Group member option for these EPGs - if you do, don't forget to enable the Preferred Group in the vzAny EPG (under the VRF)]

The 50 VLANs using the Firewall as a default gateway are slightly different to the Application EPGs because you will configure them as Layer 2 entities, which means the rules regarding broadcast propogation are the same as in a traditional Layer 2 environment. So:

Create a BD/EPG pair for each of these firwall terminated VLANs, but DO NOT assign any default Gatway IPs. This makes these EPGs Layer 2 DB/EPGs
- Note: By making these Layer 2 EPGs you will not see any IP information for the endpoints in these EPGs
Map each of the 50 VLANs to their appropriate EPG (via the AAEP is easiest)
- Make sure the trunk interface that connects to the firewall is included in the Access Policy Chain for this AAEP

That's the basic plan, but there is still one more problem - you need to provide communication between your ACI Layer 3 EPGs (the ones with IP addresses in ACI). To do that, the cleanest approach is to create a L3Out between ACI and the Firewall and configure routing (static routes or use your favourite routing protocol).

I hope this gives you enough of a skeleton to work from.

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

View solution in original post

RedNectar · ‎04-20-2019

Hi Newman,

Let's start with your last questions first:

First i would start in Network Centric deployment, EPG=DB=Vlan/Subnet.

Good start - see below for my take on this.

I am considering leaving existing 50 vlan on FortiGate.

Good Plan.

Should I do integration with FortiGate and Service Graph there ?

No

Or it will be just introduction complexity ?

Yes

And finally your other question:

Considering current data center design and vlan/subnet termination on FortiGate, what will be optimal path to ACI migration ?

The simplest approach is pretty much as you describe. This is what I would suggest.

For the 50 VLANs using HSRP default gateway migrating to ACI, think about what policies you want. In particular, do you have any subnets that share EXACTLY the same policy in regards to communication with certain other subnets, and with the Firewall? (I'd presume that there would be unrestricted communication between these subnets and the firewall). If you can identify two or more subnets that share EXACTLY the same policy - you have just defined an End Point Group.

Create a Bridge Domain for this collection of subnets and assign as many default gateway IPs as you need to that BD. You may even be able to consolidate consecutive subnets if you wish to reduce the number of IPs you need to assign.
Create an EPG for this collection of subnets.
Map each VLAN encapsulation to the EPG. [The simplest way to do this is to look at the AAEP that lives in the Access Policy Chain that contains the physical ports where this traffic arrives, and add EPGs to the AAEP. See my recent answer to ACI Basic Config help]

Repeat until all 50 subnets have been assigned to a BD/EPG

[If it turns out that all (or nearly all) 50 VLANs have unrestricted communication you MAY wish to split your collection into say 5-10 BD/EPGs (or even 50 if you like the work) and use the Preferred Group member option for these EPGs - if you do, don't forget to enable the Preferred Group in the vzAny EPG (under the VRF)]

The 50 VLANs using the Firewall as a default gateway are slightly different to the Application EPGs because you will configure them as Layer 2 entities, which means the rules regarding broadcast propogation are the same as in a traditional Layer 2 environment. So:

Create a BD/EPG pair for each of these firwall terminated VLANs, but DO NOT assign any default Gatway IPs. This makes these EPGs Layer 2 DB/EPGs
- Note: By making these Layer 2 EPGs you will not see any IP information for the endpoints in these EPGs
Map each of the 50 VLANs to their appropriate EPG (via the AAEP is easiest)
- Make sure the trunk interface that connects to the firewall is included in the Access Policy Chain for this AAEP

That's the basic plan, but there is still one more problem - you need to provide communication between your ACI Layer 3 EPGs (the ones with IP addresses in ACI). To do that, the cleanest approach is to create a L3Out between ACI and the Firewall and configure routing (static routes or use your favourite routing protocol).

I hope this gives you enough of a skeleton to work from.

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.