Need L4-L7 with ADC

dnoc43
Level 1

Hello All, I'm just curious if there's a way to optimize traffic in the below diagram using service graphs. The design does not use service graphs and uses source NAT translation in the ADC so all traffic returns to the ADC. If we create a chained service graph (FW --> ADC), is that not just creating exactly what is below but using PBR to send traffic through the firewall? Are there any benefits?

[Attached image: aci_adc.PNG]

1 Reply

Tarakesh Jetti
Cisco Employee

Hi,


Using the service graph, Cisco ACI can redirect traffic between security zones to a firewall or a load balancer, without the need for the firewall or the load balancer to be the default gateway for the servers. 


Cisco ACI can selectively send traffic to L4-L7 devices based, for instance, on the protocol and the Layer 4 port. Firewall inspection can be transparently inserted in a Layer 2 domain with almost no modification to existing routing and switching configurations. 


Cisco ACI also allows you to increase the capacity of L4-L7 devices by creating a pool of devices to which Cisco ACI can distribute traffic.


You can deploy firewalls and load balancers with Cisco ACI with or without a service graph. To decide whether or not you should use the service graph technology, you need to understand the problem the service graph solves.

The service graph concept is considered an extension to the concept of a contract, so, by default, it operates in the mode of a consumer and provider interface. This model is ideal for inserting firewalls or, more generally, L4-L7 devices between two security zones.


Note: If you need to use a service graph for a firewall with multiple network edges (or DMZs), you will need to reuse the service graph multiple times between each pair of interfaces (or between each security zone and vzAny).


A service graph offers several advantages. Two of the biggest advantages are the capability to redirect traffic and the capability to automate the VLAN allocation between the L4-L7 device (when using virtual appliances) and the fabric.


A service graph offers the following advantages. It:

●      Automatically manages VLAN assignments for virtual appliances

●      Automatically connects virtual network interface cards (vNICs)

●      Provides a more logical, and an application-related, view of services

●      Can be configured with a redirect option, which simplifies the network design


Service graph redirect offers many advantages. It does the following:

●      Eliminates the need to make firewalls or load balancers the default gateway

●      Avoids the need for more complex types of designs, such as a virtual routing and forwarding (VRF) instance–L4-L7-device–VRF design

●      Avoids the need to split Layer 2 domains (bridge domains) to insert, for instance, a firewall in the traffic path

●      Allows you to redirect a subset of the traffic based on the protocol and port

●      Allows you to filter traffic between security zones in the same Layer 2 domain (bridge domain)

●      Allows you to scale the performance of the L4-L7 device by distributing traffic to multiple devices

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco ACI through our live Ask the Experts (ATXs) session. Check out the ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

Thanks and regards,

Tarakesh Jetti  - Customer Success Specialist - CX Team.
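What the reply describes in words is the redirect (PBR) variant of a service graph: the firewall sits on its own bridge domain, is not anyone's default gateway, and only the traffic matched by a contract subject is redirected to it. The script below is an added example, not code from the thread or from Cisco; it builds the APIC tenant payload for that design with the standard library and validates the redirect destination before it would be posted. Tenant, device, bridge-domain, VLAN, interface-path, IP and MAC values are placeholders, and the class and DN names follow the ACI object model as I know it (an assumption to verify against your APIC release before posting). It redirects only TCP/443 so the rest of the contract's traffic stays in the fabric, which is the "subset of the traffic based on the protocol and port" point from the answer.

```python
"""Build an APIC tenant payload for a one-arm firewall inserted with service
graph PBR (redirect).  Constructed example; all names/addresses are placeholders."""
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def validate_dest(ip: str, mac: str) -> None:
    """A PBR destination needs the firewall data interface's IP *and* MAC:
    the leaf rewrites the destination MAC, it does not route to the IP."""
    ipaddress.ip_address(ip)  # raises ValueError on garbage
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac}")


def build_tenant(tenant: str, fw: str, fw_ip: str, fw_mac: str, fw_bd: str,
                 contract: str, port: int) -> ET.Element:
    """Return the fvTenant subtree that would be POSTed to /api/mo/uni.xml."""
    validate_dest(fw_ip, fw_mac)
    graph = f"{fw}-graph"
    tn = ET.Element("fvTenant", name=tenant)

    # 1. Unmanaged logical device, one interface used for both directions.
    ldev = ET.SubElement(tn, "vnsLDevVip", name=fw, devtype="PHYSICAL",
                         svcType="FW", managed="no")
    cdev = ET.SubElement(ldev, "vnsCDev", name=f"{fw}-1")
    cif = ET.SubElement(cdev, "vnsCIf", name="eth1")
    ET.SubElement(cif, "vnsRsCIfPathAtt",
                  tDn="topology/pod-1/paths-101/pathep-[eth1/10]")  # placeholder
    lif = ET.SubElement(ldev, "vnsLIf", name="one-arm", encap="vlan-110")
    ET.SubElement(lif, "vnsRsCIfAttN",
                  tDn=f"uni/tn-{tenant}/lDevVip-{fw}/cDev-{fw}-1/cIf-[eth1]")

    # 2. Redirect policy: the next hop PBR rewrites matching packets toward.
    svc = ET.SubElement(tn, "vnsSvcCont")
    pol = ET.SubElement(svc, "vnsSvcRedirectPol", name=f"{fw}-pbr")
    ET.SubElement(pol, "vnsRedirectDest", ip=fw_ip, mac=fw_mac)

    # 3. Graph template: a single GoTo node in Redirect routing mode.
    g = ET.SubElement(tn, "vnsAbsGraph", name=graph)
    ET.SubElement(ET.SubElement(g, "vnsAbsTermNodeCon", name="T1"),
                  "vnsAbsTermConn", name="1")
    ET.SubElement(ET.SubElement(g, "vnsAbsTermNodeProv", name="T2"),
                  "vnsAbsTermConn", name="1")
    node = ET.SubElement(g, "vnsAbsNode", name="N1", funcType="GoTo",
                         routingMode="Redirect")
    for side in ("consumer", "provider"):
        ET.SubElement(node, "vnsAbsFuncConn", name=side)
    ET.SubElement(node, "vnsRsNodeToLDev", tDn=f"uni/tn-{tenant}/lDevVip-{fw}")
    base = f"uni/tn-{tenant}/AbsGraph-{graph}"
    for cname, term, side in (("C1", "AbsTermNodeCon-T1", "consumer"),
                              ("C2", "AbsTermNodeProv-T2", "provider")):
        conn = ET.SubElement(g, "vnsAbsConnection", name=cname)
        ET.SubElement(conn, "vnsRsAbsConnectionConns", tDn=f"{base}/{term}/AbsTConn")
        ET.SubElement(conn, "vnsRsAbsConnectionConns",
                      tDn=f"{base}/AbsNode-N1/AbsFConn-{side}")

    # 4. Device selection policy: ties both connectors to the FW BD and the PBR policy.
    ctx = ET.SubElement(tn, "vnsLDevCtx", ctrctNameOrLbl=contract,
                        graphNameOrLbl=graph, nodeNameOrLbl="N1")
    ET.SubElement(ctx, "vnsRsLDevCtxToLDev", tDn=f"uni/tn-{tenant}/lDevVip-{fw}")
    for side in ("consumer", "provider"):
        lctx = ET.SubElement(ctx, "vnsLIfCtx", connNameOrLbl=side)
        ET.SubElement(lctx, "vnsRsLIfCtxToBD", tDn=f"uni/tn-{tenant}/BD-{fw_bd}")
        ET.SubElement(lctx, "vnsRsLIfCtxToLIf",
                      tDn=f"uni/tn-{tenant}/lDevVip-{fw}/lIf-one-arm")
        ET.SubElement(lctx, "vnsRsLIfCtxToSvcRedirectPol",
                      tDn=f"uni/tn-{tenant}/svcCont/svcRedirectPol-{fw}-pbr")

    # 5. Filter + contract: only this subject carries the graph, so only
    #    TCP/<port> is redirected; other subjects would bypass the firewall.
    flt = ET.SubElement(tn, "vzFilter", name=f"tcp-{port}")
    ET.SubElement(flt, "vzEntry", name=f"tcp-{port}", etherT="ip", prot="tcp",
                  dFromPort=str(port), dToPort=str(port))
    subj = ET.SubElement(ET.SubElement(tn, "vzBrCP", name=contract),
                         "vzSubj", name="redirected")
    ET.SubElement(subj, "vzRsSubjFiltAtt", tnVzFilterName=f"tcp-{port}")
    ET.SubElement(subj, "vzRsSubjGraphAtt", tnVnsAbsGraphName=graph)
    return tn


def redirect_targets(tn: ET.Element) -> list:
    """(ip, mac) pairs PBR will rewrite toward; check these against the FW."""
    return [(d.get("ip"), d.get("mac")) for d in tn.iter("vnsRedirectDest")]


def graph_for_contract(tn: ET.Element, contract: str):
    """Name of the graph attached to the contract's subject, or None."""
    for c in tn.iter("vzBrCP"):
        if c.get("name") == contract:
            att = c.find("vzSubj/vzRsSubjGraphAtt")
            return att.get("tnVnsAbsGraphName") if att is not None else None
    return None


if __name__ == "__main__":
    root = build_tenant("T1", "FW1", "10.0.10.5", "00:50:56:aa:bb:01",
                        "FW-BD", "web-ctr", 443)
    print(ET.tostring(root, encoding="unicode"))
```

Compared with the SNAT-on-ADC design in the question, nothing here changes the servers' gateway or splits a bridge domain; the firewall is reached only because the contract subject carries the graph, and a second subject without `vzRsSubjGraphAtt` would let the remaining ports bypass it. The ADC, if also inserted, would be a second node in the same `vnsAbsGraph` with its own device selection policy.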
