cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1747
Views
10
Helpful
5
Replies

North-South traffic control in application centric

Antonio Macia
Level 3
Level 3

Hi,

 

While east-west traffic using contracts is widely explained through all the documentation, I didn't find clear guidelines to manage north-south traffic control in ACI. All the examples refer to the typical "allow all" contract for L3out in order to let all the outgoing traffic get out the ACI fabric. However, consuming that kind of contract also allows any incoming traffic to the consuming EPG.

For incoming traffic, I would expect the external EPG under the L3out to consume only those contracts provided by the internal EPGs inside the fabric so the rest of the traffic is blocked and, for outgoing traffic, a contract provided by the external EPG that allows ONLY all the outgoing traffic.

What are the best practices in this sense?

 

thanks.

 

 

2 Accepted Solutions

Accepted Solutions

balaji.bandi
Hall of Fame
Hall of Fame

here is the ACI deployment Guide :

 

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737909.html

 

ACI default security deny all.

 

in DC environment, North to south is the default design since all hosting located in south, and user request coming from North.

 

And most North side FW deployed to protect DC environment.

 

ACI give additional security and east west side, since that was main draw back i see personally when you designed Flexpod ( you need addional layer of FW,. VG to protect layer2 network) i belive this will over come when you deploy ACI.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Hi @Antonio Macia ,

Yes, the way to do is to specify only one filter with Ethertype "IP", which more or less covers everything but ARP.

Remi Astruc

View solution in original post

5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

here is the ACI deployment Guide :

 

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737909.html

 

ACI default security deny all.

 

in DC environment, North to south is the default design since all hosting located in south, and user request coming from North.

 

And most North side FW deployed to protect DC environment.

 

ACI give additional security and east west side, since that was main draw back i see personally when you designed Flexpod ( you need addional layer of FW,. VG to protect layer2 network) i belive this will over come when you deploy ACI.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

 

Following that approach, then a FW in PBR mode would be the best option in my opinion.

In my particular case, the ACI fabric directly connects to the core network routing devices and adding a physical firewall in the middle would break the architecture. However, if I keep the L3out peering with the cores and I add a redirection of the traffic in the L3out contract provided by the external EPG would be a more elegant solution.

 

According to the documentation, we cannot redirect all the IP traffic because it would break ARP so, should I add multiple subjects per protocol (TCP, UDP, ICMP, etc) and each associated to the L4/L7 service-graph? Is there a better way to do it?

 

Regards.

 

Hi @Antonio Macia ,

Yes, the way to do is to specify only one filter with Ethertype "IP", which more or less covers everything but ARP.

Remi Astruc

Thanks @Remi-Astruc 

Appoligies with late reply, since i was re-locating took time to get back to internet.

 

i agree with @Remi-Astruc  here, and it was resolved and helpfull.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License