02-25-2020 01:49 AM - edited 02-25-2020 01:51 AM
Hi,
While east-west traffic using contracts is widely explained throughout the documentation, I didn't find clear guidelines for managing north-south traffic control in ACI. All the examples refer to the typical "allow all" contract for the L3out in order to let all the outgoing traffic get out of the ACI fabric. However, consuming that kind of contract also allows any incoming traffic to the consuming EPG.
For incoming traffic, I would expect the external EPG under the L3out to consume only those contracts provided by the internal EPGs inside the fabric so the rest of the traffic is blocked and, for outgoing traffic, a contract provided by the external EPG that allows ONLY all the outgoing traffic.
What are the best practices in this sense?
Thanks.
02-25-2020 02:17 AM
Here is the ACI deployment guide:
ACI default security is deny all.
In a DC environment, north to south is the default design since all hosting is located in the south, and user requests come from the north.
And most north-side FWs are deployed to protect the DC environment.
ACI gives additional security on the east-west side, since that was the main drawback I see personally when you designed FlexPod (you need an additional layer of FW, VG to protect the layer 2 network); I believe this will be overcome when you deploy ACI.
02-25-2020 06:23 AM
Hi Balaji,
Following that approach, then a FW in PBR mode would be the best option in my opinion.
In my particular case, the ACI fabric directly connects to the core network routing devices, and adding a physical firewall in the middle would break the architecture. However, keeping the L3out peering with the cores and adding a redirection of the traffic in the L3out contract provided by the external EPG would be a more elegant solution.
According to the documentation, we cannot redirect all the IP traffic because it would break ARP so, should I add multiple subjects per protocol (TCP, UDP, ICMP, etc) and each associated to the L4/L7 service-graph? Is there a better way to do it?
Regards.
02-25-2020 02:13 PM
Hi @Antonio Macia ,
Yes, the way to do is to specify only one filter with Ethertype "IP", which more or less covers everything but ARP.
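The single Ethertype "IP" filter from the reply above, and the per-protocol subjects from the question it answers, built as the APIC REST object tree (the JSON shape POSTed under /api/mo/uni.json). This is an added example and not code from the thread or from Cisco: the class and attribute names (vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzRsSubjGraphAtt, l3extInstP, fvAEPg, fvRsProv, fvRsCons) are APIC object-model names; the tenant, L3out, EPG, contract, filter and service-graph names are constructed placeholders, and the L4-L7 service graph is assumed to exist already. The coverage check at the end shows why one "prot unspecified" entry is preferable to listing TCP/UDP/ICMP: any IP protocol not in the list is dropped by the default deny.

```python
"""North-south contract objects for the thread's design, as an APIC REST payload.
Added example, not from the thread or from Cisco; all names are constructed
placeholders and the service graph is assumed to already exist."""
import json

TENANT = "demo-tn"            # constructed placeholder
GRAPH = "fw-pbr-graph"        # hypothetical L4-L7 service graph name

# Names the vzEntry "prot" attribute accepts (constructed subset for the check).
IP_PROTOCOLS = ("tcp", "udp", "icmp", "icmpv6", "igmp", "ospfigp", "pim", "eigrp")


def ip_any_filter(name="ip-any"):
    """One entry, Ethertype 'ip', protocol unspecified: matches every IP
    protocol and nothing else (ARP is a different Ethertype, so it is untouched)."""
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        {"vzEntry": {"attributes": {"name": "ip", "etherT": "ip",
                                    "prot": "unspecified"}}}]}}


def protocol_filter(prot):
    """One entry for a single IP protocol: the per-protocol approach."""
    return {"vzFilter": {"attributes": {"name": f"{prot}-only"}, "children": [
        {"vzEntry": {"attributes": {"name": prot, "etherT": "ip", "prot": prot}}}]}}


def contract(name, filter_names, graph=None):
    """One subject per filter; each subject optionally attached to a graph."""
    subjects = []
    for flt in filter_names:
        rels = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": flt}}}]
        if graph:
            rels.append({"vzRsSubjGraphAtt": {"attributes": {"tnVzGraphName": graph}}})
        subjects.append({"vzSubj": {"attributes": {"name": f"{flt}-subj",
                                                    "revFltPorts": "yes"},
                                    "children": rels}})
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"},
                       "children": subjects}}


def subject_count(ctr):
    return len(ctr["vzBrCP"]["children"])


def ip_protocols_matched(filters, candidates=IP_PROTOCOLS):
    """Which candidate IP protocols a set of filters permits; an entry with
    prot 'unspecified' matches all of them."""
    matched = set()
    for flt in filters:
        for child in flt["vzFilter"]["children"]:
            attrs = child["vzEntry"]["attributes"]
            if attrs.get("etherT") != "ip":
                continue
            if attrs.get("prot", "unspecified") == "unspecified":
                return set(candidates)
            matched.add(attrs["prot"])
    return matched & set(candidates)


def tenant_payload(l3out="core-l3out", ext_epg="external", app_epg="web"):
    """Tenant tree for the design in the question: the internal EPG provides
    'web-in' and the external EPG consumes it (inbound, only what is offered);
    the external EPG provides 'egress-pbr' with the ip-any filter and the graph
    attached (outbound, redirected to the firewall)."""
    filters = [ip_any_filter(), protocol_filter("tcp")]
    contracts = [contract("web-in", ["tcp-only"]),
                 contract("egress-pbr", ["ip-any"], graph=GRAPH)]
    app = {"fvAp": {"attributes": {"name": "app"}, "children": [
        {"fvAEPg": {"attributes": {"name": app_epg}, "children": [
            {"fvRsProv": {"attributes": {"tnVzBrCPName": "web-in"}}},
            {"fvRsCons": {"attributes": {"tnVzBrCPName": "egress-pbr"}}}]}}]}}
    ext = {"l3extOut": {"attributes": {"name": l3out}, "children": [
        {"l3extInstP": {"attributes": {"name": ext_epg}, "children": [
            {"fvRsCons": {"attributes": {"tnVzBrCPName": "web-in"}}},
            {"fvRsProv": {"attributes": {"tnVzBrCPName": "egress-pbr"}}}]}}]}}
    return {"fvTenant": {"attributes": {"name": TENANT},
                         "children": filters + contracts + [app, ext]}}


if __name__ == "__main__":
    print(json.dumps(tenant_payload(), indent=2))
    one = [ip_any_filter()]
    many = [protocol_filter(p) for p in ("tcp", "udp", "icmp")]
    print("ip-any matches:", sorted(ip_protocols_matched(one)))
    print("per-protocol misses:", sorted(set(IP_PROTOCOLS) - ip_protocols_matched(many)))
```

Posting the payload is a single POST of the fvTenant object; the check functions only inspect the dictionaries, so the script runs without an APIC.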
02-26-2020 12:18 AM
Thanks @Remi-Astruc
03-02-2020 07:50 AM
Apologies for the late reply; since I was relocating, it took time to get back to the internet.
I agree with @Remi-Astruc here, and it was resolved and helpful.