
Segmentation When All EPGs are in Preferred Group

mannytavarez
Level 1

Not sure what the best approach here is so I am asking for recommendations. Customer has ALL EPGs configured in “Preferred Group” status but has an OS\Application server that needs segmentation and also wants L7 visibility. I think the best approach here is to segment the EPG where this server lives with a firewall and use the firewall as the L3 for this EPG. I know I can build a bunch of contracts to segment the traffic but with every EPG having “Preferred Group” enabled I don’t see how to segment L3 EPG traffic at the IP level and also provide the visibility at layer 7. I want to build something scalable and easy to manage. Thanks

3 Replies

Remi-Astruc
Cisco Employee

Hi @mannytavarez ,

You have to disable Preferred Group for that Server EPG so it is out of the Group, then you can use vzAny <> Server EPG contracts. If you need L7 control, a FW can be inserted using Service Graph PBR in that contract. No need to have FW as server gateway.

Regards

Remi Astruc

mannytavarez
Level 1

Thanks for your response. Do you see this as a scalable solution? Reason I ask:

There will be a need to allow UDP\TCP protocols connections from a handful of systems and users but we still need to prevent the rest of the organization from reaching the server on the same UDP\TCP ports.

Remi-Astruc
Cisco Employee

In case of native ACI contracts, it depends how you will organize the source EPGs or L3Out External EPGs to match your granularity needs. Hard to tell but it is likely you will not hit the limits.

In case of PBR redirection of the Server EPG to a Firewall, it will be as scalable as the Firewall is...

Remi Astruc
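As an added example (not code from the thread or from Cisco), the design in both replies expressed as an APIC REST payload: the server EPG is set to `prefGrMemb=exclude`, it provides a contract whose filter is limited to the needed TCP/UDP ports, and only the EPGs holding the "handful of systems" consume that contract; letting `vzAny` consume it instead is what would open the server to every EPG in the VRF. The `audit` function flags exactly those two widening mistakes. Tenant, VRF, EPG, contract, filter and port values are constructed placeholders, and the service graph named in `graph_name` is assumed to already exist.

```python
"""Added example: build and audit an APIC REST payload (POST /api/mo/uni.json)
that takes one EPG out of the Preferred Group and exposes it only through an
explicit contract, optionally redirected through a PBR service graph."""
from __future__ import annotations

import json
from typing import Iterator

# Constructed sample names; none of these come from the thread or a real fabric.
TENANT, VRF, APP = "prod", "prod-vrf", "apps"
SERVER_EPG = "app-server"                         # the EPG that needs segmentation
ALLOWED_CONSUMERS = ["admin-jump", "monitoring"]  # the "handful of systems"
CONTRACT, FILTER = "to-app-server", "app-server-ports"
PORTS = [("tcp", "443"), ("udp", "514")]          # sample service ports


def mo(cls: str, attrs: dict, children: list | None = None) -> dict:
    """Wrap one managed object in the APIC JSON shape {class: {attributes, children}}."""
    return {cls: {"attributes": attrs, "children": children or []}}


def build_payload(open_to_all: bool = False, graph_name: str | None = None) -> dict:
    """open_to_all=True lets vzAny (every EPG in the VRF) consume the contract;
    graph_name attaches a service graph assumed to already exist in the tenant."""
    entries = [mo("vzEntry", {"name": f"{prot}-{port}", "etherT": "ip", "prot": prot,
                              "dFromPort": port, "dToPort": port}) for prot, port in PORTS]
    subj_children = [mo("vzRsSubjFiltAtt", {"tnVzFilterName": FILTER})]
    if graph_name:  # PBR insertion happens on the contract subject, not at the gateway
        subj_children.append(mo("vzRsSubjGraphAtt", {"tnVnsAbsGraphName": graph_name}))
    contract = mo("vzBrCP", {"name": CONTRACT, "scope": "context"},
                  [mo("vzSubj", {"name": "s", "revFltPorts": "yes"}, subj_children)])
    # The segmented EPG leaves the Preferred Group and provides the contract.
    epgs = [mo("fvAEPg", {"name": SERVER_EPG, "prefGrMemb": "exclude"},
               [mo("fvRsProv", {"tnVzBrCPName": CONTRACT})])]
    # Only the listed EPGs consume it; they may stay in the Preferred Group.
    epgs += [mo("fvAEPg", {"name": e, "prefGrMemb": "include"},
                [mo("fvRsCons", {"tnVzBrCPName": CONTRACT})]) for e in ALLOWED_CONSUMERS]
    vrf_children = []
    if open_to_all:
        vrf_children.append(mo("vzAny", {}, [mo("vzRsAnyToCons", {"tnVzBrCPName": CONTRACT})]))
    return mo("fvTenant", {"name": TENANT}, [
        mo("vzFilter", {"name": FILTER}, entries),
        contract,
        mo("fvCtx", {"name": VRF}, vrf_children),
        mo("fvAp", {"name": APP}, epgs),
    ])


def walk(node: dict) -> Iterator[tuple[str, dict, str | None]]:
    """Yield (class, attributes, parent_name) for every MO in the payload tree."""
    stack = [(node, None)]
    while stack:
        cur, parent = stack.pop()
        for cls, body in cur.items():
            attrs = body.get("attributes", {})
            yield cls, attrs, parent
            name = attrs.get("name", cls)
            stack.extend((child, name) for child in body.get("children", []))


def consumers_of(payload: dict, contract: str) -> set[str]:
    """EPG names (or 'vzAny') that consume the given contract."""
    out: set[str] = set()
    for cls, attrs, parent in walk(payload):
        if cls == "vzRsAnyToCons" and attrs.get("tnVzBrCPName") == contract:
            out.add("vzAny")
        if cls == "fvRsCons" and attrs.get("tnVzBrCPName") == contract:
            out.add(parent)
    return out


def audit(payload: dict) -> list[str]:
    """Flag settings that would silently widen access to the segmented EPG."""
    findings = []
    for cls, attrs, _ in walk(payload):
        if cls == "fvAEPg" and attrs["name"] == SERVER_EPG and attrs.get("prefGrMemb") != "exclude":
            findings.append(f"{SERVER_EPG} is still in the Preferred Group: reachable with no contract")
        if cls == "vzEntry" and attrs.get("dFromPort", "unspecified") == "unspecified":
            findings.append(f"filter entry {attrs.get('name')} matches every destination port")
    if "vzAny" in consumers_of(payload, CONTRACT):
        findings.append(f"vzAny consumes {CONTRACT}: every EPG in {VRF} reaches {SERVER_EPG} on those ports")
    return findings


if __name__ == "__main__":
    payload = build_payload(graph_name="pbr-fw-graph")
    print(json.dumps(payload, indent=2))  # body for POST https://<apic>/api/mo/uni.json
    print("audit:", audit(payload) or "ok")
    print("audit with vzAny consumer:", audit(build_payload(open_to_all=True)))
```

The printed JSON is the body you would POST to `/api/mo/uni.json` on the APIC with an authenticated session; running `audit` over a payload pulled back from the fabric is a quick way to confirm the server EPG really left the Preferred Group and that nobody later widened the consumer side to `vzAny`.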
