06-01-2024 08:54 AM
Not sure what the best approach here is so I am asking for recommendations. Customer has ALL EPGs configured in "Preferred Group" status but has an OS\Application server that needs segmentation and also wants L7 visibility. I think the best approach here is to segment the EPG where this server lives with a firewall and use the firewall as the L3 for this EPG. I know I can build a bunch of contracts to segment the traffic, but with every EPG having "Preferred Group" enabled I don't see how to segment L3 EPG traffic at the IP level and also provide the visibility at layer 7. I want to build something scalable and easy to manage. Thanks
06-03-2024 12:03 AM
Hi @mannytavarez ,
You have to disable Preferred Group for that Server EPG so it is out of the Group, then you can use vzAny <> Server EPG contracts. If you need L7 control, a FW can be inserted using Service Graph PBR in that contract. No need to have FW as server gateway.
Regards
06-06-2024 06:57 AM - edited 06-06-2024 06:58 AM
Thanks for your response. Do you see this as a scalable solution? Reasons I ask:
There will be a need to allow UDP\TCP protocol connections from a handful of systems and users, but we still need to prevent the rest of the organization from reaching the server on the same UDP\TCP ports.
06-06-2024 07:39 AM
In case of native ACI contracts, it depends how you will organize the source EPGs or L3Out External EPGs to match your granularity needs. Hard to tell but it is likely you will not hit the limits.
In case of PBR redirection of the Server EPG to a Firewall, it will be as scalable as the Firewall is...
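As an added illustration of the native-contract design described in the answers above (not code from the thread or from Cisco), the script below builds the APIC JSON payload for that design: the VRF's vzAny keeps the Preferred Group enabled, the server EPG is excluded from it, vzAny consumes only a baseline ICMP contract provided by the server EPG, and a separate "admin" EPG (the handful of systems that need the TCP/UDP ports) consumes a port-specific contract. Everything else that is still in the Preferred Group then hits the VRF's implicit deny for the server EPG. Tenant, VRF, BD, EPG, contract and filter names and the port numbers are hypothetical placeholders, and the PBR/service-graph insertion mentioned in the answer is not modelled here.

```python
"""Build an APIC JSON payload that excludes one EPG from the VRF Preferred Group
and exposes it only through explicit contracts.

Added example for this thread; all object names below are hypothetical placeholders.
"""
import json


def mo(cls, attrs, children=None):
    """Wrap one managed object in the APIC JSON shape {cls: {attributes, children}}."""
    body = {"attributes": attrs}
    if children:
        body["children"] = children
    return {cls: body}


def tcp_udp_filter(name, ports):
    """vzFilter with one TCP and one UDP entry per destination port."""
    entries = []
    for port in ports:
        for proto in ("tcp", "udp"):
            entries.append(mo("vzEntry", {
                "name": f"{proto}-{port}", "etherT": "ip", "prot": proto,
                "dFromPort": str(port), "dToPort": str(port),
            }))
    return mo("vzFilter", {"name": name}, entries)


def contract(name, filter_name):
    """vzBrCP with a single subject; revFltPorts=yes lets the reply traffic back."""
    subj = mo("vzSubj", {"name": "subj", "revFltPorts": "yes"},
              [mo("vzRsSubjFiltAtt", {"tnVzFilterName": filter_name})])
    return mo("vzBrCP", {"name": name, "scope": "context"}, [subj])


def build_segmentation_payload(tenant="Prod", vrf="Prod-VRF", bd="App-BD",
                               ap="App-AP", server_epg="Server-EPG",
                               admin_epg="Admin-EPG", ports=(443, 5000)):
    """Return the fvTenant subtree for the design discussed in the thread.

    - vzAny keeps prefGrMemb=enabled, so every other EPG stays in the Preferred Group.
    - The server EPG is prefGrMemb=exclude, so it is reachable only via contracts.
    - vzAny consumes a baseline ICMP contract provided by the server EPG.
    - Only the admin EPG consumes the TCP/UDP port contract; the rest of the VRF
      is stopped by the implicit deny for the excluded EPG.
    """
    icmp_filter = mo("vzFilter", {"name": "icmp-only"},
                     [mo("vzEntry", {"name": "icmp", "etherT": "ip", "prot": "icmp"})])
    port_filter = tcp_udp_filter("server-ports", ports)
    baseline = contract("any-to-server-icmp", "icmp-only")
    restricted = contract("admin-to-server-ports", "server-ports")

    vz_any = mo("vzAny", {"prefGrMemb": "enabled"},
                [mo("vzRsAnyToCons", {"tnVzBrCPName": "any-to-server-icmp"})])
    ctx = mo("fvCtx", {"name": vrf, "pcEnfPref": "enforced"}, [vz_any])
    bridge_domain = mo("fvBD", {"name": bd}, [mo("fvRsCtx", {"tnFvCtxName": vrf})])

    server = mo("fvAEPg", {"name": server_epg, "prefGrMemb": "exclude"}, [
        mo("fvRsBd", {"tnFvBDName": bd}),
        mo("fvRsProv", {"tnVzBrCPName": "any-to-server-icmp"}),
        mo("fvRsProv", {"tnVzBrCPName": "admin-to-server-ports"}),
    ])
    admin = mo("fvAEPg", {"name": admin_epg, "prefGrMemb": "include"}, [
        mo("fvRsBd", {"tnFvBDName": bd}),
        mo("fvRsCons", {"tnVzBrCPName": "admin-to-server-ports"}),
    ])
    app = mo("fvAp", {"name": ap}, [server, admin])
    return mo("fvTenant", {"name": tenant},
              [ctx, bridge_domain, icmp_filter, port_filter, baseline, restricted, app])


def walk(node):
    """Yield (class, attributes, children) for every MO in the tree, depth first."""
    for cls, body in node.items():
        children = body.get("children", [])
        yield cls, body["attributes"], children
        for child in children:
            yield from walk(child)


def epg_pref_group(payload, epg_name):
    """Preferred Group membership ('include'/'exclude') of the named EPG, or None."""
    for cls, attrs, _ in walk(payload):
        if cls == "fvAEPg" and attrs["name"] == epg_name:
            return attrs["prefGrMemb"]
    return None


def consumers_of(payload, contract_name):
    """Set of EPG names (or 'vzAny') that consume the named contract."""
    result = set()
    for cls, attrs, children in walk(payload):
        for child in children:
            for ccls, cbody in child.items():
                if ccls in ("fvRsCons", "vzRsAnyToCons") and \
                        cbody["attributes"]["tnVzBrCPName"] == contract_name:
                    result.add(attrs["name"] if cls == "fvAEPg" else "vzAny")
    return result


if __name__ == "__main__":
    # Review the output, then POST it to https://<apic>/api/mo/uni.json with an
    # authenticated APIC session; the script itself stays offline.
    print(json.dumps(build_segmentation_payload(), indent=2))
```

Organizing the "handful of systems" into their own EPG (or L3Out external EPG), as the last answer suggests, is what keeps this scalable: adding another permitted source is one more fvRsCons on that EPG, not a new contract.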