Service Graph Deployment Choice for NS FW deployment

vfe
Level 1

If you want your firewall to inspect traffic flowing through it but also receive traffic directed at it, what would be the preferred deployment choice? Could I use PBR and also receive traffic destined to the firewall? Thanks

1 Reply

Tarakesh Jetti
Cisco Employee

Hi,

Using the service graph, Cisco ACI can redirect traffic between security zones to a firewall or a load balancer, without the need for the firewall or the load balancer to be the default gateway for the servers. 

Cisco ACI can selectively send traffic to L4-L7 devices based, for instance, on the protocol and the Layer 4 port. 

Firewall inspection can be transparently inserted in a Layer 2 domain with almost no modification to existing routing and switching configurations. Cisco ACI also allows you to increase the capacity of L4-L7 devices by creating a pool of devices to which Cisco ACI can distribute traffic.

When to use a service graph

You can deploy firewalls and load balancers with Cisco ACI with or without a service graph. To decide whether or not you should use the service graph technology, you need to understand the problem the service graph solves.

The service graph concept is considered an extension to the concept of a contract, so, by default, it operates in the mode of a consumer and provider interface. This model is ideal for inserting firewalls or, more generally, L4-L7 devices between two security zones.

Note: If you need to use a service graph for a firewall with multiple network edges (or DMZs), you will need to reuse the service graph multiple times between each pair of interfaces (or between each security zone and vzAny).

A service graph offers several advantages. Two of the biggest advantages are the capability to redirect traffic and the capability to automate the VLAN allocation between the L4-L7 device (when using virtual appliances) and the fabric.

A service graph offers the following advantages. It:

● Automatically manages VLAN assignments for virtual appliances

● Automatically connects virtual network interface cards (vNICs)

● Provides a more logical, and an application-related, view of services

● Can be configured with a redirect option, which simplifies the network design

Service graph redirect offers many advantages. It does the following:

● Eliminates the need to make firewalls or load balancers the default gateway

● Avoids the need for more complex types of designs, such as a virtual routing and forwarding (VRF) instance–L4-L7-device–VRF design

● Avoids the need to split Layer 2 domains (bridge domains) to insert, for instance, a firewall in the traffic path

● Allows you to redirect a subset of the traffic based on the protocol and port

● Allows you to filter traffic between security zones in the same Layer 2 domain (bridge domain)

● Allows you to scale the performance of the L4-L7 device by distributing traffic to multiple devices

Thanks and regards,

Tarakesh Jetti

Customer Success Specialist - CX Team.
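The reply above describes the redirect (PBR) option in words. The script below is an added example, written for this thread and not code from Cisco or from the poster, that builds the three APIC REST payloads a PBR insertion needs: the redirect policy (firewall next hops), the device selection policy that binds a contract and graph node to a concrete device and the redirect policy, and a contract whose subjects decide which filters are steered through the firewall and which are permitted directly. The class names, attribute names and DN formats (vnsSvcRedirectPol, vnsRedirectDest, vnsLDevCtx, vnsLIfCtx, vzRsSubjGraphAtt and the rest) are reproduced from memory of the APIC object model and must be verified against the Management Information Model reference for your release before you post them; the tenant, contract, graph, device, interface and filter names are hypothetical.

```python
"""Generate APIC REST payloads for inserting a firewall with ACI service-graph
PBR. Added example for this thread, not Cisco's code. Class, attribute and DN
formats (vnsSvcRedirectPol, vnsRedirectDest, vnsLDevCtx, vnsLIfCtx,
vzRsSubjGraphAtt, ...) are written from memory of the APIC object model and
must be checked against the MIM reference for your release; tenant, contract,
device, interface and filter names are hypothetical."""
import json


def redirect_policy(tenant, name, destinations):
    """vnsSvcRedirectPol: the PBR next-hop set, one vnsRedirectDest per firewall.
    destinations is an iterable of (ip, mac); several entries let the fabric
    hash flows across a pool of firewalls."""
    return {"vnsSvcRedirectPol": {
        "attributes": {"dn": f"uni/tn-{tenant}/svcCont/svcRedirectPol-{name}",
                       "name": name},
        "children": [{"vnsRedirectDest": {"attributes": {"ip": ip, "mac": mac}}}
                     for ip, mac in destinations],
    }}


def device_selection_policy(tenant, contract_name, graph, node, device,
                            consumer, provider, redirect_pol):
    """vnsLDevCtx: binds contract + graph + node to a concrete device (vnsLDevVip).
    consumer/provider are (interface, bridge_domain) tuples; passing the same
    interface and BD for both gives a one-arm firewall in a dedicated service BD."""
    def leg(conn, lif, bd):
        return {"vnsLIfCtx": {
            "attributes": {"connNameOrLbl": conn},
            "children": [
                {"vnsRsLIfCtxToLIf": {"attributes": {
                    "tDn": f"uni/tn-{tenant}/lDevVip-{device}/lIf-{lif}"}}},
                {"vnsRsLIfCtxToBD": {"attributes": {
                    "tDn": f"uni/tn-{tenant}/BD-{bd}"}}},
                {"vnsRsLIfCtxToSvcRedirectPol": {"attributes": {
                    "tnVnsSvcRedirectPolName": redirect_pol}}},
            ]}}
    return {"vnsLDevCtx": {
        "attributes": {
            "dn": f"uni/tn-{tenant}/ldevCtx-c-{contract_name}-g-{graph}-n-{node}",
            "ctrctNameOrLbl": contract_name, "graphNameOrLbl": graph,
            "nodeNameOrLbl": node},
        "children": [
            {"vnsRsLDevCtxToLDev": {"attributes": {
                "tDn": f"uni/tn-{tenant}/lDevVip-{device}"}}},
            leg("consumer", *consumer),
            leg("provider", *provider),
        ]}}


def contract(tenant, name, graph, inspected_filters, bypass_filters):
    """vzBrCP with two subjects. Filters in inspected_filters get the graph
    attached, so matching flows are redirected to the firewall; filters in
    bypass_filters are permitted by the fabric without redirection."""
    def subject(subj, filters, with_graph):
        children = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}}
                    for f in filters]
        if with_graph:
            children.append({"vzRsSubjGraphAtt": {"attributes": {
                "tnVnsAbsGraphName": graph}}})
        return {"vzSubj": {"attributes": {"name": subj}, "children": children}}
    return {"vzBrCP": {
        "attributes": {"dn": f"uni/tn-{tenant}/brc-{name}", "name": name},
        "children": [subject("inspected", inspected_filters, True),
                     subject("bypass", bypass_filters, False)]}}


def redirected_filters(contract_payload):
    """Which filters of a contract payload are actually steered through the
    firewall: those on a subject that carries vzRsSubjGraphAtt."""
    out = []
    for child in contract_payload["vzBrCP"]["children"]:
        subj = child["vzSubj"]["children"]
        if any("vzRsSubjGraphAtt" in c for c in subj):
            out += [c["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                    for c in subj if "vzRsSubjFiltAtt" in c]
    return out


if __name__ == "__main__":
    # Hypothetical names: two firewalls in the redirect pool, one-arm in BD "svc-bd".
    pol = redirect_policy("Prod", "fw-pbr",
                          [("10.1.1.10", "00:50:56:aa:bb:01"),
                           ("10.1.1.11", "00:50:56:aa:bb:02")])
    ctx = device_selection_policy("Prod", "web-to-db", "FW-Graph", "N1", "ASA-HA",
                                  ("one-arm", "svc-bd"), ("one-arm", "svc-bd"),
                                  "fw-pbr")
    ctr = contract("Prod", "web-to-db", "FW-Graph",
                   inspected_filters=["tcp-3306"], bypass_filters=["icmp"])
    for payload in (pol, ctx, ctr):
        print(json.dumps(payload, indent=2))  # POST each to https://<apic>/api/mo/uni.json
    print("redirected:", redirected_filters(ctr))
```

Two things worth checking before attaching the graph to a production contract: the ip/mac pairs in the redirect policy must be the firewall data interface(s) in the service bridge domain, because a wrong MAC makes the leaf rewrite redirected frames to a destination that never answers and the flows are silently dropped; and only the subjects that carry vzRsSubjGraphAtt are steered to the firewall, so review the filter list on the "inspected" subject to be sure the traffic you want inspected is not landing on the bypass subject instead.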
