Suggestions Required..!

faizal_vi
Level 1

Hi All, I am very much new to the ACI architecture. I have a new deployment coming up. I have attached the diagram with the physical connections. I would like to know whether this is a feasible thing in an ACI architecture. We are firewalling all traffic between the user segment and the servers. The firewall is not integrated with APIC.

 

The server VLAN's GW is the firewall interface. Currently all servers and VMs will be configured as bare-metal devices. The servers should be able to communicate without the need for any contracts, maybe in the same EPG. All the servers should have redundant links to the leaf switches, but there is no vPC in place. We have restrictions on the VM end to create LACP; it will be done in the future. Hope we have STP to block loops.

 

The access layer contains multiple VLANs. All VLANs are distributed over the access switches. Can the ACI switch switch traffic between these VLANs (like inter-VLAN routing)?

Also I would like this network to go out to the firewall for access to the servers and the internet. Can we have a default route to the firewall interface? How should I segment the servers and access-layer part? Using different tenants or with multiple VRFs under a single tenant?

 

Appreciate your valuable suggestions and feedback

2 Replies

gmonroy
Cisco Employee

faizal_vi,

The first question I always like to ask, which I believe you already answered, is "Where is the gateway of the devices in question?".

 

You mentioned that for the "Server Farm", the Default gateway is going to be on the Firewall. This tells me that for that VLAN, ACI will need to act as L2. This means that you can extend a single EPG to both your Devices interfaces and to the Firewall interface (assuming it can trunk). Having both links in a single EPG is one method to ensure you do not need to place contracts between them for policy enforcement. Having the Gateway on the Firewall means that all routing between VRFs/VLANs will need to happen at, or beyond, the Firewall. ACI will not do any routing for that segment.

 

This also means you may need to instead look at using a trunk or access interface on the firewall, and having some SVI or loopback/VIP act as the gateway address on the FW.

 

So assuming your Server Farm is on a Unique VLAN from your Access switches with the firewall acting as the gateway for both the Server VLAN and existing Access VLANs:

[Diagram: Assumed that Server VLAN and Access VLANs are unique. Also, where is the gateway for Access VLANs 10/20/30?]

Your routing would need to happen on the firewall itself. 

 

Points for clarification:

  1. Where is the Gateway for Access VLANs 10/20/30?
  2. Is the Server Farm using a unique VLAN?

 

-Gabriel
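A worked example of the two bridge-domain designs discussed in this thread, added here as illustration (it is not from the post and not Cisco's code). It builds the APIC REST JSON for one tenant with an L2-only bridge domain for the server VLAN (unicast routing off, gateway on the firewall, as Gabriel describes) and, going beyond his reply to cover the access VLANs 10/20/30, L3 bridge domains whose subnets make ACI the gateway so the fabric routes between them. The tenant, VRF, BD and EPG names, VLAN IDs, leaf port paths, subnets and physical-domain name are all assumptions; the L3Out that would carry a default route to the firewall is not included.

```python
"""Build APIC REST (JSON) payloads for an L2 bridge domain whose gateway is
an external firewall and for L3 bridge domains gatewayed by ACI.
Added example, not from the thread or from Cisco.  Every name, port and
subnet below is an assumption chosen for illustration.  The module is
offline: it only returns dicts; nothing is sent to an APIC.
"""
import json

# Assumed fabric details (constructed for the example, not from the post).
LEAF_PORTS_SERVERS = [
    "topology/pod-1/paths-101/pathep-[eth1/5]",   # server NIC 1 on leaf 101
    "topology/pod-1/paths-102/pathep-[eth1/5]",   # server NIC 2 on leaf 102 (no vPC)
]
LEAF_PORT_FIREWALL = "topology/pod-1/paths-101/pathep-[eth1/48]"  # FW trunk port
LEAF_PORT_ACCESS = "topology/pod-1/paths-102/pathep-[eth1/48]"    # access-switch uplink
PHYS_DOMAIN = "uni/phys-Prod_PhysDom"                              # assumed physical domain


def l2_bridge_domain(name, vrf):
    """BD with unicast routing off: ACI forwards only at L2 and the gateway
    lives on the firewall.  ARP and unknown-unicast flooding are enabled so
    the external gateway behaves as it would behind a classic switch."""
    return {"fvBD": {"attributes": {"name": name, "unicastRoute": "no",
                                    "arpFlood": "yes", "unkMacUcastAct": "flood"},
                     "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]}}


def l3_bridge_domain(name, vrf, gateway_cidr):
    """BD with unicast routing on and a subnet: ACI owns the gateway address
    and routes between BDs of the same VRF (inter-VLAN routing in the fabric)."""
    return {"fvBD": {"attributes": {"name": name, "unicastRoute": "yes",
                                    "arpFlood": "no"},
                     "children": [
                         {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}},
                         {"fvSubnet": {"attributes": {"ip": gateway_cidr,
                                                      "scope": "private"}}}]}}


def epg(name, bd, vlan, paths):
    """EPG bound to a BD with static path bindings on one VLAN encap.  All
    listed ports land in the same EPG, so traffic among them is permitted
    without a contract (intra-EPG forwarding is allowed by default)."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
                {"fvRsDomAtt": {"attributes": {"tDn": PHYS_DOMAIN}}}]
    for path in paths:
        children.append({"fvRsPathAtt": {"attributes": {
            "tDn": path, "encap": f"vlan-{vlan}", "mode": "regular"}}})
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def build_tenant(tenant="Prod", vrf="Prod_VRF"):
    """Whole tenant: one VRF with the default enforced policy (contracts are
    required between EPGs), an L2 BD for the server VLAN (firewall gateway),
    and L3 BDs for access VLANs 10/20/30 that ACI routes between."""
    server_epg = epg("Servers", "Servers_BD", 100,
                     LEAF_PORTS_SERVERS + [LEAF_PORT_FIREWALL])
    access_bds, access_epgs = [], []
    for vlan, gw in ((10, "10.0.10.1/24"), (20, "10.0.20.1/24"), (30, "10.0.30.1/24")):
        access_bds.append(l3_bridge_domain(f"Access{vlan}_BD", vrf, gw))
        access_epgs.append(epg(f"Access{vlan}", f"Access{vlan}_BD", vlan, [LEAF_PORT_ACCESS]))
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"fvCtx": {"attributes": {"name": vrf, "pcEnfPref": "enforced"}}},
        l2_bridge_domain("Servers_BD", vrf),
        *access_bds,
        {"fvAp": {"attributes": {"name": "DC_AP"},
                  "children": [server_epg, *access_epgs]}},
    ]}}


def routed_bds(payload):
    """Map BD name -> unicastRoute, to review which BDs ACI routes for."""
    return {c["fvBD"]["attributes"]["name"]: c["fvBD"]["attributes"]["unicastRoute"]
            for c in payload["fvTenant"]["children"] if "fvBD" in c}


def epg_paths(payload, epg_name):
    """List the leaf port paths statically bound to one EPG."""
    for c in payload["fvTenant"]["children"]:
        if "fvAp" in c:
            for e in c["fvAp"]["children"]:
                if e["fvAEPg"]["attributes"]["name"] == epg_name:
                    return [x["fvRsPathAtt"]["attributes"]["tDn"]
                            for x in e["fvAEPg"]["children"] if "fvRsPathAtt" in x]
    return []


def to_json(payload):
    """Serialise for a POST to https://<apic>/api/mo/uni.json (after aaaLogin)."""
    return json.dumps(payload, indent=2)


if __name__ == "__main__":
    print(to_json(build_tenant()))
```

Servers and the firewall trunk port share one EPG, so their traffic needs no contract, and all inter-VLAN traffic for that segment still crosses the firewall. The access BDs are routed inside the VRF, so the firewall no longer sits between VLANs 10, 20 and 30; what separates them there is the VRF's enforced policy, which blocks traffic between the access EPGs until a contract permits it. Post the output to https://<apic>/api/mo/uni.json with the token obtained from /api/aaaLogin.json.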

 

Hi,

Thank you for the clarifications.

The server part is actually clear to me.

 

With regard to your queries.... 

Points for clarification:

Where is the Gateway for Access VLANs 10/20/30? We plan to have it in the ACI itself. We actually wanted the inter-VLAN routing to be done in ACI itself. The logic behind this is to reduce the overhead on the firewall.

 


Is the Server Farm using a unique VLAN? Yes

 

 
