05-06-2021 08:51 PM
Dear Cisco,
We have ACI in an application-centric deployment that uses contracts for communication between EPGs. Since this policy causes TCAM exhaustion, we want to move the security part to the ASA firewall using a service graph with PBR.
Are there any tools that we can use to convert the contract filters on ACI into an access list on ASA devices?
05-09-2021 09:52 AM
Hello!
Not to my knowledge - no.
Sorry and best regards
Julian
05-10-2021 05:44 AM
This doesn't exist. There are vast differences between an ACL on ACI and one on legacy security devices. Namely, ACI doesn't align policy with networking constructs (VLANs/MACs/IPs/subnets) alone. The EPG (source classID) is what's used to apply security ACLs (protocols/Ethertypes etc.) on a source/destination, so an ACL (filter/contract) on ACI != an ACL on ASA.
Robert
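To make the gap Robert describes concrete, here is an added example (not from the original thread and not a Cisco tool) of a best-effort translation script. It only works once you supply the thing ACI never needs: an explicit EPG-to-IP-subnet mapping. The contract, filter entries, EPG names and subnets below are constructed sample data; the ACL and object-group names are hypothetical. It assumes that the ASA, being stateful, only needs the consumer-to-provider direction (ACI's "apply both directions / reverse filter ports" becomes unnecessary), and that anything not expressible as an IP object (an EPG with no subnet, a non-IP Ethertype such as ARP) is reported rather than silently dropped.

```python
"""Best-effort ACI contract filter -> ASA extended ACL translator (added example).

An ACI filter entry carries Ethertype, IP protocol and port ranges, but the
source/destination are EPG classIDs, not IPs.  To emit an ASA ACL we must be
handed an EPG -> subnet mapping; where none exists the translation cannot be
done and the script says so instead of guessing.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FilterEntry:
    """Subset of an ACI vzEntry: etherT, prot, dFromPort/dToPort."""
    name: str
    ether_type: str = "ip"             # ip, arp, ... (ACI uses "ip" for IPv4)
    ip_protocol: str = "unspecified"   # tcp, udp, icmp, or unspecified (= any)
    d_from_port: str = "unspecified"
    d_to_port: str = "unspecified"


@dataclass
class Contract:
    name: str
    consumer_epg: str
    provider_epg: str
    entries: List[FilterEntry]


def asa_net(cidr: str) -> str:
    """Render a CIDR as ASA 'host x' or 'network mask' notation."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def asa_ports(entry: FilterEntry) -> str:
    """Translate an ACI destination port range into an ASA 'eq'/'range' clause."""
    if entry.ip_protocol not in ("tcp", "udp") or entry.d_from_port == "unspecified":
        return ""
    if entry.d_to_port in ("unspecified", entry.d_from_port):
        return f" eq {entry.d_from_port}"
    return f" range {entry.d_from_port} {entry.d_to_port}"


def missing_subnet_epgs(contract: Contract, epg_subnets: Dict[str, List[str]]) -> List[str]:
    """EPGs referenced by the contract that have no IP subnet mapping (untranslatable)."""
    return [epg for epg in (contract.consumer_epg, contract.provider_epg)
            if not epg_subnets.get(epg)]


def translate(contract: Contract, epg_subnets: Dict[str, List[str]],
              acl_name: str) -> Tuple[List[str], List[str]]:
    """Return (ASA config lines, names of filter entries that could not be translated)."""
    missing = missing_subnet_epgs(contract, epg_subnets)
    if missing:
        raise ValueError(f"no subnet mapping for EPG(s) {missing}; classID-based policy "
                         "cannot be expressed as an IP ACL")

    lines: List[str] = []
    skipped: List[str] = []

    # One network object-group per EPG keeps the ACL readable and avoids a
    # source x destination subnet cartesian product.
    for epg in (contract.consumer_epg, contract.provider_epg):
        lines.append(f"object-group network EPG-{epg}")
        lines.extend(f" network-object {asa_net(cidr)}" for cidr in epg_subnets[epg])

    src = f"object-group EPG-{contract.consumer_epg}"
    dst = f"object-group EPG-{contract.provider_epg}"
    for entry in contract.entries:
        if entry.ether_type != "ip":
            skipped.append(entry.name)   # e.g. ARP: not an L3/L4 ACL matter on the ASA
            continue
        proto = "ip" if entry.ip_protocol == "unspecified" else entry.ip_protocol
        lines.append(f"access-list {acl_name} extended permit {proto} {src} {dst}{asa_ports(entry)}")

    # Explicit version of the ASA's implicit deny, so hit counts are visible.
    lines.append(f"access-list {acl_name} extended deny ip any any")
    return lines, skipped


# Constructed sample data (hypothetical names and subnets).
SAMPLE_CONTRACT = Contract(
    name="web-to-app", consumer_epg="Web-EPG", provider_epg="App-EPG",
    entries=[
        FilterEntry("http-alt", "ip", "tcp", "8080", "8080"),
        FilterEntry("mgmt", "ip", "tcp", "8443", "8445"),
        FilterEntry("ping", "ip", "icmp"),
        FilterEntry("arp", "arp"),
    ],
)
SAMPLE_SUBNETS = {"Web-EPG": ["10.1.10.0/24", "10.1.11.0/24"], "App-EPG": ["10.2.20.0/24"]}

if __name__ == "__main__":
    config, untranslated = translate(SAMPLE_CONTRACT, SAMPLE_SUBNETS, "pbr-web-to-app")
    print("\n".join(config))
    print("! could not translate:", untranslated)
```

The output is only as good as the EPG-to-subnet table you feed in. Endpoints classified into an EPG by VLAN, VM attribute or microsegmentation rule rather than by subnet have no representation here, which is exactly why such a converter cannot exist in general.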