11-24-2018 06:58 AM - edited 03-01-2019 05:42 AM
Hi - we want to deploy a firewall for our intra-EPG communication.
For that, our firewall will have three contexts / virtual systems. Each EPG will connect to its own context / virtual system.
EPG 1 <----> Context / VS 1
EPG 2 <----> Context / VS 2
EPG 3 <----> Context / VS 3
For example, if a subnet within EPG 1 wants to talk to another subnet within the same EPG 1, traffic will hit the firewall and then come back.
For the above, we need to understand how to design communication between EPG 1 and Context / VS 1.
Would we be using layer 3?
Do we need a sub-interface on Context / VS 1, or can we use the main interface? If a sub-interface, then why?
Do we need only one interface for in and out traffic on Context / VS 1?
Which protocol can we use, or would static work better between EPG 1 and Context / VS 1?
Is there any document to refer to for intra-EPG communication design using a firewall which I can follow?
Any other useful info would be helpful.
Thanks.
11-24-2018 07:15 AM
Could you please explain your design a bit more ... that part, for example:
"For example, if a subnet within EPG 1 wants to talk to another subnet within same EPG 1, traffic will hit the firewall and then come back."
11-24-2018 07:47 AM
That's called EPG micro-segmentation.

                                  ! app server 1
    CONTEXT / VS 1 ----- APP EPG ----! app server 2
                                  ! app server 3

We want to use the firewall for INTRA-EPG communication between app server 1, app server 2 and app server 3.
We want to know things on the FW side and the communication between the EPG and CONTEXT / VS 1, and how to set it up, per the questions in the first post.
11-25-2018 01:30 PM
11-26-2018 12:51 AM
Thanks for your reply. So in the above case, for intra-EPG communication using a firewall context, would the connection between the EPG and the context be layer 3 or layer 2? Secondly, do we need 2 connections between the context and the EPG, one for in traffic and the other for out?
11-26-2018 07:30 AM
I think you misunderstood me. The above is not a solution, it is a hack. In general, micro-segmentation is not designed for multi-tier applications with a firewall in between.
11-26-2018 07:35 AM
I think you can use a firewall or load balancer in micro-segmentation.
If you see this article, it says "Insert L4-L7 load balancer or firewall services between micro-segments defined using workload VM or network attributes":
https://blogs.cisco.com/datacenter/microsegmentation-with-cisco-aci
11-26-2018 09:14 AM
It's a bit different. I believe this blog (and the whitepaper on the topic) talks about contracts with an L4-L7 service graph.