ACI Intra EPG communication

bilalhussain
Level 1

Hi - we want to deploy firewall for our intra EPG communication.

For that, our firewall will have three contexts / virtual systems. Each EPG will connect to its own context / virtual system.

EPG 1  <----> Context  / VS 1

EPG 2  <----> Context  / VS 2

EPG 3  <----> Context  / VS 3

For example, if a subnet within EPG 1 wants to talk to another subnet within same EPG 1, traffic will hit the firewall and then come back.

For the above, we need to understand how to design communication between EPG 1 and Context / VS 1.

Would we be using layer 3?

Do we need a sub-interface on Context / VS 1, or can we use the main interface? If a sub-interface, then why?

Do we need only one interface for in and out traffic on Context / VS 1?

What protocol can we use, or would static work better between EPG 1 and Context / VS 1?

Is there any document to refer to for intra-EPG communication design using a firewall which I can follow?

Any other useful info would be helpful.

Thanks.


7 Replies

6askorobogatov
Level 1

Could you please explain your design a bit more... that part, for example:

"For example, if a subnet within EPG 1 wants to talk to another subnet within same EPG 1, traffic will hit the firewall and then come back."

That's called EPG micro-segmentation.

                                  !  app server 1
CONTEXT / VS 1  ----- APP EPG ----!  app server 2
                                  !  app server 3

We want to use the firewall for INTRA EPG communication between app server 1, app server 2 and app server 3.

We want to know things on the FW side and about the communication between the EPG and CONTEXT / VS 1, and how to set it up, if you read the Qs in the first post.

ACI uSeg is segmentation in a way similar to PVLAN communities, a layer 2 division that normally cannot use an L3 device for connectivity.
Theoretically you can attach your EPG to a BD with a wider subnet and after that create uSeg EPGs with shorter subnets (let's say your BD is /24 and the uSeg EPGs have devices with /26 for 4 uSeg EPGs), attach the firewall interfaces as static ports to the EPG, somehow get them into the corresponding uSeg EPGs, and make your servers use the FW as a gateway.
IMO a much more practical solution will be to use separate EPGs and BDs with the firewall in between. You can also use L4-L7, but with a 3-leg FW it is also complicated.


Thanks for your reply. So in the above case, for intra-EPG communication using a firewall context, would the connection between the EPG and context be layer 3 or layer 2? Secondly, do we need 2 connections between the context and EPG, one for in traffic and the other for out?

I think you misunderstood me. The above is not a solution, it is a hack. In general, micro-segmentation is not designed for a multi-tier application with a firewall in between.


I think you can use a firewall or load balancer in micro-segmentation.

If you see this article, it says "Insert L4-L7 load balancer or firewall services between micro-segments defined using workload VM or network attributes":

https://blogs.cisco.com/datacenter/microsegmentation-with-cisco-aci


It's a bit different. I believe this blog (and the whitepaper on the topic) talks about contracts with an L4-L7 service graph.
