ACI L4-L7 service graph re-direct

sandevsingh
Level 1

Hi folks, I am trying to understand ACI's L4-L7 service graph redirection. The use case is, let's say that the external EPG needs to talk to the WEB EPG, but traffic needs to be inspected and filtered by an ASAv firewall (unmanaged node in ACI). So you would insert the service graph that contains the defined ASAv node in the contract. Note: the WEB EPG has its default gateway/subnet configured under its BD (which basically means on the ACI leafs).

So how can you have the firewall inspect and filter the traffic if it is not the default gateway for the Web EPG/VLAN? Where would you apply the ACL?

Thnx


Ziga M
Level 1

As your title suggests, you insert a redirect service graph and the leaf will redirect traffic to the FW. The FW can be one-arm or two-arm; one-arm is simpler from a routing perspective. If you have "old" switches (non-EX, non-FX), traffic needs to pass the leaf, meaning you can't have the L3Out, service node and Web EPG on the same leaf.
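To make the answer concrete, here is a small model of what a policy-based-redirect (PBR) leaf does with the traffic described in the question. This is an added example written for this thread, not code from the original post or from Cisco: the EPG names, leaf names, IP addresses and MAC addresses are constructed, and the leaf logic is a simplification (an external L3Out host is represented as an endpoint entry, and "came back from the firewall" is recognised by source MAC). It shows why the firewall never needs to be the Web EPG's default gateway: the leaf matches the contract, keeps the destination IP, rewrites the destination MAC to the firewall interface in the service BD, and forwards the inspected packet normally once it returns. It also encodes the first-generation leaf placement rule from the reply as a configuration check.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str


@dataclass(frozen=True)
class FwInterface:
    """A redirect destination: FW interface IP/MAC, its service BD and the leaf it hangs off."""
    ip: str
    mac: str
    bd: str
    leaf: str


@dataclass(frozen=True)
class RedirectGraph:
    """Redirect service graph. One-arm: both directions hit the same FW interface;
    two-arm: consumer->provider and provider->consumer use different interfaces."""
    consumer_conn: FwInterface
    provider_conn: FwInterface

    @property
    def one_arm(self):
        return self.consumer_conn == self.provider_conn

    @property
    def macs(self):
        return {self.consumer_conn.mac, self.provider_conn.mac}


@dataclass(frozen=True)
class Contract:
    consumer_epg: str
    provider_epg: str
    graph: Optional[RedirectGraph] = None  # None = plain permit, no redirect


@dataclass(frozen=True)
class Endpoint:
    epg: str
    leaf: str
    bd: str


class Fabric:
    """Simplified leaf forwarding: classify by EPG, look up the contract, redirect if a graph is attached."""

    def __init__(self, first_generation_leafs=()):
        self.first_gen = set(first_generation_leafs)  # non-EX/non-FX leafs
        self.endpoints = {}                           # ip -> Endpoint
        self.contracts = []

    def learn(self, ip, epg, leaf, bd):
        self.endpoints[ip] = Endpoint(epg, leaf, bd)

    def add_contract(self, contract):
        self.contracts.append(contract)

    def _lookup(self, src_epg, dst_epg):
        for c in self.contracts:
            if (c.consumer_epg, c.provider_epg) == (src_epg, dst_epg):
                return c, "consumer_to_provider"
            if (c.provider_epg, c.consumer_epg) == (src_epg, dst_epg):
                return c, "provider_to_consumer"
        return None, None

    def forward(self, pkt):
        src, dst = self.endpoints.get(pkt.src_ip), self.endpoints.get(pkt.dst_ip)
        if src is None or dst is None:
            return {"action": "drop", "reason": "unknown endpoint"}
        contract, direction = self._lookup(src.epg, dst.epg)
        if contract is None:
            return {"action": "drop", "reason": "no contract"}  # ACI default: deny
        if contract.graph is None:
            return {"action": "forward", "dst_ip": pkt.dst_ip, "bd": dst.bd, "inspected": False}
        if pkt.src_mac in contract.graph.macs:
            # Returned by the FW: already inspected, route to the real destination BD.
            return {"action": "forward", "dst_ip": pkt.dst_ip, "bd": dst.bd, "inspected": True}
        fw = (contract.graph.consumer_conn if direction == "consumer_to_provider"
              else contract.graph.provider_conn)
        # PBR: destination IP untouched, destination MAC rewritten to the FW interface.
        return {"action": "redirect", "dst_ip": pkt.dst_ip, "dst_mac": fw.mac, "bd": fw.bd}

    def check_placement(self, contract):
        """First-generation leafs: the FW interface must not share a leaf with consumer/provider endpoints."""
        problems = []
        if contract.graph is None:
            return problems
        fw_leafs = {contract.graph.consumer_conn.leaf, contract.graph.provider_conn.leaf}
        for ip, ep in self.endpoints.items():
            if (ep.epg in (contract.consumer_epg, contract.provider_epg)
                    and ep.leaf in fw_leafs and ep.leaf in self.first_gen):
                problems.append(f"{ep.epg} endpoint {ip} shares first-generation leaf {ep.leaf} with the FW")
        return problems


# Constructed sample topology (hypothetical names and addresses).
FW_MAC = "00:00:0c:9f:f0:01"
GW_MAC = "00:22:bd:f8:19:ff"  # ACI's default pervasive gateway MAC


def build_fabric(fw_leaf="leaf103", first_generation_leafs=()):
    fab = Fabric(first_generation_leafs)
    fab.learn("192.0.2.50", "External-EPG", "leaf102", "BD-L3Out")  # L3Out host, simplified
    fab.learn("10.1.1.10", "Web-EPG", "leaf101", "BD-Web")
    fab.learn("10.2.2.20", "App-EPG", "leaf101", "BD-App")
    fw = FwInterface("10.9.9.1", FW_MAC, "BD-Svc", fw_leaf)
    fab.add_contract(Contract("External-EPG", "Web-EPG", RedirectGraph(fw, fw)))  # one-arm ASAv
    return fab


if __name__ == "__main__":
    fab = build_fabric()
    print(fab.forward(Packet("192.0.2.50", "10.1.1.10", "00:00:00:00:00:aa", GW_MAC)))
    print(fab.forward(Packet("192.0.2.50", "10.1.1.10", FW_MAC, GW_MAC)))
```

The ACL therefore belongs on the ASAv interface in the service BD: every contract-matched packet in both directions is delivered to that interface by the leaf, regardless of which BD owns the Web subnet's gateway. Running `check_placement` with the firewall on the same first-generation leaf as a Web endpoint reports the unsupported layout the reply warns about, while the same layout on EX/FX leafs passes.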
