Hello Cisco ACI Experts,
I have a few questions regarding ACI, as we are deploying it for the first time in our DC.
We will have a mini setup with 2x spine and 4x leaf (2x for the srv farm & 2x border leafs).
Firepower 4100 as the DC firewall.
For the LAN campus we have Cat-6800 and Cat-9300 access switches.
My questions are:
1 - Where should we create the LAN campus user SVIs, in ACI or in the Cat-6800? (The requirement is that user VLANs should not communicate with each other.)
2 - For servers (e.g. VMs) that reside in the ACI network, should we create their SVIs in ACI or at the Firepower? What is the best practice?
Thanks & Regards,
There is good reading to understand where you can integrate ACI with the existing network while also securing the DC environment.
The usual answer is 'it all depends'.
Thanks for the reply!
1 - Segmentation based on VRFs: does that mean a separate VRF for each VLAN (e.g. department), or one VRF for all VLANs and then separation based on SGTs? Please explain.
2 - I agree with you on ACI as the gateway; otherwise we will lose the features of ACI.
One question from a design perspective: should I create multiple tenants, or is one tenant enough?
What is the reason people deploy multiple tenants in an ACI environment?
Hi @arif.malik38 ,
For your campus LAN, he means several VRFs, one for each department (or building, or high-level security zone, ...). Each VRF has an uplink to the L7 FW, which controls inter-zone traffic. Intra-VRF traffic can be controlled with ACLs or SGTs.
For the ACI part, from a technical perspective, the high-level isolation is made with VRFs. A tenant is just a container of VRF(s), but it allows better manageability (all VRF-attached objects are under the same tree), easier cloning or deletion of a VRF and its subtree, and more granularity for role-based access to your fabric resources. Using tenants also scales better because of some per-tenant limits (e.g. max number of EPGs, number of L4-L7 devices, etc.).
Another question: where should I connect the perimeter firewalls (Internet/WAN)? Directly to the border leafs, or to the campus core (Cat-6800)?
As per the Cisco CVD, the WAN or Internet connects directly to the ACI border leaf switches. But in some ACI books I can see WAN/Internet connecting to the campus core switch. What is the best practice for this?
This is entirely up to you, whether you want ACI to serve as the default GW for the LAN users or not. If you choose inside, you can construct your EPGs/BDs in a way that VLANs are isolated and would only be able to communicate via the contracts associated with them.
1 - Where should we create the LAN campus user SVIs, in ACI or in the Cat-6800?
Option 1: Put the SVIs on the 6800 and control the traffic by using an ACL under each SVI.
Option 2: Put the SVIs on the Firepower and control the traffic by using an ACL under each SVI.
Option 3: Put the SVIs on ACI, and east-west traffic will be controlled by contracts, since ACI is a whitelist model.
2 - For servers (e.g. VMs) that reside in the ACI network, should we create their SVIs in ACI or at the Firepower? What is the best practice?
Option 1: Put the SVIs on ACI; then east-west traffic will be controlled by contracts and north-south traffic will be controlled by the Firepower.
Option 2: Put the SVIs on the Firepower and do all filtering at the firewall level, but you will lose most ACI features, which makes it unreasonable to deploy an ACI fabric at all.
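As an added illustration of Option 3 / Option 1 above (constructed for this thread, not from any poster here; all tenant, VRF, BD, EPG names and prefixes are made up), this is an APIC REST payload (POST to /api/mo/uni.json) that puts the user gateways on ACI: one VRF, a bridge domain per user VLAN, two user EPGs with no contract between them, and a shared-services EPG they may reach on TCP/443 only. Because ACI is whitelist, EPG-HR and EPG-Finance cannot talk to each other, and consumers of the same contract are not permitted to talk to each other either; only the provided HTTPS path to EPG-SharedWeb is opened.

```json
{"fvTenant": {"attributes": {"name": "Campus"}, "children": [
  {"fvCtx": {"attributes": {"name": "Users-VRF"}}},

  {"fvBD": {"attributes": {"name": "BD-HR", "unicastRoute": "yes"}, "children": [
    {"fvRsCtx": {"attributes": {"tnFvCtxName": "Users-VRF"}}},
    {"fvSubnet": {"attributes": {"ip": "10.10.1.1/24", "scope": "private"}}}]}},

  {"fvBD": {"attributes": {"name": "BD-Finance", "unicastRoute": "yes"}, "children": [
    {"fvRsCtx": {"attributes": {"tnFvCtxName": "Users-VRF"}}},
    {"fvSubnet": {"attributes": {"ip": "10.10.2.1/24", "scope": "private"}}}]}},

  {"fvBD": {"attributes": {"name": "BD-Services", "unicastRoute": "yes"}, "children": [
    {"fvRsCtx": {"attributes": {"tnFvCtxName": "Users-VRF"}}},
    {"fvSubnet": {"attributes": {"ip": "10.10.100.1/24", "scope": "private"}}}]}},

  {"vzFilter": {"attributes": {"name": "https-only"}, "children": [
    {"vzEntry": {"attributes": {"name": "tcp-443", "etherT": "ip", "prot": "tcp",
                                "dFromPort": "443", "dToPort": "443"}}}]}},

  {"vzBrCP": {"attributes": {"name": "shared-web", "scope": "context"}, "children": [
    {"vzSubj": {"attributes": {"name": "https"}, "children": [
      {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "https-only"}}}]}}]}},

  {"fvAp": {"attributes": {"name": "Users"}, "children": [
    {"fvAEPg": {"attributes": {"name": "EPG-HR"}, "children": [
      {"fvRsBd": {"attributes": {"tnFvBDName": "BD-HR"}}},
      {"fvRsCons": {"attributes": {"tnVzBrCPName": "shared-web"}}}]}},
    {"fvAEPg": {"attributes": {"name": "EPG-Finance"}, "children": [
      {"fvRsBd": {"attributes": {"tnFvBDName": "BD-Finance"}}},
      {"fvRsCons": {"attributes": {"tnVzBrCPName": "shared-web"}}}]}},
    {"fvAEPg": {"attributes": {"name": "EPG-SharedWeb"}, "children": [
      {"fvRsBd": {"attributes": {"tnFvBDName": "BD-Services"}}},
      {"fvRsProv": {"attributes": {"tnVzBrCPName": "shared-web"}}}]}}]}}
]}}
```

North-south traffic in this design still leaves the fabric through an L3Out toward the Firepower, which is not shown here; adding a second user VLAN is a matter of one more BD and EPG with no contract, and it stays isolated by default.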