cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
334
Views
30
Helpful
8
Replies
Beginner

ACI New Deployment

Hello Cisco ACI Experts,

I have few questions regarding ACI as we are deploying it first time in our DC.

We will have mini 2xspine and 4x leaf (2x for srv farm & 2x border leafs)

Firepower 4100 as DC firewall

For LAN campus we have Cat-6800 and access switches cat-9300

My questions are

1 - Where we should create LAN campus users SVIs in ACI or in Cat-6800 ? (requirement is that users vlans should not communicate to each other)

2 - For Servers (e.g VMs) that resides in ACI network should we create there SVIs in ACI or at Firepower. What is the best practices?

 

Thanks & Regards,

8 REPLIES 8
VIP Advisor

Re: ACI New Deployment

There is good reading to understand where you can integrate with exiting network with ACI also securing the DC environment

 

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737909.html

BB
*** Rate All Helpful Responses ***
Highlighted

Re: ACI New Deployment

The usual answer is 'it all depends'.

 

  1. For your LAN, I would never extend your VLANs/Subnets to ACI.
    It is not recommended to extend the failure domain of your LAN to your DC.
    You have decent equipment in your LAN, you can deploy multiple isolation techniques over there.

    Personally I would go for macro segmentation based on VRFs separated by your Firewall, inside the VRFs I would deploy micro segmentation based on SGT. (Firepower is also capable to filter on SGT, so you can also benefit from that.

  2. Both are possible, if it's a new deployment I would 100% put the default gateway in ACI.
    ACI is intended to work this way. You can then benefit from all ACI features.
    If you need next generation firewall services between 2 EPG's you can insert the firepower by using a service graph.
Beginner

Re: ACI New Deployment

Hello Bram,

 

Thanks for the reply!

 

1 - segmentation based on VRFs - does that means separate vrf for each VLAN(e.g department) or one vrf for all VLANs and then separation based on SGTs. Please explain.

 

2 - I agree with you for ACI as Gateway otherwise will lose features of ACI.

One questions from design perspective. Should i create multiple tenants or one tenant is enough?

What is the reason people deploy multiple tenants in an ACI enviroment?

 

Regards,

Beginner

Re: ACI New Deployment

Hi @arif.malik38 ,

For your Campus LAN, he means several VRFs, one for each departement (or building, or high level security zones, ...). Each VRF has uplink to the L7 FW, which controls inter-zone traffic. Intra-VRF traffic can be controled with ACLs or SGTs.

For the ACI part, from a technical perspective, the high level isolation is made with VRFs. A tenant is just a container of VRF(s), but is allows better manageability (all VRF-attached objects are under the same tree), easier cloning or deletion of VRF and subtree, and more granularity for Role-based Access to your Fabric resources. Using tenants also scales better because of some limits per tenant (e.g. max nb of EPGs, nb of L4-L7 device, etc...)

 

Remi Astruc

Re: ACI New Deployment

As per the @Remi I also recommended to create multiple tenets for your
fabric.

This will very help full for you to manage the fabric and also better to
future enhancements of your fabric and network.
Beginner

Re: ACI New Deployment

Thanks Remi,

 

Another question where should i connect Perimeter firewalls (internet/WAN). Direct to Border Leafs or to Campus Core (Cat-6800).

As per Cisco CVD WAN or Internet connects directly to ACI Border leaf switches. But in some ACI books i can see WAN/Internet is connecting to Campus Core Switch. What is the best practice for this?

 

Regards,

Cisco Employee

Re: ACI New Deployment

This is entirely up to you whether you want ACI to serve as the default GW or not for the LAN users. If you choose inside you can construct your EPGs/BDs in a way that VLANs are isolated and would only be able to communicate with contracts associated. 

Beginner

Re: ACI New Deployment

1 - Where we should create LAN campus users SVIs in ACI or in Cat-6800 :

option 1 : Put SVIs on 6800 and control the traffic by using ACL under each SVI.

option 2 : Put SVIs on FirePower and control the traffic by using ACL under each SVI.

option 3 : put SVIs on ACI and East - West traffic will be controlled by Contract since ACI is white List Model.

 

 

2 - For Servers (e.g VMs) that resides in ACI network should we create there SVIs in ACI or at Firepower. What is the best practices? :

Option 1 :  Put SVIs on ACI then east-West Traffic will be controlled by Contracts and North-South Traffic will be controlled by FirePower.

Option 2 : Put SVIs on FirePower  and all filtration will be on FireWall Level. but you will lose most of ACI features which will be not reasonable to Deploy ACI Fabric then.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards