
ACI New Deployment

arif.malik38
Level 1

Hello Cisco ACI Experts,

I have a few questions regarding ACI, as we are deploying it for the first time in our DC.

We will have a mini setup of 2x spine and 4x leaf (2x for the server farm & 2x border leafs).

Firepower 4100 as DC firewall.

For the LAN campus we have Cat-6800 and access switches Cat-9300.

My questions are:

1 - Where should we create the LAN campus user SVIs, in ACI or in the Cat-6800? (The requirement is that user VLANs should not communicate with each other.)

2 - For servers (e.g. VMs) that reside in the ACI network, should we create their SVIs in ACI or at the Firepower? What is the best practice?

Thanks & Regards,

8 Replies

balaji.bandi
Hall of Fame

There is a good read to understand where you can integrate ACI with your existing network and also secure the DC environment:

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737909.html

BB


The usual answer is 'it all depends'.

  1. For your LAN, I would never extend your VLANs/subnets to ACI.
    It is not recommended to extend the failure domain of your LAN to your DC.
    You have decent equipment in your LAN; you can deploy multiple isolation techniques over there.

    Personally I would go for macro segmentation based on VRFs separated by your firewall; inside the VRFs I would deploy micro segmentation based on SGT. (Firepower is also capable of filtering on SGT, so you can also benefit from that.)

  2. Both are possible; if it's a new deployment I would 100% put the default gateway in ACI.
    ACI is intended to work this way. You can then benefit from all ACI features.
    If you need next-generation firewall services between 2 EPGs, you can insert the Firepower by using a service graph.

Hello Bram,

Thanks for the reply!

1 - Segmentation based on VRFs: does that mean a separate VRF for each VLAN (e.g. department), or one VRF for all VLANs and then separation based on SGTs? Please explain.

2 - I agree with you on ACI as the gateway; otherwise we will lose the features of ACI.

One question from a design perspective: should I create multiple tenants, or is one tenant enough?

What is the reason people deploy multiple tenants in an ACI environment?

Regards,

Hi @arif.malik38,

For your campus LAN, he means several VRFs, one for each department (or building, or high-level security zone, ...). Each VRF has an uplink to the L7 FW, which controls inter-zone traffic. Intra-VRF traffic can be controlled with ACLs or SGTs.

For the ACI part, from a technical perspective, the high-level isolation is made with VRFs. A tenant is just a container of VRF(s), but it allows better manageability (all VRF-attached objects are under the same tree), easier cloning or deletion of a VRF and its subtree, and more granularity for role-based access to your fabric resources. Using tenants also scales better because of some limits per tenant (e.g. max number of EPGs, number of L4-L7 devices, etc.).

Remi Astruc

As per @Remi, I also recommend creating multiple tenants for your fabric.

This will be very helpful for you to manage the fabric and also better for future enhancements of your fabric and network.

Thanks Remi,

Another question: where should I connect the perimeter firewalls (Internet/WAN)? Directly to the border leafs, or to the campus core (Cat-6800)?

As per the Cisco CVD, the WAN or Internet connects directly to the ACI border leaf switches. But in some ACI books I can see the WAN/Internet connecting to the campus core switch. What is the best practice for this?

Regards,

micgarc2
Cisco Employee

This is entirely up to you, whether you want ACI to serve as the default GW for the LAN users or not. If you choose inside, you can construct your EPGs/BDs in a way that the VLANs are isolated and would only be able to communicate through the contracts associated with them.

alieson
Level 1

1 - Where should we create the LAN campus user SVIs, in ACI or in the Cat-6800:

Option 1: Put the SVIs on the 6800 and control the traffic by using an ACL under each SVI.

Option 2: Put the SVIs on the Firepower and control the traffic by using an ACL under each SVI.

Option 3: Put the SVIs on ACI, and east-west traffic will be controlled by contracts, since ACI is a whitelist model.

2 - For servers (e.g. VMs) that reside in the ACI network, should we create their SVIs in ACI or at the Firepower? What is the best practice?:

Option 1: Put the SVIs on ACI; then east-west traffic will be controlled by contracts and north-south traffic will be controlled by the Firepower.

Option 2: Put the SVIs on the Firepower, and all filtering will be at the firewall level, but you will lose most of the ACI features, which makes it unreasonable to deploy an ACI fabric then.
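The whitelist model that Bram's point 2 and alieson's Option 3 / Option 1 rely on (EPGs in the same VRF cannot talk unless a contract is consumed on one side and provided on the other) is easy to sanity-check on paper before touching the APIC. The script below is an added example, not code from this thread or from Cisco; it models EPGs, VRFs, contracts and filter entries just far enough to answer "which EPG pairs can talk, and on which ports" for a constructed design: two campus user EPGs that must stay isolated, a shared DNS EPG, a web farm, and a lab EPG in a VRF of its own. All EPG, VRF and contract names are invented for the example, and the model assumes the APIC defaults (contract applied in both directions with reverse filter ports, so only the consumer initiates), no inter-VRF route leaking, no vzAny, no taboo contracts and no preferred groups.

```python
# Added example (not from the thread): a minimal model of the ACI whitelist
# contract model, used to check which EPGs can talk before the fabric is built.
# Assumptions: consumer -> provider initiation only (APIC default "apply both
# directions" + "reverse filter ports" covers return traffic), no inter-VRF route
# leaking, no vzAny, no taboo contracts, no preferred groups.
from dataclasses import dataclass, field
from itertools import permutations
from typing import Optional


@dataclass(frozen=True)
class FilterEntry:
    protocol: str                 # "tcp", "udp" or "any"
    dport: Optional[int] = None   # destination port; None means any port

    def matches(self, protocol: str, dport: int) -> bool:
        return (self.protocol in ("any", protocol)
                and (self.dport is None or self.dport == dport))


@dataclass
class Contract:
    entries: tuple                                # FilterEntry instances (the filter)
    providers: set = field(default_factory=set)   # EPG names providing the contract
    consumers: set = field(default_factory=set)   # EPG names consuming the contract


class Fabric:
    def __init__(self):
        self.vrf_of = {}      # EPG name -> VRF name
        self.contracts = {}   # contract name -> Contract

    def add_epg(self, name: str, vrf: str):
        self.vrf_of[name] = vrf

    def add_contract(self, name: str, *entries: FilterEntry):
        self.contracts[name] = Contract(entries)

    def provide(self, epg: str, contract: str):
        self.contracts[contract].providers.add(epg)

    def consume(self, epg: str, contract: str):
        self.contracts[contract].consumers.add(epg)

    def allowed(self, src: str, dst: str, protocol: str, dport: int) -> bool:
        """True if src may initiate protocol/dport towards dst under the whitelist model."""
        if src == dst:
            return True   # intra-EPG traffic is permitted unless intra-EPG isolation is enabled
        if self.vrf_of[src] != self.vrf_of[dst]:
            return False  # different VRFs: no path at all without route leaking (assumed absent)
        return any(
            src in c.consumers and dst in c.providers
            and any(e.matches(protocol, dport) for e in c.entries)
            for c in self.contracts.values()
        )

    def any_flow(self, src: str, dst: str) -> bool:
        """True if some contract lets src initiate anything at all towards dst."""
        if src == dst:
            return True
        if self.vrf_of[src] != self.vrf_of[dst]:
            return False
        return any(src in c.consumers and dst in c.providers and c.entries
                   for c in self.contracts.values())

    def isolation_violations(self, epgs) -> list:
        """Ordered (src, dst) pairs among epgs that can talk; an empty list means isolated."""
        return [(s, d) for s, d in permutations(epgs, 2) if self.any_flow(s, d)]


def build_sample_fabric() -> Fabric:
    """Constructed sample design: campus user EPGs, shared DNS and a web farm in one
    VRF, plus a lab EPG in its own VRF. Names are invented for this example."""
    f = Fabric()
    for epg in ("hr-users", "finance-users", "shared-dns", "web-farm"):
        f.add_epg(epg, "campus-vrf")
    f.add_epg("lab-vlan", "lab-vrf")   # separate VRF, nothing leaked between them
    f.add_contract("dns", FilterEntry("udp", 53), FilterEntry("tcp", 53))
    f.add_contract("https", FilterEntry("tcp", 443))
    f.provide("shared-dns", "dns")
    f.provide("web-farm", "https")
    for users in ("hr-users", "finance-users"):
        f.consume(users, "dns")        # both departments may resolve names
    f.consume("hr-users", "https")     # only HR may reach the web farm
    return f


if __name__ == "__main__":
    fab = build_sample_fabric()
    print("user EPG pairs that can talk:", fab.isolation_violations(["hr-users", "finance-users"]))
    print("hr-users -> shared-dns udp/53:", fab.allowed("hr-users", "shared-dns", "udp", 53))
    print("shared-dns -> hr-users tcp/22:", fab.allowed("shared-dns", "hr-users", "tcp", 22))
```

Because both user EPGs only consume contracts and neither provides one, `isolation_violations` returns an empty list, which is exactly the "user VLANs must not communicate with each other" requirement from the original question expressed in contract terms; adding a consume relation on `finance-users` for `https` opens one flow without touching HR, which is the per-pair granularity an SVI-plus-ACL design on the 6800 has to reproduce by hand.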
