Contract between 2 EPG with external Default Gateway

Hi.

We're having a discussion, since some managers are reluctant to migrate the default gateways from the Nexus 7k to ACI, given the business impact on their sensitive applications. They were asking about the ability to filter on ACI without migrating the SVIs. It really doesn't make too much sense to me, since I told them that the L3 device will perform the filtering, and we need the gateways on ACI in order to create the contracts between different EPGs.

I even performed a quick test on another tenant, with 2 machines on different EPGs, same bridge domain, with their default gateways on an external device (SVI on the Nexus 7k, static port association on each EPG), and no matter what contract I created, the machines could always communicate with each other. I could create a contract between a machine and its external gateway, and it worked, but I couldn't filter traffic between machines on different EPGs.

They insist there's Cisco documentation that states that it is possible to segment traffic on ACI without having the gateways on the fabric, but I honestly wouldn't think it is possible. Since I'm not 100% sure, I decided to post this discussion here, so anyone could give us their thoughts and ideas. Our aim is to restrict communication between different servers (application-centric model), permitting only what each server needs. Is there a way to do it properly on ACI without moving the SVIs? Any concept, option or feature we don't know about or are missing? It just doesn't make sense to me, since I would think ACI is enforcing an ACL on the underlay, and it would apply it at the gateway; but I wanted to hear opinions from the community.

Thanks!

Fabio.

 

1 Reply

Remi Astruc
Level 1

Hi Fabio,

 

I would really recommend not to do that. There are numerous drawbacks and limitations.

 

You will need to disable L3 Configuration and Unicast Routing in the Bridge Domains. Then you will manage/view all your endpoints by MAC address only. The fabric will not enhance endpoint detection by ARPing for destinations.

Let's assume you have 2 subnets/BDs, A and B. You'll need to create an EPG for SVI A. But because of inter-SVI routing, that EPG will also represent all the endpoints located in subnet B, which are in reality in other EPGs attached to BD B...

Setting a contract between EPG Subnet A and EPG Subnet B will just not work. You'll need EPG A to SVI A, then SVI B to EPG B.

Routing outside the Fabric should really be avoided except using L3Outs.

Your SVI devices will be the bottleneck of your network and will break the scale-out concept of distributed routing.

Forget about VRF Route-Leaking, PBR, ...

And so on...

I'm not even talking about the financial impact of using an ACI fabric with 80% of its features unused.

 

Hope you'll convince your managers for the sake of your network team!

 

Remi Astruc
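The two-hop behaviour Remi describes can be made concrete with a small model of how a leaf classifies each frame into EPGs and looks up zoning rules. This is an added illustration, not APIC code and not something from the thread: the EPG names, MAC addresses, the EPG-SVI-* EPGs holding the N7k SVI MACs, and the simplified contract model (consumer/provider plus (protocol, port) filter entries, with "apply both directions" and "reverse filter ports" behaviour) are all constructed for the example. It shows why an EPG-A to EPG-B contract never matches when the gateway is external, what the working contract chain looks like, and how adding a second unrelated policy through the same SVI EPGs opens host pairs nobody intended.

```python
"""Illustrative model (not APIC code) of how an ACI leaf applies contracts when
the default gateway is an SVI outside the fabric.

Everything here is constructed for the example: EPG names, MAC addresses, the
EPG-SVI-* EPGs that hold the N7k SVI MACs, and the simplified contract model
(consumer/provider plus (protocol, destination port) filter entries, with the
usual "apply both directions" and "reverse filter ports" behaviour).
"""
from dataclasses import dataclass
from itertools import permutations

# Endpoint table as the fabric sees it with Unicast Routing disabled in the BD:
# only MACs are learned, each classified into an EPG by its static path binding.
ENDPOINTS = {
    "00:50:56:aa:00:01": "EPG-A",      # server A1, subnet A
    "00:50:56:bb:00:01": "EPG-B",      # server B1, subnet B
    "00:50:56:bb:00:02": "EPG-B2",     # server B2, subnet B (other EPG, same BD)
    "00:50:56:cc:00:01": "EPG-C",      # server C1, subnet C
    "00:de:ad:07:00:0a": "EPG-SVI-A",  # N7k SVI MAC for subnet A
    "00:de:ad:07:00:0b": "EPG-SVI-B",  # N7k SVI MAC for subnet B
    "00:de:ad:07:00:0c": "EPG-SVI-C",  # N7k SVI MAC for subnet C
}

# Host name -> (host MAC, MAC of the host's default-gateway SVI).
HOSTS = {
    "A1": ("00:50:56:aa:00:01", "00:de:ad:07:00:0a"),
    "B1": ("00:50:56:bb:00:01", "00:de:ad:07:00:0b"),
    "B2": ("00:50:56:bb:00:02", "00:de:ad:07:00:0b"),
    "C1": ("00:50:56:cc:00:01", "00:de:ad:07:00:0c"),
}


@dataclass(frozen=True)
class Contract:
    consumer: str
    provider: str
    entries: tuple  # ((proto, dport), ...)


def zoning_rules(contracts):
    """Expand contracts into the (src_epg, dst_epg, proto, dport, direction)
    rules a leaf would install: consumer->provider on the filter port, plus a
    reverse rule so the provider's replies get back to the consumer."""
    rules = set()
    for c in contracts:
        for proto, dport in c.entries:
            rules.add((c.consumer, c.provider, proto, dport, "fwd"))
            rules.add((c.provider, c.consumer, proto, dport, "rev"))
    return rules


def hop_permitted(rules, src_mac, dst_mac, proto, dport, direction):
    """One L2 hop across the fabric: classify both MACs to EPGs and look up
    the zoning rule. Intra-EPG traffic needs no contract."""
    src_epg, dst_epg = ENDPOINTS[src_mac], ENDPOINTS[dst_mac]
    if src_epg == dst_epg:
        return True
    return (src_epg, dst_epg, proto, dport, direction) in rules


def routed_flow_permitted(contracts, src_host, dst_host, proto, dport):
    """A host-to-host flow routed by the external N7k crosses the fabric twice
    in each direction:
      request: src -> its SVI MAC (hop 1), then dst's SVI MAC -> dst (hop 2)
      reply:   dst -> its SVI MAC,         then src's SVI MAC -> src
    The fabric never sees a frame whose (src EPG, dst EPG) is (EPG-A, EPG-B)."""
    rules = zoning_rules(contracts)
    src_mac, src_gw = HOSTS[src_host]
    dst_mac, dst_gw = HOSTS[dst_host]
    return (hop_permitted(rules, src_mac, src_gw, proto, dport, "fwd")
            and hop_permitted(rules, dst_gw, dst_mac, proto, dport, "fwd")
            and hop_permitted(rules, dst_mac, dst_gw, proto, dport, "rev")
            and hop_permitted(rules, src_gw, src_mac, proto, dport, "rev"))


def reachable_pairs(contracts, proto, dport):
    """Every ordered (client, server) host pair the contract set lets through."""
    return {(s, d) for s, d in permutations(HOSTS, 2)
            if routed_flow_permitted(contracts, s, d, proto, dport)}


# 1. The intuitive contract, EPG-A consuming EPG-B: matches no hop at all.
NAIVE = [Contract("EPG-A", "EPG-B", (("tcp", 443),))]

# 2. What actually passes traffic: each host EPG contracted with its own SVI EPG.
WORKING = [Contract("EPG-A", "EPG-SVI-A", (("tcp", 443),)),
           Contract("EPG-SVI-B", "EPG-B", (("tcp", 443),))]

# 3. Add an unrelated policy (C1 -> B2 on 443) on top of 2. The SVI EPGs stand in
#    for "everything behind the N7k", so A1->B2 and C1->B1 open up as well.
TWO_POLICIES = WORKING + [Contract("EPG-C", "EPG-SVI-C", (("tcp", 443),)),
                          Contract("EPG-SVI-B", "EPG-B2", (("tcp", 443),))]

if __name__ == "__main__":
    print("EPG-A->EPG-B contract, A1->B1:",
          routed_flow_permitted(NAIVE, "A1", "B1", "tcp", 443))
    print("per-SVI contracts, A1->B1:",
          routed_flow_permitted(WORKING, "A1", "B1", "tcp", 443))
    print("pairs reachable on tcp/443 with two policies:",
          sorted(reachable_pairs(TWO_POLICIES, "tcp", 443)))
```

The third case is the practical cost of this design: because the contract on hop 1 is between a host EPG and an SVI EPG, and ACI filters match EPG pairs and L4 ports but not destination IPs, the fabric can no longer express "A1 may reach B1 on 443 but not B2". Real ACI adds more nuance (unknown-unicast flooding settings, intra-EPG isolation, stateful "established" handling) that this model leaves out, but the EPG-pair lookup it shows is the reason Fabio's EPG-to-EPG contract had no effect.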
