Hi Ziad

Ziad El Achkouty · ‎01-12-2017

Hello,

I integrated ASAv with ACI and applied it between two EPGs each in a different BD and with a different subnet. Whenever I set the default gateway of the endpoints to the ASAv the ping between the two EPGs works however, when i set the default gateway as the ACI, the ping between the two EPGs doesn't work and the traffic isn't redirected to the ASAv

Shouldn't the default gateway always be the ACI?

Gaurav Gambhir · ‎01-12-2017

ACI as Default Gateway will only work if ASA is natting for the server EPG subnet in the middle.

Consumer will use a local local ip address within the subnet which ASA will nat, so ASA doesn't have to be the default gateway for the client.

refer :

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Service_Graph_Deployment_Guide/b_L4L7_Service_Graph_Deploy_ver122g/b_L4L7_Service_Graph_Deploy_ver122x_chapter_0110.html#d21175e411a1635

If you want to have ACI as default gateway and no nat on ASA, consider route-peering mode.

refer:

http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/200407-L4-L7-Route-Peering-with-Transit-Fabric.html

Ziad El Achkouty · ‎01-13-2017

doesn't route peering require L3 out ?

Gaurav Gambhir · ‎01-13-2017

Yes Ziad, route-peering requires L3out to the ASA.

Vahid Tavajjohi · ‎01-23-2017

Hi Ziad

if you don't want use L3out, you can use PBR instead and bring your ASA between EPGs. and don't forget enable BD unicast routing in this case.

Regards

Default Gateway ASAv