DMZ GW and Microsegmentation

neroshake
Level 1

Hello!

I am planning to put my DMZ network in a separate VRF in the Common tenant, and I also need to implement microsegmentation within the DMZ (in fact Intra EPG isolation works fine, since the VMs within the DMZ should not talk to each other at all). The DMZ GW is a Firepower interface outside of the fabric. So the machines inside the DMZ shouldn't be able to talk to each other, but they should be able to reach their gateway, which is a Firepower outside of the fabric. What is the best way to accomplish this? I am thinking of two options:

1. Put GW in separate EPG as statically deployed to Leaf/Path and allow all traffic between EPGs using contracts.
2. Put GW in the same DMZ EPG and enforce intra EPG contracts.

Maybe there are other more recommended options?

Thank you!
Nero


Sergiu.Daniluk
VIP Alumni

Hi,

If ALL your existing and future VMs from the DMZ network do not need to communicate between them, then the easiest solution, in my opinion, is option 1: enable Intra EPG isolation and configure the DMZ GW in a different EPG. Of course, in this situation you need to be aware that you cannot have your GW connected to the same leaf where your servers are, assuming that the same VLAN encap is used. Well, not entirely true, as you can use VLAN Port Local Scope, but still something you need to keep in mind.


Regards,

Sergiu

Hi Sergiu,
Unfortunately the GW will be connected to the same leaf where servers are, because I have just two leaves and servers are connected to VPC.

Is there any other option to consider? Right now none of systems will need to communicate with another in DMZ but in future there can be a case. So I would appreciate any other recommended options as well.
Thanks!
Nero.


@neroshake wrote:
Hi Sergiu,
Unfortunately the GW will be connected to the same leaf where servers are, because I have just two leaves and servers are connected to VPC.

Solution for this is simple - VLAN Port Local Scope. This allows different ports on the same leaf to use the same VLAN mapped to different EPGs.



Right now none of systems will need to communicate with another in DMZ but in future there can be a case. So I would appreciate any other recommended options as well.

uSeg EPGs might then be a better solution. You can use uSeg EPGs both for endpoints connected to a Physical Domain (your GW), which you can classify based on IP or MAC address, and for endpoints connected to VMM domains, which you can classify based on IP, MAC or VM attributes. So you can create 3 uSeg EPGs: GW_uEPG, Restricted_uEPG (with Intra EPG isolation enforced - here you will classify the VMs which do not need to communicate between them) and Unenforced_uEPG (with Intra EPG isolation unenforced - for the future VMs which will require to communicate between them). Then you can control the communication between the uSeg EPGs with contracts.


Hope it helps,

Sergiu
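As an added illustration (not code from the thread or from Cisco) of the three-uSeg-EPG design described above, the following builds the APIC REST payload for it and checks the design invariants offline. It assumes the tenant "common" from the question, placeholder application profile, bridge domain and contract names, and constructed MAC/IP addresses; attribute names follow the APIC object model (fvAEPg, fvCrtrn, fvIpAttr, fvMacAttr, fvRsProv, fvRsCons).

```python
TENANT = "common"                                 # DMZ VRF lives in the common tenant
AP, BD, CONTRACT = "DMZ", "DMZ_BD", "DMZ_to_GW"   # assumed names (placeholders)

def ip_attr(name, ip):        # uSeg IP criterion (physical or VMM domain)
    return {"fvIpAttr": {"attributes": {"name": name, "ip": ip}}}

def mac_attr(name, mac):      # uSeg MAC criterion
    return {"fvMacAttr": {"attributes": {"name": name, "mac": mac}}}

def useg_epg(name, isolation, criteria, provides=(), consumes=()):
    """fvAEPg with isAttrBasedEPg=yes is a uSeg EPG; pcEnfPref is Intra EPG isolation."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": BD}}},
                {"fvCrtrn": {"attributes": {"name": "default"}, "children": list(criteria)}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name, "isAttrBasedEPg": "yes",
                                      "pcEnfPref": isolation}, "children": children}}

def build_dmz_design():
    """Application profile with the three uSeg EPGs from the thread.
    Domain associations (fvRsDomAtt) are omitted; all addresses are constructed."""
    gw = useg_epg("GW_uEPG", "unenforced",          # Firepower outside interface
                  [mac_attr("fpr_mac", "00:11:22:33:44:55"), ip_attr("fpr_ip", "10.10.10.1")],
                  provides=[CONTRACT])
    restricted = useg_epg("Restricted_uEPG", "enforced",   # VMs that must not talk to each other
                          [ip_attr("vm1", "10.10.10.11"), ip_attr("vm2", "10.10.10.12")],
                          consumes=[CONTRACT])
    future = useg_epg("Unenforced_uEPG", "unenforced",     # future VMs that may talk to each other
                      [ip_attr("vm3", "10.10.10.21")], consumes=[CONTRACT])
    return {"fvAp": {"attributes": {"name": AP, "dn": f"uni/tn-{TENANT}/ap-{AP}"},
                     "children": [gw, restricted, future]}}

def check_design(ap):
    """Return the violated design invariants (an empty list means the design is sound)."""
    epgs = {e["fvAEPg"]["attributes"]["name"]: e["fvAEPg"] for e in ap["fvAp"]["children"]}
    problems = [f"{n}: not a uSeg EPG" for n, e in epgs.items()
                if e["attributes"].get("isAttrBasedEPg") != "yes"]
    if epgs["Restricted_uEPG"]["attributes"]["pcEnfPref"] != "enforced":
        problems.append("Restricted_uEPG: Intra EPG isolation must be enforced")
    provided = {c["fvRsProv"]["attributes"]["tnVzBrCPName"]
                for c in epgs["GW_uEPG"]["children"] if "fvRsProv" in c}
    for name in ("Restricted_uEPG", "Unenforced_uEPG"):
        consumed = {c["fvRsCons"]["attributes"]["tnVzBrCPName"]
                    for c in epgs[name]["children"] if "fvRsCons" in c}
        if not consumed & provided:
            problems.append(f"{name}: no contract to reach the GW")
    return problems
```

The resulting fvAp dictionary can be serialised with json.dumps and posted to the APIC once domain associations are added; check_design is the guard to run before doing so.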

Thank you Sergiu!
As I understand in case of uSeg there is no need for VLAN Port Local Scope, right?

Best,
Nero

No need

Hi @neroshake , @Sergiu.Daniluk ,

Not exactly.

Option 1 is fully supported with Vlan Scope Global as long as you set a different Encap Vlan in EPG GW and in EPG Servers.

Remi Astruc

Hi @Remi-Astruc 

I presumed that the same VLAN encap is used for DMZ servers and GW, that's why I mentioned Scope Local :-) But looking back to the original question, DMZ servers are VMs, which means most likely a VMM domain => different VLAN encap. If there are also physical servers, there is a high possibility to have the same VLAN encap present.

Anyway, for the current and future constraints, uSeg EPGs are the right approach.


Cheers,

Sergiu

Hi @Sergiu.Daniluk ,

OK but that's not really the point. Let me rephrase it differently:

Option 1 is fully supported with Vlan Scope Global as long as you set an Encap Vlan in EPG "GW" which is different from the Encap Vlan in EPG "Servers". No matter what server types are.

The other assumptions you make can be discussed, but they are out of the initial topic I guess.


Remi Astruc

Hi @Remi-Astruc 


@Remi-Astruc wrote:

Option 1 is fully supported with Vlan Scope Global as long as you set an Encap Vlan in EPG "GW" which is different from the Encap Vlan in EPG "Servers". No matter what server types are.


Correct. That's how EPG-VLAN mapping works with global VLAN scope. But once again, in practice, your servers will be in the same VLAN as their gateways (most of the time). So generally speaking, if you have only one leaf and you want to separate the GW and servers in different EPGs, then global scope does not help.


Cheers,

Sergiu
