Nexus 9000 and Traffic Filtering

Ryan17 · ‎06-29-2015

Hello,

I have a pair of Nexus 9396px switches in NX-OS mode running

I'm wondering if there is a better way to manage ACLs or if ACI mode would allow me to have something closer to FW rules for filtering internal traffic.

dpita · ‎06-30-2015

Hello,

Thank you for using support forums!

I will try to answer your question. ACI definitely can provide a better way to manage ACLs, in essence, by creating a white list approach to communication. In ACI, what is known as a contract will specifically allow communication between 1 group of like devices (an Endpoint Group or EPG) to a second EPG.

Say you only wanted to allow HTTP traffic from one EPG to another, just slap a HTTP contract between them and thats the only open port. This EPG can have multiple VLANs or subnets inside and they can all communicate freely since they are the same EPG, but are restricted to leaving the EPG.

What exactly are you looking for when you talk about traffic filtering if i may ask?

In the mean time, check out these two articles on ACI and contracts

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps13004/ps13460/white-paper-c11-729906_ns1261_Networking_Solutions_White_Paper.html

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010001.html#concept_9241D40AD01249C0992D486359CF4667

Ryan17 · ‎06-30-2015

Thank you for your reply.

Basically, I've been using ACLs to restrict traffic between sites across a private WAN.

And these ACLs have gotten long and unruly.

We are looking into adding some dedicated internal firewalls to facilitate better rule management but I'm just trying to make sure I don't already have a proper way to do this without buying more gear.

I will check out these links. thank you.

Does anyone know of any enterprises that are using ACI in anything more than a LAB / Pilot?