dongfzha
Cisco Employee

Question about ACI connections

Hello everyone, there is a question about ACI that confuses me; I need your help.

In the network design, all devices like firewalls, load balancers, and routers are connected to leaves. Is that just a recommendation, or is it mandatory? Can I connect a router or a firewall to a spine?


Look forward to your reply, thanks.

Accepted Solution
Nik Noltenius
Beginner

Hi,

To my knowledge you cannot connect firewalls or routers to the spine layer. The only exception I'm aware of is if you try to stretch your fabric across multiple DC sites (inter pod network or multi-pod depending on what mood Cisco is in; http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737855.html).

Maybe someone else can give you more details on the reasons but I think it's because only leaf-switches enforce policies and spine switches contain different ASICs dedicated to spine stuff (e.g. they provide a database for End-Point to leaf-switch access-port mapping so you don't need ARP).

Also with a service-leaf (pair) you provide the same latency to your L3-Out from every access port in the network. If you'd connect your router to the spine you would probably not be able to attach them to all your spines as the fabric grows in a scale-out kind of fashion.

Regards,

Nik


2 Replies

Blake Parker
Beginner

Depending on your load, it might be needed to have both dedicated border leafs as well as service leafs. The difference between the two types of leafs is as follows:

Dedicated Border Leaf:  dedicated to L3Out functionality to external L3 devices such as routers or firewalls.

Dedicated Service Leaf:  dedicated to L4-7 functionality to devices such as ADC (load balancer) or IDS/IPS devices.

As far as connectivity of devices to the spine switches directly, the only use case for that is in a multi-pod or multi-site scenario where the IPN (Inter Pod Network) edge routers are connected directly to the spines.
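The two answers above describe a small set of placement rules: external L3 and L4-7 devices hang off leaves (border leaves for routers and firewalls, service leaves for load balancers and IDS/IPS), and the only device that may face a spine is an IPN edge router in a multi-pod or multi-site fabric. The following is an added example, not code from the thread or from Cisco, of a design-rule check that audits a topology description against those rules. The topology format (a dict of device name to role and the links listed from that device's side), the role names, and the sample fabric are all assumptions constructed for this example.

```python
"""Design-rule audit for an ACI-style leaf/spine topology (added example).

Rules encoded from the thread:
  * routers, firewalls, load balancers, IDS/IPS attach to leaf switches, never spines;
  * the one spine attachment allowed is an IPN edge router, and only in a
    multi-pod / multi-site design;
  * a leaf carrying L3Out devices is a "border" leaf, a leaf carrying L4-7
    devices is a "service" leaf (Blake's definitions).
The topology format (device -> {"role": ..., "links": [...]}) is an assumption
made for this example; links are listed from the attached device's side.
"""
from collections import defaultdict

L3OUT_ROLES = {"router", "firewall"}          # devices that belong on a border leaf
L4_7_ROLES = {"load_balancer", "ids", "ips"}   # devices that belong on a service leaf
EXTERNAL_ROLES = L3OUT_ROLES | L4_7_ROLES | {"ipn_router"}


def find_violations(topology, multipod=False):
    """Return sorted (device, spine) pairs that break the 'attach to leaf' rule."""
    violations = []
    for name, dev in topology.items():
        if dev["role"] not in EXTERNAL_ROLES:
            continue
        for peer in dev["links"]:
            if topology[peer]["role"] != "spine":
                continue
            # IPN edge routers may face spines, but only in a multi-pod/multi-site fabric
            if dev["role"] == "ipn_router" and multipod:
                continue
            violations.append((name, peer))
    return sorted(violations)


def classify_leaves(topology):
    """Label each leaf as border, service, both, or compute based on what hangs off it."""
    labels = defaultdict(set)
    for name, dev in topology.items():
        for peer in dev["links"]:
            if topology[peer]["role"] != "leaf":
                continue
            if dev["role"] in L3OUT_ROLES:
                labels[peer].add("border")
            elif dev["role"] in L4_7_ROLES:
                labels[peer].add("service")
    return {
        leaf: sorted(labels[leaf]) or ["compute"]
        for leaf, dev in topology.items()
        if dev["role"] == "leaf"
    }


# Constructed sample fabric for illustration only (not a real deployment)
SAMPLE = {
    "spine1": {"role": "spine", "links": ["leaf1", "leaf2", "leaf3"]},
    "spine2": {"role": "spine", "links": ["leaf1", "leaf2", "leaf3"]},
    "leaf1": {"role": "leaf", "links": ["spine1", "spine2", "fw1", "rtr1"]},
    "leaf2": {"role": "leaf", "links": ["spine1", "spine2", "lb1"]},
    "leaf3": {"role": "leaf", "links": ["spine1", "spine2", "srv1"]},
    "fw1": {"role": "firewall", "links": ["leaf1"]},
    "rtr1": {"role": "router", "links": ["leaf1"]},
    "lb1": {"role": "load_balancer", "links": ["leaf2"]},
    "srv1": {"role": "server", "links": ["leaf3"]},
    # two spine attachments to audit: a firewall (always wrong) and an IPN router
    # (acceptable only when the fabric is multi-pod / multi-site)
    "fw2": {"role": "firewall", "links": ["spine1"]},
    "ipn1": {"role": "ipn_router", "links": ["spine1", "spine2"]},
}

if __name__ == "__main__":
    print("leaf roles:", classify_leaves(SAMPLE))
    print("single-pod violations:", find_violations(SAMPLE))
    print("multi-pod violations:", find_violations(SAMPLE, multipod=True))
```

Run as a script, the audit reports leaf1 as a border leaf, leaf2 as a service leaf and leaf3 as a plain compute leaf; the spine-attached firewall is flagged in both modes, while the IPN router is flagged only when the fabric is declared single-pod.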