04-24-2019 09:23 AM
I'm sure there's something I don't understand or am missing, but here goes: I have one Tenant (TEST), one VRF (TEST), one AP with epg314 (VLAN 314) and one AP with epg315 (VLAN 315). I also have 2 BDs, bd314 and bd315, in VRF TEST. I also configured an external routed network with a static route towards an HA FW, configured with vPC and using VLAN 3102. In the FW log, I can see traffic from epg314 to the firewall, and also from epg315 to the firewall. Both EPGs consume a contract for using the L3Out, and the L3Out provides that contract. I know that I can have a contract saying that epg314 and epg315 can communicate. But I want traffic between the 2 EPGs to go through the firewall. However, I cannot see traffic between epg314 and epg315 hitting the firewall. So this traffic must be stopped within the tenant. How can I make the EPGs communicate through the firewall?
04-25-2019 01:39 AM
Hello,
While your 2 BDs are attached to the same VRF, you have no chance to route traffic from one to the other via an L3Out. That's also true in traditional networking.
2 options for that:
- Split the VRF and L3Out into 2, one VRF for each BD, each having an L3Out to the FW
- Use Service Graph PBR integrating your FW, but that would need a complete redesign of your infra, with the FW in a BD
Otherwise forget about controlling this traffic in your FW, and control it using an ACI contract only.
Remi Astruc
04-25-2019 02:16 AM
Thx for the reply.
Yes, you are correct. The routing table on the leaves shows that it knows the 2 subnets, so this would not work.
Splitting into more VRFs is not where we want to go now.
So we started looking into PBR. What docs do you recommend for this?
Br
Geir
04-25-2019 02:50 AM
Hi,
Design details:
How to configure:
Remi Astruc
04-25-2019 03:31 AM
Thx again.
We will look into PBR during the next couple of working days.
But would you consider contracts a better solution?
Br
Geir
04-25-2019 04:31 AM
Hi,
It depends on your security governance or on operational feasibility.
Contracts are Layer 4, stateless ACLs. They are not a FW, and can have scalability or operational limits if too numerous.
Remi Astruc
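The "control it using an ACI contract only" option from the first reply, and the "Layer 4, stateless ACL" point from the last one, as an added worked example that is not part of this thread. The script below builds the APIC REST payload for a contract that lets epg314 reach epg315 on TCP/443 only, using the standard APIC object classes (fvTenant, vzFilter/vzEntry, vzBrCP/vzSubj/vzRsSubjFiltAtt, fvAp/fvAEPg/fvRsProv/fvRsCons). It also includes a small audit helper that lists exactly which protocol/port pairs a payload opens, which is the check a reviewer wants before a contract goes live. The tenant, AP and EPG names are taken from the original post; the contract and filter names, the APIC URL and the credentials are assumptions for illustration. Sending the payload to an APIC is optional and kept in a separate function.

```python
"""Build (and optionally push) an ACI contract between two EPGs in one VRF.

Added example, not from the thread. Names of tenant/APs/EPGs come from the
original post; contract/filter names, APIC URL and credentials are assumed.
"""
import json

# Objects named in the original post (VRF TEST, AP per EPG, epg314 / epg315).
TENANT = "TEST"
AP_314, EPG_314 = "ap314", "epg314"   # AP names are assumed (post only names the EPGs)
AP_315, EPG_315 = "ap315", "epg315"


def build_filter(name, proto, port):
    """A vzFilter with one vzEntry matching a single L4 destination port.

    ACI filter entries match packets, not connections: there is no state table,
    which is why the thread calls contracts 'stateless ACLs'.
    """
    entry = {"vzEntry": {"attributes": {
        "name": f"{proto}-{port}",
        "etherT": "ip", "prot": proto,
        "dFromPort": str(port), "dToPort": str(port),
    }}}
    return {"vzFilter": {"attributes": {"name": name}, "children": [entry]}}


def build_contract(name, filter_names, scope="context"):
    """A vzBrCP with one subject referencing the given filters.

    scope='context' keeps the contract usable within the VRF only.
    revFltPorts='yes' lets the leaf permit the reply direction (server port as
    source) without a second filter; it does not make the rule stateful.
    """
    subj_children = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}}
                     for f in filter_names]
    subject = {"vzSubj": {"attributes": {"name": "subj", "revFltPorts": "yes"},
                          "children": subj_children}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope},
                       "children": [subject]}}


def build_epg_binding(ap, epg, provided=(), consumed=()):
    """An fvAp/fvAEPg fragment attaching contracts as provider and/or consumer."""
    rels = [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provided]
    rels += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumed]
    epg_mo = {"fvAEPg": {"attributes": {"name": epg}, "children": rels}}
    return {"fvAp": {"attributes": {"name": ap}, "children": [epg_mo]}}


def build_epg314_to_epg315_https():
    """Full fvTenant payload: epg314 (consumer) -> epg315 (provider) on TCP/443."""
    flt = build_filter("flt-https", "tcp", 443)                 # assumed names
    con = build_contract("con-314-to-315", ["flt-https"])
    consumer = build_epg_binding(AP_314, EPG_314, consumed=["con-314-to-315"])
    provider = build_epg_binding(AP_315, EPG_315, provided=["con-314-to-315"])
    return {"fvTenant": {"attributes": {"name": TENANT},
                         "children": [flt, con, consumer, provider]}}


def opened_ports(payload):
    """Audit helper: every (proto, port) any vzEntry in the payload permits.

    Walks the MO tree recursively so nested filters are not missed.
    """
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for cls, body in node.items():
                if cls == "vzEntry":
                    a = body["attributes"]
                    for p in range(int(a["dFromPort"]), int(a["dToPort"]) + 1):
                        found.add((a["prot"], p))
                walk(body.get("children", []) if isinstance(body, dict) else [])
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(payload)
    return found


def post_to_apic(apic_url, user, password, payload, verify=True):
    """Log in (aaaLogin) and POST the payload under uni. Needs 'requests'."""
    import requests  # imported here so the builders above work without it
    s = requests.Session()
    login = {"aaaUser": {"attributes": {"name": user, "pwd": password}}}
    s.post(f"{apic_url}/api/aaaLogin.json", json=login, verify=verify).raise_for_status()
    r = s.post(f"{apic_url}/api/mo/uni.json", json=payload, verify=verify)
    r.raise_for_status()
    return r.json()


if __name__ == "__main__":
    p = build_epg314_to_epg315_https()
    print(json.dumps(p, indent=2))
    print("opens:", sorted(opened_ports(p)))
    # post_to_apic("https://apic.example.net", "admin", "secret", p)  # assumed URL/creds
```

Run it as-is to print the payload and the audited port list; uncomment the last line (with your own APIC address and credentials) to apply it. Note what this does and does not give you: the leaf enforces the permit on a per-packet basis with no connection tracking, so a contract like this is exactly the L4 stateless filter the last reply describes, not a substitute for the firewall inspection the original poster wanted.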