Static L3out to FW with 2 EPGs in same tenant/vrf using l3out

I'm sure there's something I don't understand or am missing, but here goes: I have one Tenant (TEST), one VRF (TEST), one AP with epg314 (vlan 314) and one AP with epg315 (vlan 315). I also have 2 BDs, bd314 and bd315, in VRF TEST. I also configured an external routed network with a static route towards an HA FW, configured with vPC and using vlan 3102. In the FW log, I can see traffic from epg314 to the firewall, and also from epg315 to the firewall. Both EPGs consume a contract for using the L3Out, and the L3Out provides that contract. I know that I can have a contract saying that epg314 and epg315 can communicate. But I want traffic between the 2 EPGs to go through the firewall. But I cannot see traffic between epg314 and epg315 hitting the firewall. So this traffic must be stopped within the tenant. How can I make the EPGs communicate through the firewall?

Remi Astruc
Level 1

Hello,

While your 2 BDs are attached to the same VRF, you have no chance of routing traffic from one to the other via an L3Out. That's also true in traditional networking.

2 options for that:

- Split the VRF and L3Out into 2, one VRF for each BD, and each having an L3Out to the FW

- Use a Service Graph with PBR integrating your FW, but that would need a complete redesign of your infra, with the FW in a BD

Otherwise forget about controlling this traffic in your FW, and control it using an ACI contract only.


Remi Astruc
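The routing argument in this reply, as an added illustration that is not code from the thread or from Cisco: a minimal longest-prefix-match model of the leaf's VRF routing table. The subnets (10.1.14.0/24 for bd314, 10.1.15.0/24 for bd315) are constructed assumptions, since the question only gives VLAN IDs. With both BDs in one VRF the leaf always holds a connected route for the other BD, so the L3Out default route is never selected for inter-BD traffic; with the VRF split (the first option above), the lookup from the bd314 side falls through to the FW.

```python
import ipaddress

# Constructed sample addressing (assumption, not from the thread):
# one subnet per bridge domain, plus the static default via the L3Out.
BD_SUBNETS = {
    "bd314": "10.1.14.0/24",  # assumed subnet behind epg314
    "bd315": "10.1.15.0/24",  # assumed subnet behind epg315
}
L3OUT_DEFAULT = "0.0.0.0/0"   # static route pointing at the HA FW


def build_vrf(bd_names):
    """Simplified VRF routing table: a connected route for every BD
    attached to this VRF, plus the static default learned via the L3Out."""
    routes = [
        (ipaddress.ip_network(BD_SUBNETS[name]), f"connected:{name}")
        for name in bd_names
    ]
    routes.append((ipaddress.ip_network(L3OUT_DEFAULT), "l3out:FW"))
    return routes


def next_hop(routes, dst):
    """Longest-prefix-match lookup, as any router (or ACI leaf) performs it."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def shared_vrf_path(dst):
    """The setup from the question: bd314 and bd315 in one VRF (TEST).
    Inter-BD traffic hits the connected route, so the leaf routes it
    directly; the contract between the two EPGs then decides whether it
    is permitted or dropped, and the FW is never in the path."""
    return next_hop(build_vrf(["bd314", "bd315"]), dst)


def split_vrf_path(dst):
    """Option 1 from the reply, seen from the bd314 side: its own VRF holds
    only bd314, so anything else (including bd315) follows the default
    route through the L3Out to the FW."""
    return next_hop(build_vrf(["bd314"]), dst)


if __name__ == "__main__":
    host_in_bd315 = "10.1.15.10"       # constructed host behind epg315
    internet_host = "192.0.2.1"        # documentation address, outside fabric
    print("shared VRF, epg314 -> epg315:", shared_vrf_path(host_in_bd315))
    print("shared VRF, epg314 -> outside:", shared_vrf_path(internet_host))
    print("split VRF,  epg314 -> epg315:", split_vrf_path(host_in_bd315))
```

Running it shows why the asker only sees north-south flows in the FW log: in the shared VRF the destination inside bd315 resolves to the connected route, and only destinations outside both BDs resolve to the L3Out.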


Thx for the reply.

Yes, you are correct. The routing table on the leafs shows that it knows the 2 subnets, so this would not work.

Splitting into more VRFs is not where we want to go now.

So we started looking into PBR. What docs do you recommend for this?


Br

Geir

Thx again.

We will look into PBR during the next couple of working days.

But would you consider contracts a better solution?


Br

Geir

Hi,

It depends on your security governance or the operational feasibility.

Contracts are Layer 4, stateless ACLs. They are not a FW, and can have scalability or operational limits if too numerous.


Remi Astruc
