maboutalib
Beginner

Stateful Firewall with ACI Security Groups

Team

 

I have a question related to the Security Groups in ACI. Today in the DC we add a stateful firewall to filter the east-west traffic. With ACI, when we create SGs or EPGs, we remove the L4-7 appliances and just create contracts between the EPGs, but we keep the L4-7 appliances mainly to filter the north-south traffic (between the Web, App and DB tiers).

 

The questions are,

 

- What features do I lose if I replace the stateful firewall with a contract?

- Does that add risk and make the setup vulnerable? How?

- How can this issue be overcome? Adding a service chain inside the tier (e.g. APP) would cause a performance issue.

- Does Tetration solve this problem? How?

 

I truly appreciate your input, and also any document you have that talks about the same.

 

Best regards,

 

Maj

 

 

Lawrence Searcy
Cisco Employee

Tetration captures traffic on the network to allow you to create whitelist contracts in ACI.

You should probably ask ACI the other questions. My understanding is that contracts are simple router ACLs and are not stateful.
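The reply above draws the line between a stateless ACL and a stateful firewall without showing what the difference costs. The following is an added example, not code from the thread or from Cisco; it is a generic model of the two filtering styles and does not claim to reproduce how ACI contracts are implemented. The host names "app" and "db", the MySQL port 3306 and every packet are constructed sample data. It shows the classic stateless "established" trick (permit return traffic by matching the source port and the ACK bit) and why that trick lets a compromised host in the DB tier probe the App tier with ACK-set packets, while a connection-tracking filter drops the same packets because no tracked flow exists.

```python
"""Stateless ACL vs stateful connection tracking, run over a few constructed packets.

Generic model of the two filtering styles (not ACI's implementation).
Hosts "app" and "db", port 3306 and all packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset            # TCP flag names, e.g. frozenset({"SYN"})

    def tuple(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_tuple(self):
        return (self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    src: str                    # host name or "any"
    dst: str
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None
    require_ack: bool = False    # stateless "established" hack: ACK bit must be set

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (not self.require_ack or "ACK" in p.flags))


class StatelessAcl:
    """Each packet is judged on its own header; nothing is remembered between packets."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.rules)   # implicit deny


class StatefulFilter:
    """Only the initiator's SYN is policy-checked; every other packet must belong to a tracked flow."""
    def __init__(self, initiation_rules):
        self.initiation_rules = list(initiation_rules)
        self.table = set()      # tracked (src, sport, dst, dport) tuples

    def allows(self, p: Packet) -> bool:
        if p.flags == frozenset({"SYN"}):                   # new connection attempt
            if any(r.matches(p) for r in self.initiation_rules):
                self.table.add(p.tuple())
                return True
            return False
        # Mid-flow packet: accepted only if a tracked flow exists in either direction.
        return p.tuple() in self.table or p.reverse_tuple() in self.table


def fs(*names):
    return frozenset(names)


# Constructed traffic: one legitimate App -> DB session, then probes sent from the DB host.
SAMPLE_PACKETS = [
    ("handshake_syn",       Packet("app", 40000, "db", 3306, fs("SYN"))),
    ("handshake_synack",    Packet("db", 3306, "app", 40000, fs("SYN", "ACK"))),
    ("handshake_ack",       Packet("app", 40000, "db", 3306, fs("ACK"))),
    ("query",               Packet("app", 40000, "db", 3306, fs("ACK", "PSH"))),
    ("reply",               Packet("db", 3306, "app", 40000, fs("ACK", "PSH"))),
    # Attacker on the DB host probing the App tier with the ACK bit set (ACK scan),
    # spoofing source port 3306 so the stateless return rule matches.
    ("ack_probe_to_app_22", Packet("db", 3306, "app", 22, fs("ACK"))),
    ("unsolicited_synack",  Packet("db", 3306, "app", 40001, fs("SYN", "ACK"))),
    ("syn_to_app_22",       Packet("db", 3306, "app", 22, fs("SYN"))),
]


def build_stateless_acl():
    # A stateless App<->DB policy has to permit the return direction explicitly;
    # the only handles it has are the source port and the ACK bit.
    return StatelessAcl([
        Rule(src="app", dst="db", dport=3306),
        Rule(src="db", dst="app", sport=3306, require_ack=True),
    ])


def build_stateful_filter():
    # Only the forward initiation is policy; return traffic is derived from state.
    return StatefulFilter([Rule(src="app", dst="db", dport=3306)])


def run_scenario():
    """Return {packet_name: (stateless_verdict, stateful_verdict)} in packet order."""
    acl, fw = build_stateless_acl(), build_stateful_filter()
    return {name: (acl.allows(p), fw.allows(p)) for name, p in SAMPLE_PACKETS}


if __name__ == "__main__":
    verdict = lambda ok: "permit" if ok else "deny"
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:22s} stateless={verdict(stateless):7s} stateful={verdict(stateful)}")
```

The three probe packets at the end are the practical answer to "what do I lose": the stateless ACL permits the ACK probe and the unsolicited SYN/ACK because their headers match the return rule, so a host that is compromised in the DB tier can map listening ports in the App tier; the stateful filter drops both because no SYN from the App side ever created a flow for them. Neither model permits the plain SYN from DB to App, which is the case a stateless contract does handle correctly.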