Team
I have a question related to the Security Groups in ACI. Today in the DC we add a stateful firewall to filter the east-west traffic. With ACI, we create SGs or EPGs, remove the appliances (L4-7) and just create contracts between the EPGs, but we keep the L4-7 appliances mainly to filter the North-South traffic (between Web - App - DB tiers).
The questions are:
- What features do I lose if I change the stateful firewall with a contract?
- Does that add risk and make the setup vulnerable? How?
- How to overcome this issue, as adding a service chain inside the tier (ex. APP) would cause a performance issue?
- Does Tetration solve this problem, how?
I truly appreciate your input, and if you have a document that talks about the same.
Best Regards,
Maj