ACI routing to L4-L7 Firewall in L3 mode

How can we solve the following routing design on Cisco ACI?

Topology description

- We have a Frontend EPG with web server, built on top of a L3 Bridge domain 10.1.1.0/24. Default gateway 10.1.1.1 is provided by Cisco ACI.

- We use a L3 firewall using L4-L7 service graph. The corresponding interface with IP address 10.1.1.2 is attached to the Frontend EPG.

- The same firewall has a second interface with IP address 10.2.2.1. This interface is a member of the Database EPG, built on top of an L2 bridge domain (the IP address range would be 10.2.2.0/24, but since it is an L2 bridge domain, we don't have to specify it anywhere).

- Web server in Frontend EPG uses 10.1.1.1 (ACI) as a default gateway.

- Database in Database EPG uses 10.2.2.1 (Firewall) as a default gateway.

How can we instruct ACI to send traffic destined to subnet 10.2.2.0/24 to the Firewall IP address 10.1.1.2?

In other words, on ACI, how can we configure "ip route 10.2.2.0 255.255.255.0 10.1.1.2" ?

(As a workaround, we have to add a static route directly to the Web server, but we'd rather keep it with just the default route.)

Please see the attached topology diagram.

Thanks,

Alexander

2 Replies

Marcel Zehnder
Spotlight

You need an additional L3-Out in your demo-VRF and change the 10.1.1.2 interface on your firewall to a transit network. You also need to change the service graph then (one side EPG, the other side external network).

It may be easier to deploy your firewall in transparent (L2, go-through) mode between the frontend and database EPGs, but then you need to re-address the servers in your database EPG (the default gateway will be 10.1.1.1 in BD web-server1).

HTH

Marcel
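The L3-Out design from the reply above, expressed as an APIC REST payload so the static route is visible as configuration rather than prose. This is an added example, not code from the thread or from Cisco. The routed subnet (10.2.2.0/24) and the VRF name (demo-VRF) come from the question; everything else is assumed: tenant "demo", L3 domain "fw-l3dom", a /30 transit network 10.9.9.0/30 on VLAN 300 where the firewall interface that used to be 10.1.1.2 becomes 10.9.9.2, leaf 101 port eth1/10 toward the firewall host, and a contract "web-to-db" that the Frontend EPG consumes from the external EPG. The service-graph change (device selection policy pointing at the L3-Out) is not shown.

```python
"""Build (and optionally post) the L3-Out that gives ACI the equivalent of
'ip route 10.2.2.0 255.255.255.0 <firewall transit IP>'. Example code, not Cisco's."""
import json
import ssl
import urllib.request

# Assumed values: nothing below except DB_SUBNET and VRF comes from the thread.
TENANT = "demo"
VRF = "demo-VRF"
L3DOM = "fw-l3dom"                 # L3 domain whose VLAN pool contains VLAN 300 (assumed)
LEAF_NODE = "topology/pod-1/node-101"
LEAF_PATH = "topology/pod-1/paths-101/pathep-[eth1/10]"  # port toward the firewall host (assumed)
TRANSIT_VLAN = "vlan-300"
ACI_SVI_ADDR = "10.9.9.1/30"      # ACI side of the transit network (assumed)
FW_TRANSIT_IP = "10.9.9.2"        # firewall interface, re-addressed from 10.1.1.2 per the reply (assumed)
DB_SUBNET = "10.2.2.0/24"         # subnet behind the firewall, from the question
CONTRACT = "web-to-db"            # contract between Frontend EPG and the external EPG (assumed)


def build_l3out(name="fw-l3out"):
    """Return the l3extOut subtree: VRF binding, leaf node with the static route,
    SVI toward the firewall on the transit VLAN, and an external EPG for 10.2.2.0/24."""
    static_route = {"ipRouteP": {
        "attributes": {"ip": DB_SUBNET},
        "children": [{"ipNexthopP": {"attributes": {"nhAddr": FW_TRANSIT_IP}}}],
    }}
    node = {"l3extRsNodeL3OutAtt": {
        "attributes": {"tDn": LEAF_NODE, "rtrId": "101.101.101.101", "rtrIdLoopBack": "no"},
        "children": [static_route],
    }}
    svi = {"l3extLIfP": {
        "attributes": {"name": "fw-svi"},
        "children": [{"l3extRsPathL3OutAtt": {"attributes": {
            "tDn": LEAF_PATH, "ifInstT": "ext-svi", "encap": TRANSIT_VLAN,
            "addr": ACI_SVI_ADDR, "mode": "regular"}}}],
    }}
    # import-security: only 10.2.2.0/24 is classified into this external EPG,
    # so the contract does not accidentally cover everything the firewall can reach.
    ext_epg = {"l3extInstP": {
        "attributes": {"name": "db-ext"},
        "children": [
            {"l3extSubnet": {"attributes": {"ip": DB_SUBNET, "scope": "import-security"}}},
            {"fvRsProv": {"attributes": {"tnVzBrCPName": CONTRACT}}},
        ],
    }}
    return {"l3extOut": {
        "attributes": {"name": name},
        "children": [
            {"l3extRsEctx": {"attributes": {"tnFvCtxName": VRF}}},
            {"l3extRsL3DomAtt": {"attributes": {"tDn": f"uni/l3dom-{L3DOM}"}}},
            {"l3extLNodeP": {"attributes": {"name": "fw-nodes"}, "children": [node, svi]}},
            ext_epg,
        ],
    }}


def static_routes(obj):
    """Walk a payload and return (prefix, next-hop) pairs: a sanity check before posting."""
    found = []
    if isinstance(obj, dict):
        for cls, body in obj.items():
            if cls == "ipRouteP":
                prefix = body["attributes"]["ip"]
                for child in body.get("children", []):
                    if "ipNexthopP" in child:
                        found.append((prefix, child["ipNexthopP"]["attributes"]["nhAddr"]))
            else:
                found.extend(static_routes(body))
    elif isinstance(obj, list):
        for item in obj:
            found.extend(static_routes(item))
    return found


def post_to_apic(apic, user, pwd, l3out, verify_tls=True):
    """Log in to APIC and POST the L3-Out under uni/tn-<TENANT>. Returns the HTTP status."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: an unverified admin session can be intercepted
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    hdrs = {"Content-Type": "application/json"}
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    with urllib.request.urlopen(urllib.request.Request(f"{apic}/api/aaaLogin.json", data=login, headers=hdrs), context=ctx) as r:
        token = json.loads(r.read())["imdata"][0]["aaaLogin"]["attributes"]["token"]
    hdrs["Cookie"] = f"APIC-cookie={token}"
    body = json.dumps({"fvTenant": {"attributes": {"name": TENANT}, "children": [l3out]}}).encode()
    with urllib.request.urlopen(urllib.request.Request(f"{apic}/api/mo/uni/tn-{TENANT}.json", data=body, headers=hdrs), context=ctx) as r:
        return r.status


if __name__ == "__main__":
    payload = build_l3out()
    print(json.dumps(payload, indent=2))
    print("static routes:", static_routes(payload))
```

The Frontend EPG then needs to consume "web-to-db" so that web server traffic to 10.2.2.0/24 is permitted toward db-ext; the leaf forwards it via the static route to the firewall's transit address, and the web server keeps only its default route to 10.1.1.1. Run `post_to_apic("https://apic.example", "admin", pwd, payload)` only after checking `static_routes(payload)` shows the one expected prefix and next hop.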

Hi there,

Where can a route be applied in the case of an L3 virtual firewall?

In our case, this is a firewall on a VM domain integrated with the Cisco ACI fabric.

Thanks,

Alexander
