ACI - Default Gateway Question

udo.konstantin (Level 1)

Hello,

In a given ACI design we are following the network-centric approach.

The "old" VLAN structure is mapped to

One BD = one EPG = one Subnet

The default gateway for all BDs should be the firewall. In our case there are around 50 BDs.

My questions:

Is it necessary to configure the subnet (*.*.*.1) on the BD even if we have the firewall as the default gateway (IP *.*.*.254)?

The firewall is connected through a dot1q port to act as the default gateway for all the subnets within the BDs. Should this be a separate EPG?

Communication between all the EPGs in the different BDs should be allowed through contracts and should only be controlled by the firewall. What will be the best solution for that?

Thanks

Udo 

Accepted Solution

RedNectar (VIP)

Hi Udo

[Edit: Sorry - it looks like I'm a bit late to the table, for some reason my browser didn't show the other answers when I wrote this, so I thought it was unanswered]

Is it necessary to configure the subnet (*.*.*.1) on the BD even if we have the firewall as the default gateway (IP *.*.*.254)?

No... but...

If you want the ACI switches to learn the IP addresses of the attached devices, you need to:

  1. Ensure that IP routing is enabled for the BD
  2. Ensure the BD has an IP address

So if you DON'T configure the IP subnet on the BD, the ACI fabric will NOT learn the IP addresses of the devices in that BD and therefore you won't see the IP addresses.

The firewall is connected through a dot1q port to act as the default gateway for all the subnets within the BDs. Should this be a separate EPG?

If you are following the formula One BD = one EPG = one Subnet, then there are a couple of ways to implement the firewall.  The simplest is to statically map each EPG to its corresponding dot1q VLAN on the interface that is connected to the firewall.  That will ensure that each dot1q interface on the firewall will automatically be part of the EPG, so there is no need for separate EPGs for the firewall.

Another approach is to create L2outs for each VLAN, and then create additional contracts to allow each EPG to communicate with the Firewall.  This is just extra work and doesn't achieve much, but may give you a nice feeling that you have added some "extra" security between the EPs and their default gateway, and IF the following IS a condition:

Communication between all the EPGs in the different BDs should be allowed through contracts and should only be controlled by the firewall.

i.e. you MUST put contracts in place, then using L2outs would satisfy that condition, but to answer the question

What will be the best solution for that?

I would suggest that you let that firewall take care of the policy enforcement, otherwise, why are you using the firewall anyway?

Now I have taken a very "Keep It Simple" approach to answering this.  There is another approach known as Policy Based Redirect, where you would put the firewall interface in a separate EPG and use the vzAny object.  I've provided links for you to explore that a bit more if you want.

HTH

RedNectar

aka Chris Welsh


Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.


9 Replies

Claudia de Luna (Spotlight)

[@udo.konstantin]  

When you configure the subnet in the BD in ACI you are effectively configuring the Anycast Gateway (say 1.1.1.1/24) for the subnet. If the gateway for subnet 1.1.1.0/24 is the firewall then there is no need to configure the gateway in ACI. In fact, for this configuration I would disable (uncheck) unicast routing. In this design ACI is simply the layer 2 domain for all the hosts whose gateway is the firewall. Remember to enable the standard flooding behavior on the BD and I'd recommend also enabling "Limit IP Learning to Subnet". In this scenario you don't really need contracts since all EPG to EPG communication is via the firewalls, and I'm assuming that is where the policy resides. Outside of the fabric, subnet 1.1.1.0/24 is advertised either via the firewall with dynamic routing, or other devices point to the firewall statically to reach subnet 1.1.1.0/24.

Hope this helps!

Hi Claudia,

This is exactly what I want to know!

But I have one more question regarding the firewall connection to the ACI fabric:

I assume the firewall will be connected to the fabric with a dot1q trunk. What will be the best practice recommendation? 

Should we place the firewall into a separate EPG? If this is the case I assume vzAny should be used?! 

Thanks 

Udo 

Hi [@udo.konstantin]  

So I'm making lots of assumptions on your design. In a completely non-integrated firewall design (the simplest form of L4-L7 ACI integration, which is no integration at all) you make sure the links attach to the fabric with the correct SwProf/IntPol/AEP/PhyDom/VlanPool in Fabric > Access Policies. In your Tenant I've assumed WEB and APP EPGs/BDs that use the FWL as the gateway and where the FWL does enforcement and inspection. In this situation each EPG has a static path binding to the physical links of the firewall with the correct encapsulation. I've tried to draw it out in the attached. In this scenario the only way into WEB and APP is via the firewall. They are "dead ends" so to speak. If there is an APP2 EPG in the Fabric that has its gateway on the Fabric and endpoints in APP2 need to communicate with say APP or WEB, it would have to exit the fabric out its L3 and then get routed to the FWLs, which would permit or deny that traffic. At this point no contracts are needed between any of these EPGs for the flows I've described. Again, this assumes no FWL integration and static path bindings (if you used L2 Outs then you would need contracts between the WEB EPG and the L2Out "EPG", but since the gateways are on the FWL it's doubtful you would do this). There are other options, "Unmanaged" and Managed with a Device Package, which change much of the above!

Hello cdeluna, gmonroy and chriswelsh,

All your answers were very helpful for me.

I will go ahead and look how to fit your recommendations into our design approach. 

Regards

Udo

Udo,

Assuming your configuration truly follows the "Network Centric" approach you mentioned ( 1 VLAN = 1 EPG/BD/Subnet), then you will likely find yourself wanting to extend that very same EPG (via static path binding on that interface) that represents the subnet to the firewall with the flood settings mentioned by Claudia above. There is the l2out configuration on a BD as well, but either should technically accomplish what you seek.

Since your Endpoint to gateway communication flow will be within the same EPG, you will not need to use any contracts to allow this to happen. The assumption will be that if any of these endpoints ever need to get outside of their subnet, the firewall will route appropriately. If they only need to reach within the same subnet, traffic will flood within the BD/EPG.

Also a quick mention: there shouldn't be an immediate need for "Limit IP learning to Subnet" if unicast routing is disabled under the BD. Once Unicast Routing is disabled, we should no longer learn IPs under any EPGs associated to that BD (only MAC).

-Gabriel
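The design the replies above converge on (a layer-2-only BD with unicast routing off and standard flooding, as Claudia and Gabriel describe, plus each EPG statically bound with its dot1q VLAN to the firewall links, as Chris and Gabriel describe) expressed as an APIC REST payload, added here as an example and not code from anyone in this thread. fvBD, fvAEPg, fvRsBd, fvRsCtx and fvRsPathAtt are the standard APIC class names; the tenant name, VLAN ids and interface path DNs are constructed placeholders.

```python
# Added example, not from the thread: APIC JSON for the "network centric,
# firewall as gateway" design. fvBD/fvAEPg/fvRsPathAtt are standard APIC
# class names; tenant, VLAN ids and interface path DNs are constructed.

def make_bd(name, vrf):
    """Layer-2-only BD: no fvSubnet, unicast routing off, standard flooding."""
    attrs = {"name": name,
             "unicastRoute": "no",       # fabric is not the gateway, no anycast GW
             "arpFlood": "yes",          # ARP for the firewall's .254 is flooded
             "unkMacUcastAct": "flood"}  # unknown unicast flooded, not proxied
    # limitIpLearnToSubnets is left at default: with unicastRoute=no the
    # leaves learn MACs only, so that knob adds nothing (Gabriel's point).
    ctx = {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}
    return {"fvBD": {"attributes": attrs, "children": [ctx]}}

def make_epg(name, bd, paths):
    """EPG bound to its BD with a tagged static path for each (path DN, vlan)."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    for tdn, vlan in paths:
        children.append({"fvRsPathAtt": {"attributes": {
            "tDn": tdn, "encap": f"vlan-{vlan}", "mode": "regular"}}})
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}

def build_tenant(tenant, vrf, vlans, fw_paths, server_paths):
    """One BD = one EPG = one VLAN; every EPG is also trunked to the firewall."""
    bds, epgs = [], []
    for vlan, name in vlans.items():
        bds.append(make_bd(f"BD_{name}", vrf))
        paths = [(p, vlan) for p in fw_paths + server_paths.get(vlan, [])]
        epgs.append(make_epg(f"EPG_{name}", f"BD_{name}", paths))
    ap = {"fvAp": {"attributes": {"name": "AP_net_centric"}, "children": epgs}}
    return {"fvTenant": {"attributes": {"name": tenant}, "children": bds + [ap]}}

def check_design(tenant_obj, fw_paths):
    """Findings: a routed BD without a subnet, or an EPG missing a firewall path."""
    findings = []
    for child in tenant_obj["fvTenant"]["children"]:
        if "fvBD" in child:
            a, kids = child["fvBD"]["attributes"], child["fvBD"]["children"]
            if a["unicastRoute"] == "yes" and not any("fvSubnet" in c for c in kids):
                findings.append(f"{a['name']}: routing enabled but no subnet")
            continue
        for e in child["fvAp"]["children"]:
            bound = {c["fvRsPathAtt"]["attributes"]["tDn"]
                     for c in e["fvAEPg"]["children"] if "fvRsPathAtt" in c}
            for p in fw_paths:
                if p not in bound:
                    findings.append(f"{e['fvAEPg']['attributes']['name']}: no path to {p}")
    return findings
```

The payload from build_tenant can be posted to /api/mo/uni.json on the APIC; check_design catches the two mistakes the thread warns about, a BD left routed without a subnet, and an EPG that never reaches the firewall trunk.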


If you are following the formula One BD = one EPG = one Subnet, then there are a couple of ways to implement the firewall.  The simplest is to statically map each EPG to its corresponding dot1q VLAN on the interface that is connected to the firewall.  That will ensure that each dot1q interface on the firewall will automatically be part of the EPG, so there is no need for separate EPGs for the firewall.


So if I have servers connected to ACI at layer 2, and the gateway is the FW, which is connected at layer 2 and is the GW of the servers:

So as per your answer, for example the EPG Application will have three static paths: one for the server which has the source traffic, a second one for the active firewall and a third one for the standby firewall to go outside. Correct?


ponzki (Level 1)

@RedNectar This may be an old post, but is there any good resource / Cisco documentation regarding this design (ACI as Layer 2, FW as gateway, without subnets defined on the BD)?


Thanks!

Hi @ponzki ,

Bit pushed for time ATM - I THINK there may have been something written on the Unofficial ACI Guide blog


RedNectar aka Chris Welsh.
