I have a pair of ACE appliances that I would like to deploy. One of the requirements is to balance traffic in the DMZ and INSIDE networks. The two networks are separated by a firewall, and the firewall connects to the DMZ switch and the inside switch respectively.
My idea is to have the ACE connected to each switch separately by utilizing a two-port port channel to each of the DMZ and inside switches. I would create a DMZ context and an Inside context plus the Admin context. The port channel connected to the inside switch would carry the Inside and Admin context VLANs, and the port channel connected to the DMZ switch would carry the DMZ context VLANs. I will allocate DMZ VLANs to the DMZ context and Inside VLANs to the Inside context.
Is this doable? How would redundancy be implemented in this design? Would the FT VLAN configured in the Admin context take care of redundancy in the DMZ context? I would assign the management VLAN to the Inside and Admin contexts; would that be sufficient/work (manage the DMZ context using the Admin context)? Any direction or comments would be greatly appreciated.
Thank you for the reply. I just wanted to test the field of experts here since I have not found a design matching what I am proposing. Are there any other gotchas or problems that can be incurred with this design? Is there a better way of doing it? Thanks again.
There are always a lot of ways to do this. And because of the contexts in ACE you can split the function of your ACE into several virtual ACEs. Sometimes it's more a political question than a technical one, because there will be traffic from the DMZ and the internal network running through the same device. If you have concerns about this, you should use two different ACEs for this.
It is no concern that the DMZ and inside share the same box. In fact, this is a requirement. You said there are many ways of doing this. What are the different ways of doing it other than what I mentioned? Thanks again.
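For reference, here is how the design discussed in this thread (two port channels, Admin/INSIDE/DMZ contexts, FT peering defined in Admin) would look in an ACE 4710 Admin-context configuration. This is an added, constructed example, not configuration from the thread; every VLAN number, IP address and context name is assumed, and the second appliance mirrors it with the FT addresses swapped.

```text
! ACE-1 Admin context (constructed example; VLANs/IPs assumed)
! Member ports: Gi1/1-1/2 are in channel-group 1, Gi1/3-1/4 in channel-group 2 (omitted)
interface port-channel 1
  description to inside switch: inside, management and FT VLANs
  switchport trunk allowed vlan 100,200-210,999
  ft-port vlan 999
  no shutdown
interface port-channel 2
  description to DMZ switch: DMZ context VLANs only
  switchport trunk allowed vlan 300-310
  no shutdown
! FT interface and peer are defined once, in Admin; the FT VLAN rides port-channel 1
ft interface vlan 999
  ip address 192.168.99.1 255.255.255.0
  peer ip address 192.168.99.2 255.255.255.0
  no shutdown
ft peer 1
  ft-interface vlan 999
! VLAN allocation: DMZ VLANs are given only to the DMZ context, so that context is
! reachable only via port-channel 2; management VLAN 100 is used by Admin and INSIDE
context INSIDE
  allocate-interface vlan 100
  allocate-interface vlan 200-210
context DMZ
  allocate-interface vlan 300-310
! Failover is per context: the shared FT VLAN alone does not make DMZ redundant,
! each context (Admin included) needs its own FT group bound to the peer
ft group 1
  peer 1
  priority 150
  peer priority 50
  associate-context Admin
  inservice
ft group 2
  peer 1
  priority 150
  peer priority 50
  associate-context INSIDE
  inservice
ft group 3
  peer 1
  priority 150
  peer priority 50
  associate-context DMZ
  inservice
```

With this layout the DMZ context is managed from Admin (which sees all VLANs) while the DMZ trunk never carries inside or management VLANs, and losing port-channel 1 on one box also drops its FT heartbeat, so the FT VLAN placement should be considered when choosing which trunk to monitor for failover.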