Implementing Cisco ACI Multi-Pod Solution: Firewall Implementation for External Connectivity

Firewall Implementation for External Connectivity

Question

An engineer designs a Cisco ACI Multi-Pod solution that requires a pair of active-standby firewalls in different pods for external connectivity.

How should the firewalls be implemented?

Answers

Explanations


D.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739571.html

In a Cisco ACI Multi-Pod solution, a pair of active-standby firewalls is typically required for external connectivity. The firewalls can be implemented in different ways, including PBR for routed firewalls, separate L3Out peerings for routed firewalls, routed firewall for the default gateway, or transparent firewalls.

A. PBR for routed firewalls: PBR (Policy-Based Routing) can be used to forward traffic to the firewalls for inspection and filtering. This is typically done by defining a policy that matches certain traffic criteria (such as source or destination IP addresses, ports, or protocols) and then forwarding the traffic to the appropriate firewall. The firewall can then process the traffic and forward it back to the ACI fabric.

B. Separate L3Out peerings for routed firewalls: In this approach, the ACI fabric is configured with separate L3Out connections to each firewall. The L3Out connections are typically configured with equal cost multipath (ECMP) routing, so that traffic can be load-balanced across the firewalls. Each firewall is responsible for inspecting and filtering the traffic that is received on its respective L3Out connection.

C. Routed firewall for the default gateway: In this approach, a routed firewall is configured as the default gateway for the ACI fabric. The firewall is responsible for inspecting and filtering all traffic that flows in and out of the fabric. This approach is typically used when there is a single firewall that is capable of handling the traffic volume.

D. Transparent firewalls: Transparent firewalls are used to inspect and filter traffic at Layer 2 without requiring any IP address changes or modifications to the existing network topology. In an ACI Multi-Pod solution, transparent firewalls can be implemented by configuring a bridge domain between the firewalls and the ACI fabric. The bridge domain can then be configured with policies to forward traffic to the firewalls for inspection and filtering.

In summary, the choice of firewall implementation for an ACI Multi-Pod solution depends on the specific requirements of the solution. PBR for routed firewalls, separate L3Out peerings for routed firewalls, routed firewall for the default gateway, or transparent firewalls are all viable options that can be used to provide external connectivity and traffic inspection in the ACI fabric.