Intra-ESG firewall inspection
- Originally Written: June, 2024
Info: This post uses the Nexus as Code (NaC) project, which makes it very easy to configure ACI fabrics through a YAML file. More details and examples can be found at https://developer.cisco.com/docs/nexus-as-code/#!aci-introduction
Example scenario
This is a simple Nexus as Code configuration that has all traffic within a subnet inspected by a firewall. The relevant setting is intra_esg_isolation: true within the ESG configuration block. Behind the scenes, Private VLANs are automatically configured on the VMware vSwitch, which forces all traffic up to the leaf switch, where a TCAM rule redirects it to the firewall.
Although there is only a single subnet in this example, using ESGs makes adding further subnets very easy: edit the epg_selectors: configuration to include additional EPGs. Alternatively, you could use other selectors such as IP or MAC. Either way, any endpoint talking to any other endpoint in this ESG is first sent to the firewall for inspection.
Nexus as Code Configuration

```yaml
---
apic:
  tenants:
    - name: conmurph-01
      managed: false
      vrfs:
        - name: vrf-01
      bridge_domains:
        - name: 192.168.10.0_24
          vrf: vrf-01
          subnets:
            - ip: 192.168.10.254/24
        - name: 6.6.6.0_24
          alias: pbr_bd
          vrf: vrf-01
          subnets:
            - ip: 6.6.6.1/24
      application_profiles:
        - name: network-segments
          endpoint_groups:
            - name: 192.168.10.0_24
              bridge_domain: 192.168.10.0_24
              vmware_vmm_domains:
                - name: mil_11_pod_1_vmm
                  resolution_immediacy: immediate
                  u_segmentation: true
            - name: 6.6.6.0_24
              alias: pbr_bd
              bridge_domain: 6.6.6.0_24
              vmware_vmm_domains:
                - name: mil_11_pod_1_vmm
          endpoint_security_groups:
            - name: production
              vrf: vrf-01
              epg_selectors:
                - endpoint_group: 192.168.10.0_24
                #- endpoint_group: 192.168.20.0_24
              intra_esg_isolation: true
              contracts:
                intra_esgs:
                  - intra-esg-production
      filters:
        - name: src-any-to-dst
          entries:
            - name: src-any-to-dst
              ethertype: unspecified
      contracts:
        - name: intra-esg-production
          subjects:
            - name: permit-any
              filters:
                - filter: src-any-to-dst
              service_graph: conmurph-ftdv-routed
      services:
        service_graph_templates:
          - name: conmurph-ftdv-routed
            template_type: FW_ROUTED
            redirect: true
            device:
              tenant: conmurph-01
              name: conmurph-ftdv-routed
        l4l7_devices:
          - name: conmurph-ftdv-routed
            context_aware: single-Context
            type: VIRTUAL
            vmware_vmm_domain: mil_11_pod_1_vmm
            function: GoTo
            managed: false
            service_type: FW
            concrete_devices:
              - name: conmurph-ftdv-routed
                vcenter_name: mil1_vcenter
                vm_name: conmurph-ftd-1
                interfaces:
                  - name: client
                    vnic_name: Network adapter 3 # network adapter on the VM which is used for PBR
            logical_interfaces:
              - name: client
                concrete_interfaces:
                  - device: conmurph-ftdv-routed
                    interface_name: client
        redirect_policies:
          - name: client
            l3_destinations:
              - ip: 6.6.6.2
                mac: 00:50:56:B6:F3:02 # MAC address of the network adapter 3 from above
        device_selection_policies:
          - contract: any
            service_graph_template: conmurph-ftdv-routed
            consumer:
              l3_destination: true
              redirect_policy:
                name: client
              logical_interface: client
              bridge_domain:
                name: 6.6.6.0_24
            provider:
              l3_destination: true
              redirect_policy:
                name: client
              logical_interface: client
              bridge_domain:
                name: 6.6.6.0_24
```
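The chain that makes the configuration above work is easy to break silently: an ESG with intra_esg_isolation: true but no intra_esgs contract drops all intra-ESG traffic, a subject without a redirect service graph permits it without inspection, and a redirect next hop outside the PBR bridge domain never reaches the firewall. The following is an added pre-deployment check, not part of the post or of the Nexus as Code project; it works on a constructed dict that mirrors the relevant parts of the YAML above (the structure a YAML loader would produce), and the check function and its finding strings are my own.

```python
import ipaddress

# Constructed subset of the page's Nexus as Code tenant, as the dict a YAML
# loader would produce (hypothetical stand-in; not the NaC project's code).
TENANT = {
    "bridge_domains": [{"name": "6.6.6.0_24", "subnets": [{"ip": "6.6.6.1/24"}]}],
    "application_profiles": [{"endpoint_security_groups": [{
        "name": "production", "intra_esg_isolation": True,
        "contracts": {"intra_esgs": ["intra-esg-production"]}}]}],
    "contracts": [{"name": "intra-esg-production", "subjects": [
        {"name": "permit-any", "service_graph": "conmurph-ftdv-routed"}]}],
    "services": {
        "service_graph_templates": [{"name": "conmurph-ftdv-routed", "redirect": True}],
        "redirect_policies": [{"name": "client", "l3_destinations": [{"ip": "6.6.6.2"}]}],
        "device_selection_policies": [{
            "service_graph_template": "conmurph-ftdv-routed",
            "consumer": {"redirect_policy": {"name": "client"}, "bridge_domain": {"name": "6.6.6.0_24"}},
            "provider": {"redirect_policy": {"name": "client"}, "bridge_domain": {"name": "6.6.6.0_24"}}}]},
}

def check_intra_esg_inspection(tenant):
    """Return findings for every isolated ESG whose intra-ESG traffic would
    not actually reach a redirect service graph; [] means the chain is intact."""
    by_name = lambda items: {i["name"]: i for i in items}
    svc = tenant["services"]
    graphs, redirects = by_name(svc["service_graph_templates"]), by_name(svc["redirect_policies"])
    bds, contracts = by_name(tenant["bridge_domains"]), by_name(tenant["contracts"])
    dsp = {d["service_graph_template"]: d for d in svc["device_selection_policies"]}
    findings = []
    for ap in tenant["application_profiles"]:
        for esg in ap.get("endpoint_security_groups", []):
            if not esg.get("intra_esg_isolation"):
                continue  # no isolation: endpoints talk directly, nothing is inspected
            intra = esg.get("contracts", {}).get("intra_esgs", [])
            if not intra:  # isolation with no intra-ESG contract drops all intra-ESG traffic
                findings.append(f"{esg['name']}: isolated but no intra_esgs contract")
            for cname in intra:
                for subj in contracts[cname]["subjects"]:
                    graph = graphs.get(subj.get("service_graph"))
                    if not graph or not graph.get("redirect"):  # permitted without the firewall
                        findings.append(f"{esg['name']}: {cname}/{subj['name']} is not redirected")
                        continue
                    for side in ("consumer", "provider"):  # both legs must point into the PBR BD
                        leg = dsp[graph["name"]][side]
                        net = ipaddress.ip_network(bds[leg["bridge_domain"]["name"]]["subnets"][0]["ip"], strict=False)
                        for dest in redirects[leg["redirect_policy"]["name"]]["l3_destinations"]:
                            if ipaddress.ip_address(dest["ip"]) not in net:  # next hop unreachable from the BD
                                findings.append(f"{esg['name']}: {dest['ip']} not in {net} ({side})")
    return findings
```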