AmitS
Explorer

Maestro integration with Cisco ACI

Hi Guys,

One of our customers is planning to introduce a Maestro setup with Cisco ACI for N-S traffic inspection.

The Maestro setup will be connected to the Border leaf with 2 bonds (bond1: External & bond2: Internal). Diagram attached.

The external connectivity will be L3 whereas the Internal connectivity will be L2, the customer & the ACI team informed us. They also informed us that the default gateway for the ACI internal network will be the Core switch, which will be placed above the Firewall. I would like to know the best possible way to deploy Maestro & what the suggested connectivity is.

Also I would like to understand: if my external & internal networks are in different VLANs or the same VLAN, can we deploy the Firewall in bridge mode? Will there be any issues, & what will the dependencies be for this?

 

@PhoneBoy @Anatoly 

0 Kudos
12 Replies
PhoneBoy
Admin

Without knowing any more about the network topology, it's difficult to provide you a precise recommendation.
When dealing with bridge mode, you need to ensure that a single flow is not inspected by the same gateway/virtual system more than once.
See also for general limitations: https://support.checkpoint.com/results/sk/sk101371 

0 Kudos
AmitS
Explorer

@PhoneBoy but can we connect the Firewall in the mentioned mode, where my Internal is L2 connectivity & external is L3?

Also do let me know what additional details you require.

Attaching Topology

0 Kudos
PhoneBoy
Admin

The topology diagram provides only connectivity with switches and nothing about security zones or proposed traffic flows involving the gateway.
This information would have to be provided, particularly with respect to the L2 "internal" and L3 "external" and how traffic flows between those two.
It is critical to understand this in order to ensure no "double inspection" occurs, which is not supported.

0 Kudos
Anton_Razumov
Employee

Amit, could you please clarify?

1) How are you going to split Maestro for External/Internal?

Security groups or Virtual Systems?

2) Are you going to use tight ACI integration?

I mean are you going to use one-arm External Maestro security group or VS configuration and redirect traffic to it using ACI Contract + Service Graph (L3Out)?

Or are you going a traditional way (and in this case it is not so relevant you are using ACI, though you still can ingest objects from ACI for identity-based policy)?

Same for Internal.

 

My personal opinion:

- for External you may use either L3Out integration or a traditional routing

- for Internal I'd suggest one-arm configuration with full integration. In this case you do not need to change the customer's topology. For him it will look transparent, as he expects from bridge mode. Cisco will take care of redirecting traffic for inspection to the one-armed Maestro.

 

 

0 Kudos
AmitS
Explorer

Hi,

Addressing queries below:

1) How are you going to split Maestro for External/Internal?

Security groups

2) Are you going to use tight ACI integration?

We are using a one-arm External Maestro security group with Contract + Service Graph (L3Out). As mentioned earlier, Maestro will be connected to the Border leaf on both the Internal Interface & external Interface.

 

 

0 Kudos
AmitS
Explorer

Attaching topology

0 Kudos
Anton_Razumov
Employee

If you are talking about one-arm deployment, I do not see a big reason to care about "bridge mode".

You may have a special Bridge Domain to put your Security Group interface to it. This BD IP will be a default gateway to reply back.

Probably a full network diagram can help better understand your concerns.

I mean a couple of VLANs (actually EPGs, right?) and the relevant Bridge Domains, with "fake" IP addresses, and Contracts between them (Service Graphs will be added later).

It will be simpler to draw the flow (EPG1 connects to EPG2, traffic is redirected to Maestro). Or a uSeg EPG if you'd like to inspect traffic within an EPG VLAN.

0 Kudos
AmitS
Explorer

But let's say my external connectivity is L3 & internal connectivity is L2; will that be an issue for my N-S traffic?

 

0 Kudos
PhoneBoy
Admin

If your internal connectivity is L2 and your external connectivity is L3, how do the packets get from internal to external?
Or do they get from internal to external at all?

A diagram showing security zones and all proposed traffic flows between them involving the gateway will answer a LOT of questions.

0 Kudos
AmitS
Explorer

Hi @PhoneBoy 

Attached is the Network diagram for an AZ. We have decided to configure 2 bonds on the Check Point (1-Ingress & 2-Egress); these will be L3 interfaces with IPs. The Border leaf will send traffic to the CP & the CP will route it to the Core switches. The Maestro setup will be in Routed mode.

So in such a deployment will there be any challenges, or is this best practice? All suggestions are welcome.

 

0 Kudos
PhoneBoy
Admin

In terms of basic Layer 2 connectivity, I don't see any issues.
However, I asked two very precise questions:

  • Where are the Security Zones? All I see in this diagram are "servers" which doesn't tell me much.
  • What are the expected traffic flows? Again, all I see are servers here, no "users" no "Internet" or anything else.

The answers to these questions (along with the pertinent security requirements) will impact the ultimate configuration of any gateway (including Maestro).
Without that information, it's difficult to provide additional advice.

0 Kudos
AmitS
Explorer

Response to your questions:

This will be L3 connectivity; each bond interface of the FW will have an IP address assigned.

  • Where are the Security Zones? All I see in this diagram are "servers" which doesn't tell me much. There is NO separate security zone; this is a private cloud setup where users will be present on the Internet side and they would be accessing their hosted servers in this private cloud.
  • What are the expected traffic flows? Again, all I see are servers here, no "users" no "Internet" or anything else. The expected traffic, as mentioned above, is that a customer who has their server or setup in this private cloud will access it from the Internet. At the top of the diagram, the clouds shown are the Internet. Each customer can have their own tenant or kind of VPC setup, same as that of a public cloud. For e.g., a customer wants to access his servers; then this traffic via the Internet will land on the perimeter routers, then on the Core switch, and then from the Core switch to the border leaf, which will in turn redirect traffic to the firewall ingress interface (bond1). Here the FW will inspect traffic as per rules and IPS only, and then from the egress interface (bond2) will send traffic to the border leaf, which will then send traffic to the spine switches and then to the other leaf switches and at last to the server. This was the N-S traffic flow.
0 Kudos
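Added example, not part of the thread or any Check Point or Cisco tooling: a small checker for the "double inspection" concern PhoneBoy raises and for Anton's suggestion to draw EPGs, Contracts and Service Graph redirects before deciding on topology. EPG names, Security Group names and contracts below are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Contract:
    consumer: str                    # consumer EPG or L3Out
    provider: str                    # provider EPG
    redirect_to: Optional[str] = None  # Maestro Security Group named in the Service Graph, if any

class Fabric:
    """Toy model of ACI contracts carrying Service Graph redirects to Maestro Security Groups."""

    def __init__(self, contracts):
        self.contracts = list(contracts)

    def redirects_for(self, a, b):
        """Security Groups that traffic crossing the a<->b contract boundary is steered to."""
        return [c.redirect_to for c in self.contracts
                if {c.consumer, c.provider} == {a, b} and c.redirect_to]

    def check_flow(self, hops):
        """hops: EPGs/L3Outs a flow crosses in order, e.g. ['internet', 'app'].
        Returns ('ok' | 'uninspected' | 'double-inspection', [security groups involved])."""
        seen = Counter()
        for a, b in zip(hops, hops[1:]):
            seen.update(self.redirects_for(a, b))
        doubled = sorted(sg for sg, n in seen.items() if n > 1)
        if doubled:
            return "double-inspection", doubled  # same SG would see one flow twice: unsupported
        if not seen:
            return "uninspected", []             # flow never hits a gateway: a policy gap
        return "ok", sorted(seen)

# Constructed fabric: an L3Out contract for N-S traffic, an E-W contract, and a uSeg EPG
# contract inside 'app' that (wrongly) reuses the external Security Group.
EXAMPLE_FABRIC = Fabric([
    Contract("internet", "app", "SG-External"),
    Contract("app", "db", "SG-Internal"),
    Contract("app", "app-web-useg", "SG-External"),
])

if __name__ == "__main__":
    for flow in (["internet", "app"], ["app", "db"],
                 ["internet", "app", "app-web-useg"], ["db", "internet"]):
        print(" -> ".join(flow), EXAMPLE_FABRIC.check_flow(flow))
```

Feed it the EPG path of each proposed flow from the diagram; any "double-inspection" result is the case PhoneBoy says is not supported, and any "uninspected" result is a flow the gateway never sees.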