@PhoneBoy but can we connect Firewall in the mentioned mode where my Internal is L2 connectivity & external is L3??

Also do let me know what additional details you require.

Attaching Topology

The topology diagram provides only connectivity with switches and nothing about security zones or proposed traffic flows involving the gateway.
This information would have to be provided, particularly with respect to the L2 "internal" and L3 "external" and how traffic flows between those two.
It is critical to understand this in order to ensure no "double inspection" occurs, which is not supported.

Hi,

Addressing queries below:

1) How are you going to split Maestro for External/Internal?

Security groups

2) Are you going to use tight ACI integration?

We are using one-arm External Maestro security group Contract + Service Graph (L3Out). As mentioned earlier, Maestro will be connected to Border leaf both Internal Interface & external Interface.

Attaching topology

If you are talking about one-arm deployment, I do not see a big reason to care about "bridge mode".

You may have a special Bridge Domain to put your Security Group interface to it. This BD IP will be a default gateway to reply back.

Probably a full network diagram can help better understand your concerns.

I mean a couple of VLAN's (actually EPGs, right?), relevant Bridge Domains. With "fake" IP addresses. And Contracts between them (Service Graphs will be added later).

It will be more simple to draw the flow (EPG1 connects to EPG2, traffic is redirected to Maestro). Or uSeg EPG if you'd like to inspect traffic within a EPG VLAN.

But lets say if my external connectivity is L3 & internal Connectivity is l2 then will that be an issue for my N-S traffic?

If your internal connectivity is L2 and your external connectivity is L3, how do the packets get from internal to external?
Or do they get from internal to external at all?

A diagram showing security zones and all proposed traffic flows between them involving the gateway will answer a LOT of questions.

Hi @PhoneBoy 

Attached is the Network diagram for an AZ. We have decided to configure 2 bonds on Checkpoint (1-Ingress & 2-Egress) these will be L3 interface with IP. the Border leaf will send traffic to CP & CP will route it to Core switches. The Maestro setup will be in Routed mode.

So in such deployment will there be any challenges or is this best practise? All suggestions are Welcomed.

In terms of basic Layer 2 connectivity, I don't see any issues.
However, I asked two very precise questions:

• Where are the Security Zones? All I see in this diagram are "servers" which doesn't tell me much.
• What are the expected traffic flows? Again, all I see are servers here, no "users" no "Internet" or anything else.

The answers to these questions (along with the pertinent security requirements) will impact the ultimate configuration of any gateway (including Maestro).
Without that information, it's difficult to provide additional advice.

Response to your questions:

This will be L3 connectivity each bond intf of fw will have IP address assigned.

• Where are the Security Zones? All I see in this diagram are "servers" which doesn't tell me much. There is NO seperate security zone, this is a private cloud setup where users will be present on the Internet side and they would be accessing their hosted servers in this private cloud.
• What are the expected traffic flows? Again, all I see are servers here, no "users" no "Internet" or anything else. The expected traffic as mentioned above is that customer who has their server or setup in this private cloud will access those from internet. At the top of the diagram, the clouds shown are Internet. Each customer can have their own tenant or kind of vpc setup same as that of public cloud. For eg. A customer wants to access his serves then this traffic via Internet will land on perimeter routers then on Core switch and then from core switch to border leaf which will inturn redirect traffic to firewall ingress interface (bond1), here fw will inspect traffic as per rules and IPS only and then from egress intf (bond2) will send traffic to border leaf, which will then send traffic to spine switches and then to other leaf switches and atlast to server. This was the N-S traffic flow.