Thanks so much for this! It helped me figure out the missing piece in my deployment that I was struggling with. I simply forgot to point the default route on the Palos to the service BD's gateway.
Great video Ralph, super presentation.
Thank you, very useful step by step config
Thank you, very detailed and useful step by step config
Glad you liked it
Ralph, thank you for the effort, very useful video!
Great video, and very clear explanation! Thank you!
Thank you, this was very helpful and informative!
Font size is small in topology. Can you share jpg file separately? I can't read names of some of constructs.
Question:
Why do you have to configure the BD IP address in the subnet section?
That is for route leak, right?
Great video and diagram. Could you please share with us what tool you used to build that diagram?
Can we connect firewall as a per metal server and put gateway on it so all communication from Fabric goes through it?
What if you are using active/standby FW? Do you need to select L3 VIP then?
Great video, very helpful. I have got one question: can we use the same one-arm firewall (or cluster) for filtering north-to-south?
Also, it would be great to have the same kind of demo with load balancer insertion :p
Hi Ralph, nice overview! Thx.
Question: in the case of vZANY-to-vZANY PBR, you mention that it includes all EPGs related to the VRF.
But does it also include the External-EPG used at the L3OUT?
E.g.: traffic from APP_EPG going to "internet", will it also traverse the PBR construct before passing the L3out?
Correct, L3out extEPG is also included in vzany
Thank you
Good day! Why was a separate contract created between the web and the database, why not through Palo Alto?
The point here is to pass all internal DC communications between all EPGs through Palo, but with one exclusion: we want Web and Database EPG to talk to each other directly through the fabric (not traversing Palo). So adding the contract between Web and Database without L4-L7 services tells the fabric to treat this communication on the contract base only.
What is the service bridge domain?
When deploying this use case, the ACI Fabric is the gateway of the servers?
Yes ACI is the default gateway.
@ralphcarter769 thanks for your reply. Great video.