1298 Views | 10 Helpful | 1 Reply

DummyQ: Add an ACL entry on existing service-graph

leo.espinosa (Level 1)

Hi,

Let's say we have an ASAv inserted in a Service Graph in routed mode, currently allowing HTTP between two EPGs, App and Web.

What changes do I have to apply to add another protocol (HTTPS) between the two EPGs? Do I have to modify the existing contract and add an ACL to the ASA?

Leo

Accepted Solution

Remi Astruc (Level 1)

Hi Leo,

Basically, the answer to your question is Yes.

But you may have to think about your contract design.

It seems that you perform the protocol security control in the ACI contract and in the FW. Unless you have a very strict governance reason to do it, that leads to operational headaches, error-prone changes, and scalability limitations.

You'd better allow all IP traffic in your contract filter and manage protocol security in the FW.

If you need a flow not to be FWed, you can always add a more specific contract without a Service Graph.

Remi Astruc

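The design Remi describes, expressed as APIC REST payloads, as an added example that is not part of the thread and not Cisco's own tooling. It builds an allow-all-IP filter, a contract whose subject redirects through the service graph (class `vzRsSubjGraphAtt`), an optional narrower contract with no graph for a flow that must bypass the firewall, and the ASA ACL lines that then carry the HTTP/HTTPS policy. It also includes a check for the anti-pattern in the question: a graph-attached contract whose filter already matches on protocol or port. The tenant name `prod`, graph name `asav-routed`, object-group names and contract names are assumptions; the payload is the body you would POST to `https://<apic>/api/mo/uni/tn-<tenant>.json` after `aaaLogin`.

```python
"""Generate ACI filter/contract objects that keep protocol policy in the ASA
instead of duplicating it in the contract filter, plus a design lint.
Names (tenant "prod", graph "asav-routed", object-groups) are assumptions."""
from typing import Dict, List, Optional, Tuple

Mo = Dict[str, dict]  # one APIC managed object: {"<class>": {"attributes": ..., "children": ...}}


def allow_all_ip_filter(name: str = "allow-all-ip") -> Mo:
    """vzFilter with a single entry that matches every IP packet (no L4 match)."""
    entry = {"vzEntry": {"attributes": {"name": "any-ip", "etherT": "ip", "prot": "unspecified"}}}
    return {"vzFilter": {"attributes": {"name": name}, "children": [entry]}}


def l4_filter(name: str, ports: List[Tuple[str, str]]) -> Mo:
    """vzFilter with one stateful entry per (protocol, destination port), e.g. ("tcp", "443").
    Used for the narrower, graph-less bypass contract; not for the firewalled one."""
    entries = [{"vzEntry": {"attributes": {
        "name": f"{prot}-{port}", "etherT": "ip", "prot": prot,
        "dFromPort": port, "dToPort": port, "stateful": "yes"}}} for prot, port in ports]
    return {"vzFilter": {"attributes": {"name": name}, "children": entries}}


def contract(name: str, filter_name: str, graph_name: Optional[str] = None) -> Mo:
    """vzBrCP with one subject using filter_name. With graph_name set, the subject
    is attached to that L4-L7 service graph (vzRsSubjGraphAtt), so matching
    traffic is redirected through the ASAv; without it, the fabric forwards directly."""
    children = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]
    if graph_name:
        children.append({"vzRsSubjGraphAtt": {"attributes": {"tnVnsAbsGraphName": graph_name}}})
    subject = {"vzSubj": {"attributes": {"name": "s1", "revFltPorts": "yes"}, "children": children}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"}, "children": [subject]}}


def tenant_payload(tenant: str, mos: List[Mo]) -> Mo:
    """Wrap filters and contracts in the tenant so one POST creates them all."""
    return {"fvTenant": {"attributes": {"name": tenant}, "children": mos}}


def graph_contracts_with_l4_filters(payload: Mo) -> List[str]:
    """Design lint: names of contracts that attach a service graph AND use a filter
    matching on protocol/port, i.e. contracts that duplicate the FW's protocol policy.
    Any hit means a new protocol needs a fabric change and an ASA change."""
    children = payload["fvTenant"]["children"]
    filters = {m["vzFilter"]["attributes"]["name"]:
               [e["vzEntry"]["attributes"] for e in m["vzFilter"].get("children", [])]
               for m in children if "vzFilter" in m}
    offenders = []
    for m in children:
        if "vzBrCP" not in m:
            continue
        for s in m["vzBrCP"]["children"]:
            rels = s["vzSubj"]["children"]
            has_graph = any("vzRsSubjGraphAtt" in r for r in rels)
            names = [r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                     for r in rels if "vzRsSubjFiltAtt" in r]
            l4 = any(e.get("prot", "unspecified") != "unspecified" or e.get("dFromPort")
                     for n in names for e in filters.get(n, []))
            if has_graph and l4:
                offenders.append(m["vzBrCP"]["attributes"]["name"])
    return offenders


def asa_acl_lines(acl: str, src_og: str, dst_og: str, ports: List[Tuple[str, str]]) -> List[str]:
    """ASA access-list lines carrying the per-protocol policy once the contract allows all IP.
    Adding HTTPS later is one more ACE here, with no contract change."""
    return [f"access-list {acl} extended permit {prot} object-group {src_og} object-group {dst_og} eq {port}"
            for prot, port in ports]


if __name__ == "__main__":
    import json
    design = tenant_payload("prod", [
        allow_all_ip_filter(),
        contract("app-to-web-fw", "allow-all-ip", graph_name="asav-routed"),
        # bypass flow: direct, no graph, narrowly scoped
        l4_filter("icmp-only", [("icmp", "unspecified")]),
        contract("app-to-web-icmp-direct", "icmp-only"),
    ])
    print(json.dumps(design, indent=1))
    print("lint:", graph_contracts_with_l4_filters(design))
    print("\n".join(asa_acl_lines("APP_TO_WEB", "APP_NET", "WEB_NET", [("tcp", "80"), ("tcp", "443")])))
```

With this layout the answer to the original question becomes "add one ACE on the ASA": the contract already permits all IP through the graph, so HTTPS only needs the `eq 443` line. The lint flags the original setup (an HTTP-only filter on the graph-attached contract), which is what forces a change in both places.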

