p002 design
Roman Elokhin edited this page Nov 25, 2018
- DC1 diagram
- DC2 diagram
The diagram above shows only one data-center. The second one is designed in the same way.
We do not want to manage MPLS equipment, so we skip it.
- pa_panorama - Palo Alto Panorama
- apic_aci_dc1 - Cisco APIC
- apic_aci_dc2 - Cisco APIC
We also have PA FWs and ACI leaf/spine switches but we are not going to manage them directly via PSEFABRIC. That is why we don't have them on this list.
We use the following hierarchical segmentation (a data-center contains areas, an area contains zones, a zone contains subzones):
- data-center
  - area
    - zone
      - subzone
    - zone
  - area
Segmentation correspondence for different equipment:
- MPLS between data-centers and between areas
- BGP inside the DC
  - PA advertises a default route towards each ACI VRF
  - For each VRF, ACI advertises all specific prefixes towards PA
  - ACI is the default gateway for all overlay subnets
- ACI contracts
  - control only intra-zone (inside the same zone) inter-subzone traffic
  - permit ANY for ACI <-> PA traffic (it will be controlled on the PA side)
- PA policies
  - implemented for all inter-zone traffic and, as a result of the hierarchical logical segmentation, for all inter-area and inter-DC traffic
  - for inter-zone intra-area traffic (inside the same area) one security rule should be created (from the source zone to the destination zone)
  - for inter-area traffic two security rules should be created:
    - on the source VSYS: from the source zone towards the SZ-outside zone with specific source and destination address-groups but with 'any' services/applications
    - on the destination VSYS: from the SZ-outside zone towards the destination zone with specific source and destination address-groups and specific service/application (if needed)
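The following is an added example (not PSEFABRIC's own code) that encodes the enforcement-point decision described above: given a source and a destination placed in the data-center / area / zone / subzone hierarchy, it returns which device controls the flow and how many rules are needed (none inside a subzone, an ACI contract between subzones of one zone, one PA rule between zones of one area, two PA rules across areas or data-centers). The `Endpoint` and `Rule` types, the `vsys_for` naming convention (one VSYS per area, named `<dc>-<area>`) and the `services` labels are assumptions made for this example; only the zone name `SZ-outside` and the rule structure come from the page.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Endpoint:
    # Position of a host/subnet in the hierarchy described on this page.
    dc: str
    area: str
    zone: str
    subzone: str


@dataclass(frozen=True)
class Rule:
    device: str    # "aci" (contract) or "pa" (Panorama security rule)
    vsys: str      # PA VSYS that owns the rule, "" for ACI contracts
    src: str       # source zone (PA) or source subzone (ACI)
    dst: str       # destination zone (PA) or destination subzone (ACI)
    services: str  # "any" or "specific", as the page prescribes per rule
    note: str


# Zone name taken from the page: transit zone towards other areas/DCs.
SZ_OUTSIDE = "SZ-outside"


def vsys_for(ep: Endpoint) -> str:
    # Assumption for this example: one VSYS per area, named "<dc>-<area>".
    return f"{ep.dc}-{ep.area}"


def plan_rules(src: Endpoint, dst: Endpoint) -> List[Rule]:
    """Return the rules PSEFABRIC-style automation would have to create
    for traffic from src to dst, following the page's segmentation logic."""
    same_zone = (src.dc, src.area, src.zone) == (dst.dc, dst.area, dst.zone)
    same_area = (src.dc, src.area) == (dst.dc, dst.area)

    # Intra-subzone traffic is not controlled by any of the listed devices.
    if same_zone and src.subzone == dst.subzone:
        return []

    # Intra-zone, inter-subzone traffic: controlled only by an ACI contract.
    if same_zone:
        return [Rule("aci", "", src.subzone, dst.subzone, "specific",
                     "ACI contract between subzones of the same zone")]

    # Inter-zone, intra-area traffic: a single PA rule on that area's VSYS.
    if same_area:
        return [Rule("pa", vsys_for(src), src.zone, dst.zone, "specific",
                     "single rule from source zone to destination zone")]

    # Inter-area (and therefore inter-DC) traffic: two PA rules.
    return [
        Rule("pa", vsys_for(src), src.zone, SZ_OUTSIDE, "any",
             "source VSYS: specific address-groups, any services"),
        Rule("pa", vsys_for(dst), SZ_OUTSIDE, dst.zone, "specific",
             "destination VSYS: specific address-groups and services"),
    ]


if __name__ == "__main__":
    # Constructed sample endpoints, not real inventory.
    a = Endpoint("dc1", "area1", "zone1", "sub1")
    far = Endpoint("dc2", "area3", "zone9", "sub1")
    for r in plan_rules(a, far):
        print(f"{r.device:3} {r.vsys:10} {r.src} -> {r.dst} services={r.services} ({r.note})")
```

The useful property of this layout is that the service restriction is applied exactly once per flow, on the destination VSYS, while the source VSYS only pins down the address-groups; automation that generates both rules from one intent object avoids the two drifting apart.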