Cisco ACI Integration

SOLVED
Don_Wells
Here to help

We're in the midst of migrating from our traditional network to Cisco ACI. We have 2 MX250s configured as a warm-pair. Has anyone had experience connecting their Security Appliances into the Cisco ACI Fabric/Topology? Thank you. Don
1 ACCEPTED SOLUTION
TWoz
Meraki Employee

Hi Don,

Any MX HA pair relies on the VRRP heartbeat for successful communication. This is regardless of other technologies in play in the deployment. As long as the MX can send and receive VRRP traffic from the peer it will operate as expected.

If my post answered your question please click the Kudos button below. Additionally, please update this thread to solved so others can benefit from it.

6 REPLIES 6

After further discovery, the L4-L7 integration in ACI functions much like many 'API type' GUI interfaces for firewall management. A familiar example for everyone would be ASDM in ASA management. However, the ACI integration is not as effective as using ASDM, which lacks even some control only available via CLI.
Short story, the package does not exist because it is unnecessary and would be less effective than the existing Cloud Management or API Dashboard that is already available.

Hopefully this saves someone else the time it took to understand the relationship. Thanks to all with their insights!

Don
CptnCrnch
Kind of a big deal

Apart from that: I have never heard of an ACI device package for Meraki MX. So I'd guess the answer is "no".

That seems like a bit of a misstep by Cisco since they own both technologies. You'd think that they'd want to create an ACI Device Package for integrating their own L4-L7 Service Appliances.

RedneckofTech
New here

You don't need a device package and this should work fine...device package is certainly nice but can introduce some complexity as well depending on your use case. If you are generally static without a ton of change (spinning workloads up and down etc.) then you can just use it as you would any other firewall and leverage policy in the ACI fabric to direct traffic to it. Here's a good example of how: https://community.cisco.com/t5/data-center-documents/aci-unmanaged-mode-configuration-example-using-...


@RedneckofTech wrote:

You don't need a device package and this should work fine...device package is certainly nice but can introduce some complexity as well depending on your use case. If you are generally static without a ton of change (spinning workloads up and down etc.) then you can just use it as you would any other firewall and leverage policy in the ACI fabric to direct traffic to it. Here's a good example of how: https://community.cisco.com/t5/data-center-documents/aci-unmanaged-mode-configuration-example-using-asav-in-routed/ta-p/3313318


Thanks for the thorough explanations, I appreciate it.
