Friday, April 3, 2020

Cisco ACI: Okay to mix DMZ and intranet?

I've seen a few videos and docs that describe it being done, but I was wondering about those who actually use ACI day to day in their data centers.

We have a fairly mature and stable production ACI system for our intranet server infrastructure, and I was wondering if I could extend this to our DMZ servers. All of the traffic forwarding between DMZ tiers would be handled by firewalls. ACI switch fabric would be doing purely L2 and L2-extension. Zero routing and no contracts. Also, all of the AppProf/EPG/VRF/BD would be contained within a separate tenant in ACI as well.

I would rather not stand up a whole separate fabric for this, and the stretched Layer 2 would be critical for delivering DMZ capability where there's a lack of internet infrastructure.

Any thoughts? Safe to do?
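The design above rests on three things holding true in the DMZ tenant: every bridge domain stays L2-only (no unicast routing, no L3Out), every BD binds to a VRF that belongs to that tenant rather than falling back to tenant common, and no EPG provides or consumes a contract. An audit that checks a tenant's APIC JSON export for exactly those conditions, as an added example not taken from the post; the export is constructed inline, and the class and attribute names (fvBD, unicastRoute, arpFlood, fvRsCtx, fvRsBDToOut, fvRsProv/fvRsCons) follow the ACI object model:

```python
import json

# Constructed sample export of a DMZ tenant: one VRF, two BDs, two EPGs.
# "web-bd"/"web" follow the design; "app-bd"/"app" deliberately violate it.
SAMPLE_EXPORT = json.dumps({"fvTenant": {"attributes": {"name": "DMZ"}, "children": [
    {"fvCtx": {"attributes": {"name": "dmz-vrf"}}},
    {"fvBD": {"attributes": {"name": "web-bd", "unicastRoute": "no", "arpFlood": "yes"},
              "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": "dmz-vrf"}}}]}},
    {"fvBD": {"attributes": {"name": "app-bd", "unicastRoute": "yes", "arpFlood": "no"},
              "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": "shared-vrf"}}},
                           {"fvRsBDToOut": {"attributes": {"tnL3extOutName": "corp-l3out"}}}]}},
    {"fvAp": {"attributes": {"name": "dmz-ap"}, "children": [
        {"fvAEPg": {"attributes": {"name": "web"}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": "web-bd"}}}]}},
        {"fvAEPg": {"attributes": {"name": "app"}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": "app-bd"}}},
            {"fvRsProv": {"attributes": {"tnVzBrCPName": "app-to-db"}}}]}}]}}]}})


def children(obj):
    """Yield (class_name, node) for each child of an ACI JSON object."""
    for child in obj.get("children", []):
        for cls, node in child.items():
            yield cls, node


def audit_dmz_tenant(export_json):
    """Return findings that break the L2-only, no-contract, own-VRF design."""
    findings = []
    tenant = json.loads(export_json)["fvTenant"]
    # VRF names defined in this tenant; any other name resolves to tenant common.
    own_vrfs = {n["attributes"]["name"] for c, n in children(tenant) if c == "fvCtx"}
    for cls, node in children(tenant):
        name = node["attributes"]["name"]
        if cls == "fvBD":
            if node["attributes"].get("unicastRoute") != "no":
                findings.append(f"BD {name}: unicast routing enabled, fabric would route")
            if node["attributes"].get("arpFlood") != "yes":
                findings.append(f"BD {name}: ARP flooding off, L2-only BD needs it")
            for ccls, cnode in children(node):
                if ccls == "fvRsBDToOut":
                    findings.append(f"BD {name}: L3Out {cnode['attributes']['tnL3extOutName']} attached")
                if ccls == "fvRsCtx" and cnode["attributes"]["tnFvCtxName"] not in own_vrfs:
                    findings.append(f"BD {name}: VRF not in this tenant, resolves to common")
        elif cls == "fvAp":
            for _, epg in children(node):
                for rcls, rel in children(epg):
                    if rcls in ("fvRsProv", "fvRsCons"):
                        findings.append(f"EPG {epg['attributes']['name']}: "
                                        f"contract {rel['attributes']['tnVzBrCPName']} via {rcls}")
    return findings
```

Run it against a real tenant export (APIC's "Save as" JSON with children) and expect an empty list before cutting the DMZ over; the sample returns five findings, all on the deliberately misconfigured objects.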
