: Deploy the Firewall to Secure North-South Traffic in Network Policy Mode
Focus
Focus

Deploy the Firewall to Secure North-South Traffic in Network Policy Mode

Table of Contents

Deploy the Firewall to Secure North-South Traffic in Network Policy Mode

Use network policy mode to secure north-south traffic entering and exiting your data center using unmanaged mode with policy-based redirect. This procedure assumes that you have completed the following:
  • Firewalls are operational and connected to a leaf switch in your Cisco ACI environment. Additionally, the management interface of each firewall must be reachable by the APIC.
  • Firewalls are deployed in active/passive HA mode. This procedure does not cover HA network setup and assumes you have completed this in advance.
To establish external connectivity to networks outside of your ACI fabric, you must configure an L3Out. And L3Out is a dedicated policy that contains the parameters required to connect external routing devices to a tenant. Additionally, an L3Out contain an external EPG (called an external network in the APIC UI) that represents networks accessible through the L3Out. The external EPG is not dynamically populated and follows a zero-trust model, so you must define the networks in the EPG. To make configuration easier, you can configure a network of 0.0.0.0/0 to assign all networks to the external EPG.
To secure inbound traffic, connect your firewall or firewalls in an HA pair to your border-leaf switches. Border-leaf switches are leaf switches that provide Layer 3 connections to external routers. The firewalls peer with the border-leaf switches using the open shortest path first (OSPF) protocol that is configured on each leaf switch in the vPC pair and communicates with the firewalls using a switch virtual interface (SVI). On the firewall, you configure a virtual router dedicated to the interfaces that connect to your data center. Additionally, this procedure includes
For outbound traffic, the firewall advertises the external networks to the border-leaf switches using OSPF. Additionally, the external network EPG is configured to allow all networks advertised by the firewall into that EPG. You create a contract between a vzAny managed object and the external networks EPG to allow traffic from any EPG within the VRF to reach the external networks through the firewall. The vzAny managed object allows you to consolidate all EPGs in a VRF to one or more contracts instead of creating a separate contracts for each EPG. The EPGs collected in the vzAny managed object consume the contact provided by the external EPG.
Unlike in service manager mode, management if the ACI infrastructure and the firewalls is completed separately.
On the APIC—
On the firewall—

Recommended For You