End-of-Life (EoL)
This section describes the creation of a tenant, application profile, and firewall service in Cisco ACI.
Create a Tenant and Application Profile
You must create a tenant to contain the application and firewall service. The tenant contains the virtual routing and forwarding (VRF) object, endpoint groups, and application profile.
Create a tenant, VRF, and two bridge domains.
1. Log in to the APIC UI.
2. Select Tenant > Add Tenant.
3. Enter a Name for your tenant.
4. Enter a VRF Name for your VRF.
5. Verify that Take me to this tenant when I click finish is checked.
6. Click Submit. You are redirected to Tenants > <your tenant> > Networking, where you add the bridge domains.
7. Click and drag the bridge domain (BD) icon next to the icon of the VRF you named previously. This opens the Create Bridge Domain window.
8. Enter a Name for your bridge domain.
9. Click Submit.
10. Repeat steps 7 through 9 for your second bridge domain.
Create an Application Profile with two endpoint groups (EPGs). Each EPG must correspond to one of the bridge domains you created previously.
1. In the APIC UI, select Tenants and double-click the tenant you created previously.
2. Right-click Application Profiles and select Create Application Profile.
3. Enter a Name for your Application Profile.
4. Click the plus (+) icon under EPGs to add an EPG.
5. Enter a Name for your EPG.
6. Select a bridge domain.
7. Select a domain for the EPG. If you choose a virtual domain (VMM), you do not need to provide any further information for the EPG. If you choose a physical domain, you must specify a static path: the physical port on a leaf switch that the firewall is connected to. This mapping was determined when you created your ACI fabric and deployed the firewall.
Create a Device Manager. The device manager is your Panorama.
1. Select L4-L7 Services.
2. Right-click Device Managers and select Create Device Manager.
3. Enter a Name for the device manager.
4. From the Device Manager Type drop-down, select the option that corresponds to the Palo Alto Networks device package you installed.
5. Click the plus (+) icon under Management and enter the management IP address of Panorama and port 443 (HTTPS is used to connect to Panorama). Click Update.
6. Enter the username and password for Panorama.
7. Click Submit.
(Optional) Create a Chassis. A chassis is required to deploy multi-context firewalls (vsys). Without a chassis, APIC always configures the default vsys (vsys1).
1. Select L4-L7 Services.
2. Right-click Chassis and select Create Chassis.
3. Enter a Name for the chassis.
4. Enter a username and password and confirm the password. APIC never uses the username and password entered for the chassis; the values are irrelevant, but the APIC requires them.
The chassis must exist and is set as the chassis for the firewall device. This instructs APIC to use a vsys other than the default vsys (vsys1).
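The tenant, VRF, bridge domain and application profile/EPG objects that the first two steps of this procedure create by clicking through the UI can also be expressed as one APIC REST payload, which makes the intended EPG-to-bridge-domain pairing reviewable before anything is pushed. This is an added example, not code from the Palo Alto Networks or Cisco documentation; it uses the ACI object-model class names fvTenant, fvCtx, fvBD, fvRsCtx, fvAp, fvAEPg and fvRsBd, and the tenant, VRF, bridge domain, EPG and APIC host names are constructed placeholders.

```python
"""Build the APIC REST payload for the tenant/VRF/bridge-domain/application-profile
objects created by hand in the UI steps above. Added example; object names are
constructed placeholders, class and attribute names follow the ACI object model."""
import json


def mo(cls, attributes, children=()):
    """One managed object in APIC JSON form: {"cls": {"attributes": {...}, "children": [...]}}."""
    body = {"attributes": attributes}
    if children:
        body["children"] = list(children)
    return {cls: body}


def build_tenant(tenant, vrf, bridge_domains, app_profile, epg_to_bd):
    """Return the fvTenant tree: one VRF, the given BDs bound to it, and an
    application profile whose EPGs each bind to one of those BDs."""
    if set(epg_to_bd.values()) - set(bridge_domains):
        raise ValueError("every EPG must reference a bridge domain defined in this tenant")
    if len(set(epg_to_bd.values())) != len(epg_to_bd):
        # The procedure above pairs each EPG with its own bridge domain.
        raise ValueError("each EPG must map to its own bridge domain")
    children = [mo("fvCtx", {"name": vrf})]
    for bd in bridge_domains:
        # fvRsCtx ties the bridge domain to the VRF (the UI's drag-BD-next-to-VRF step).
        children.append(mo("fvBD", {"name": bd}, [mo("fvRsCtx", {"tnFvCtxName": vrf})]))
    epgs = [
        # fvRsBd is the EPG's "Select a bridge domain" step in the UI.
        mo("fvAEPg", {"name": epg}, [mo("fvRsBd", {"tnFvBDName": bd})])
        for epg, bd in epg_to_bd.items()
    ]
    children.append(mo("fvAp", {"name": app_profile}, epgs))
    return mo("fvTenant", {"name": tenant}, children)


def post_url(apic_host, tenant):
    """URL the payload is POSTed to over an authenticated HTTPS APIC session."""
    return f"https://{apic_host}/api/mo/uni/tn-{tenant}.json"


if __name__ == "__main__":
    payload = build_tenant("PAN-Tenant", "PAN-VRF", ["BD-outside", "BD-inside"], "PAN-AP",
                           {"EPG-outside": "BD-outside", "EPG-inside": "BD-inside"})
    print(post_url("apic.example.invalid", "PAN-Tenant"))
    print(json.dumps(payload, indent=2))
```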
Create an L4-L7 Service
Now that you have created your tenant with an application profile containing two EPGs, you must configure the firewall as a L4-L7 Service and insert that service between the EPGs. The firewall service then secures the traffic between the EPGs.
Create an L4-L7 Service
Enter general information about the firewall.
1. Right-click L4-L7 Devices and select Create L4-L7 Devices.
2. Enter a Name for your firewall service.
3. Select Firewall from the Service Type drop-down.
4. Under Device Type, select Physical or Virtual depending on the firewall you deployed.
5. Select the Physical or VMM Domain. This is the same domain you chose when creating the application profile.
6. Under View, select Single Node for a single firewall or HA Node for firewalls in an HA pair.
7. Select the Device Package.
8. Select the Model of the firewall you deployed. The device package comes preset with several Palo Alto Networks firewall models.
9. Set Context Aware to Multiple for multi-vsys deployments.
10. Under Function Type, select GoThrough for L2 and GoTo for L3.
11. Choose a connectivity mode for APIC to device management connectivity. This setting defines how Cisco APIC connects to the firewall and Panorama management interfaces. Choose the setting most appropriate for your environment. If the management interfaces of the firewall and Panorama have not been added to an EPG, you would typically choose Out-Of-Band. Out-Of-Band management is recommended.
12. Enter the login credentials for the firewall: the firewall's administrator username, then the administrator password, repeated to confirm.
Configure device 1 (the firewall).
1. Enter the firewall management IP address and select HTTPS as the management port.
2. (VM-Series only) Under VM, select the VM-Series firewall you deployed. All virtual machines connected to the ACI fabric are listed here.
3. (Physical firewall only) Select a Chassis. This directs the firewall to create a new vsys and apply the configuration from the APIC there. Without a chassis selected, APIC applies its network configuration to vsys1 and potentially overrides any configuration that already exists on vsys1.
4. Click the plus (+) icon under Device Interfaces to add your interfaces. For the VM-Series firewall, select ethernet 1/1 as the first data port and Network adapter 2 as the vNIC; vNIC Network adapter 1 is reserved for the firewall management port. For physical firewalls, in addition to selecting the ethernet port, you must also specify a path: the physical port on a leaf switch that the firewall is connected to. This mapping was determined when you created your ACI fabric and deployed your firewall.
Configure the cluster. A cluster is a group of up to two identically configured L4-L7 devices. The firewall(s) within the cluster are called concrete devices.
1. Enter the Management IP Address. This is the same IP address as device 1.
2. Set the Management Port to HTTPS.
3. Set the Device Manager to Panorama.
4. Set the Cluster Interfaces. The cluster interfaces define which side of the firewall is internal and which side is external.
   - Set the Type of the first interface to consumer (typically external) and give it a Name. Select a Concrete Interface from the drop-down. You defined the interfaces on this list when you configured the interfaces for device 1.
   - Set the Type of the second interface to provider (typically internal) and give it a Name. Select a Concrete Interface from the drop-down.
5. Click Next to proceed to the Basic Parameters tab.
Configure basic parameters of the firewall. In a single, non-HA firewall deployment, only the Basic Parameters under Device Settings are required; the parameters under All Parameters are optional.
1. Expand the Device Settings folder.
2. Click DNS Server (primary) and enter a Name in the Name column and an IP address in the Value column. Click Update.
3. Click Firewall Hostname and enter a hostname in the Value column. APIC automatically populates the Name column with hostname. Click Update.
4. Click Finish.
Verify that your L4-L7 Device was deployed successfully.
1. Select Tenants > <your tenant> > L4-L7 Services > L4-L7 Devices and select the cluster you created.
2. Under Configuration State, the Device State proceeds through several states, including init, verificationPending, auditPending, and finally stable.
3. If the Device State does not reach stable or shows any state not listed above, select Faults to determine the problem and follow the presented directions to resolve it.
Create and Deploy a Service Graph Template
After creating the Panorama device manager and your firewall device, you must create a service graph template. A service graph defines the service that the L4-L7 device (the firewall) provides. Complete the following procedure to create and apply a service graph.
Create and Apply a Service Graph
Create a Service Graph template.
1. Select Tenants > <your tenant> > L4-L7 Services and right-click L4-L7 Service Graph Templates.
2. Click Create L4-L7 Service Graph Template.
3. Enter a Graph Name.
4. Click and drag a device cluster from the Device Cluster table and place it between the two EPGs to create a service node.
5. Set the firewall function to Routed (L3/GoTo) or Transparent (L2/GoThrough) depending on how you configured your device.
6. Select the profile that matches the device package and function you configured previously.
7. Click Submit.
Apply the Service Graph Template. Parameters indicated with a red box are required.
1. Select Tenants > <your tenant> > L4-L7 Services and right-click the service graph template you created above.
2. Click Apply L4-L7 Service Graph Template.
3. Select a consumer EPG from the Consumer EPG/External Network drop-down.
4. Select a provider EPG from the Provider EPG/Internal Network drop-down.
5. Enter a Contract Name.
6. Click Next. Click Next again on Step 2 of this wizard.
7. Click All Parameters. This displays all the parameters that APIC will send to the firewall.
8. Create two zones. Click the + icon next to Interface Security Zone. Enter a Name for the zone. Set the Mode to Layer 2 or Layer 3. Repeat these steps for the second zone.
9. Configure two data interfaces for the firewall. Expand Interface Configuration. Select and expand Layer 2 Interface or Layer 3 Interface based on your deployment. Enter the interface's IP address with subnet mask. Click Security Zone and specify one of the security zones you created previously. Repeat these steps for the second interface.
10. Create a Panorama device group. Expand Security Configuration. Enter a Name for the device group. Select Function Config > Security Configuration. In Security Configuration Binding, set the SecurityConfigRel value to SecurityConfig.
11. Click Finish. The APIC now deploys the configuration to the firewall and Panorama.
12. Use Panorama or the firewall web UI to verify the deployment of the network interface configuration and device group configuration. The device is now inserted in the network, configured, and ready to pass traffic.