Cisco ACI Integration Models
There are two models for integrating the firewall into Cisco ACI—Network Policy mode and Service Manager mode.
Network Policy Mode
In network policy mode, traffic is sent to the firewall with a policy-based redirect (PBR). Additionally, configuration of the firewall and configuration of the APIC are completely separate. Network policy mode does not rely on a device package or any ant configuration integration between the firewall and the APIC, so it provides greater flexibility of configuration and deployment of the firewall.
For East-West traffic, define a bridge domain and subnet in the ACI fabric for the firewall. Configure contracts between EPGs that send traffic to the firewall using a PBR. The PBR forwards traffic to the firewall based on policy containg the firewall’s IP and MAC address. The firewall interfaces are always in Layer 3 mode and traffic is received and routed back to the ACI fabric. You can configure separate interfaces for consumer and provider connections or a single interface for ingress and egress traffic. The procedure in this document uses a single interface because it simplifies the integration; you do not need to configure as many interfaces, IP addresses, or VLANs. However, when using a single interface, you cannot uses zone information in defining security policy and you must modify the default intra-zone policy on the firewall to deny traffic.
For North-South traffic, you must use a dedicated policy called an L3Out. An L3Out contains the information required for the tenant to connect to external routing devices and access external networks. L3Out connections contain an external network EPG that represent the networks accessible through the L3Out policy. Just as the L3Out can group all external networks into a single EPG, you can use a vzAny object ACI to represent all EPGs in a VRF. Using a vzAny object simples the application of the outbound traffic contract because, whenever a new EPG is added to the VRF, the contract is automatically applied. In this scenario, the external network provides the contract and the vzAny object (all internal EPGs) consume it.
Service Manager Mode
Service manager mode allows you to use the Cisco APIC as a single point of configuration for your ACI fabric as well as your Palo Alto Networks firewalls and Panorama.
The following components are required to integrate the Palo Alto Networks firewall into your Cisco ACI environment in service manager mode.
- Panorama—Panorama is required to deploy security policy and objects on the firewall using the APIC. This document assumes that you are using Panorama. You can deploy the firewall without Panorama and APIC will deploy the context (vsys), high availability, and network interface configuration to the firewall but any security policy must be configured directly on the firewall.Panorama acts as a single point of connection between the APIC and the firewalls. Cisco ACI deploys security policy and objects from Panorama to its managed firewalls. The APIC sets devices groups for firewalls based on the APIC configuration and then commits the device groups configuration to the firewall, including security policy, NAT policy, threat profiles, and address objects.Cisco ACI integration supports physical and virtual versions of Panorama.
- Palo Alto Networks Firewall—Cisco ACI integration supports physical firewall appliances and the VM-Series firewall for VMware ESXi (standalone version).Cisco ACI integration supports physical firewalls divided into contexts that the APIC manages as individual firewalls. On hardware-based firewalls, these contexts are the virtual systems (vsys) on the firewalls; each firewall is licensed to support a certain number of vsys instances. When deploying a multi-vsys firewall in ACI, you must configure a chassis manager in the tenant and assign it to the firewall service.
- Cisco APIC—The APIC is your interface for managing your ACI environment. From here, you will create the firewall service, insert the firewall service between endpoint groups, and direct traffic to the firewall.
- Device Package—A device package allows and manages communication between the APIC and Panorama and firewalls. It allows you to configure high availability, networking, and interfaces for the firewall in the APIC and push it to Panorama and the firewalls. Once deployed in ACI, you complete your security configuration through Panorama or the individual firewalls.
The Palo Alto Networks device package version 1.3 requires PAN-OS 8.0 and Cisco ACI 2.3.
Recommended For You
Recommended videos not found.