Regardless of your deployment mode, your
firewalls are deployed in Cisco ACI through service graphs. A service
graph allows you to integrate Layer 4 to Layer 7 devices, such as
a firewall, into the flow of traffic without the need for the L4-L7
device to be the default gateway for the servers in the ACI fabric.
Firewalls are represented in the ACI fabric as an L4-L7 device
that you configure in the APIC as a device cluster. A single firewall
or two firewalls deployed as an HA pair are configured as one device
cluster. Each device cluster has one or more logical interfaces
that describe the interface information of the device cluster and
map the path of each member firewall to a VLAN from the physical
or virtual machine monitor (VMM) domain.
Service graph templates define the firewall device cluster that
you insert into the traffic flow between EPGs. Additionally, the
service graph template defines how the firewall is integrated
and the logical interfaces that are assigned to the consumer and
provider EPGs. After creating your service graph template, you assign
it to EPGs and contracts. Because the service graph template is
not tied to a specific EPG or contract, you can reuse it across
multiple EPGs and contracts. The APIC then deploys the service graph template by
connecting it to the bridge domain between the EPGs.
You have three options when using a service graph template to
integrate the firewall into the traffic between EPGs.
Policy-Based Redirect—The fabric redirects traffic that matches the
contract to the firewall interface; the firewall does not need to be
the default gateway or to sit in the routed path between bridge domains.
This option is used when deploying the firewall in network
GoTo—The firewall routes traffic between bridge domains.
Use this option when deploying a Layer 3 firewall in service manager
GoThrough—The firewall bridges traffic between two bridge domains.
Use this option when deploying a Layer 2 firewall in service manager
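The following is an added example (not from the original page and not Cisco's own code) that builds the APIC REST payloads for the two objects described above: a device cluster with consumer and provider logical interfaces for an HA pair of physical firewalls, and a service graph template whose single node is configured for one of the three integration options. Class and attribute names follow the APIC vns object model as I recall it (vnsLDevVip, vnsCDev, vnsCIf, vnsLIf, vnsAbsGraph, vnsAbsNode, vnsAbsConnection); the mapping of Policy-Based Redirect to a GoTo node with routingMode=Redirect, and of GoThrough to L2 adjacencies, is my assumption, as are the tenant, device and interface names. Verify every class and attribute against the Management Information Model Reference for your APIC release before posting.

```python
"""Build APIC REST (XML) payloads for a firewall device cluster and a
service graph template.  Illustrative example, not Cisco's code; object
and attribute names are assumptions to be checked against the APIC MIM
reference.  All names (tenant 'Prod', devices 'fw1'/'fw2', etc.) are made up.
"""
import xml.etree.ElementTree as ET

# Integration option -> (vnsAbsNode funcType, routingMode, adjacency type
# of the two vnsAbsConnection objects).  Assumption: PBR is modelled as a
# GoTo node with routingMode="Redirect"; GoThrough uses L2 adjacencies.
MODES = {
    "pbr":       ("GoTo",      "Redirect",    "L3"),
    "goto":      ("GoTo",      "unspecified", "L3"),
    "gothrough": ("GoThrough", "unspecified", "L2"),
}


def device_cluster(tenant, name, members, encap_in, encap_out, phys_dom):
    """vnsLDevVip for an unmanaged physical firewall (one unit or an HA pair).

    members: list of (concrete_device_name, {"consumer": (if_name, path),
                                              "provider": (if_name, path)})
    Each member's concrete interface is attached to the matching logical
    interface, so the graph template only ever references 'consumer' and
    'provider', not the individual firewalls.
    """
    ldev = ET.Element("vnsLDevVip", name=name, devtype="PHYSICAL",
                      svcType="FW", managed="no", contextAware="single-Context")
    ET.SubElement(ldev, "vnsRsALDevToPhysDomP", tDn=f"uni/phys-{phys_dom}")
    # Logical interfaces carry the VLAN encap taken from the physical domain.
    lifs = {
        "consumer": ET.SubElement(ldev, "vnsLIf", name="consumer", encap=encap_in),
        "provider": ET.SubElement(ldev, "vnsLIf", name="provider", encap=encap_out),
    }
    for cdev_name, ifaces in members:
        cdev = ET.SubElement(ldev, "vnsCDev", name=cdev_name)
        for role, (if_name, path) in ifaces.items():
            cif = ET.SubElement(cdev, "vnsCIf", name=if_name)
            ET.SubElement(cif, "vnsRsCIfPathAtt", tDn=path)   # leaf port / PC / vPC
            ET.SubElement(lifs[role], "vnsRsCIfAttN",
                          tDn=f"uni/tn-{tenant}/lDevVip-{name}/cDev-{cdev_name}/cIf-[{if_name}]")
    return ldev


def service_graph(tenant, name, cluster, mode):
    """vnsAbsGraph with one firewall node wired between consumer and provider
    terminal nodes.  mode is 'pbr', 'goto' or 'gothrough'."""
    func_type, routing, adj = MODES[mode]
    g = ET.Element("vnsAbsGraph", name=name)
    con = ET.SubElement(g, "vnsAbsTermNodeCon", name="T1")
    ET.SubElement(con, "vnsAbsTermConn", name="1")
    prov = ET.SubElement(g, "vnsAbsTermNodeProv", name="T2")
    ET.SubElement(prov, "vnsAbsTermConn", name="1")
    node = ET.SubElement(g, "vnsAbsNode", name="N1", funcType=func_type,
                         routingMode=routing, managed="no")
    ET.SubElement(node, "vnsRsNodeToLDev", tDn=f"uni/tn-{tenant}/lDevVip-{cluster}")
    ET.SubElement(node, "vnsAbsFuncConn", name="consumer")
    ET.SubElement(node, "vnsAbsFuncConn", name="provider")
    base = f"uni/tn-{tenant}/AbsGraph-{name}"
    # Two connections: consumer terminal -> node consumer, node provider -> provider terminal.
    for cname, term, fconn in (("C1", "AbsTermNodeCon-T1", "consumer"),
                               ("C2", "AbsTermNodeProv-T2", "provider")):
        c = ET.SubElement(g, "vnsAbsConnection", name=cname, adjType=adj,
                          unicastRoute="yes" if adj == "L3" else "no")
        ET.SubElement(c, "vnsRsAbsConnectionConns", tDn=f"{base}/{term}/AbsTConn")
        ET.SubElement(c, "vnsRsAbsConnectionConns", tDn=f"{base}/AbsNode-N1/AbsFConn-{fconn}")
    return g


def tenant_payload(tenant, *objects):
    """Wrap objects in fvTenant; POST the result to /api/mo/uni.xml."""
    root = ET.Element("fvTenant", name=tenant)
    root.extend(objects)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    ha_pair = [
        ("fw1", {"consumer": ("eth1/1", "topology/pod-1/paths-101/pathep-[eth1/1]"),
                 "provider": ("eth1/2", "topology/pod-1/paths-101/pathep-[eth1/2]")}),
        ("fw2", {"consumer": ("eth1/1", "topology/pod-1/paths-102/pathep-[eth1/1]"),
                 "provider": ("eth1/2", "topology/pod-1/paths-102/pathep-[eth1/2]")}),
    ]
    cluster = device_cluster("Prod", "FW-HA", ha_pair, "vlan-101", "vlan-102", "FW-PhysDom")
    graph = service_graph("Prod", "FW-PBR", "FW-HA", "pbr")
    print(tenant_payload("Prod", cluster, graph))
```

The graph template becomes live only once it is referenced from a contract subject and a device selection policy binds node N1 to the cluster's logical interfaces and bridge domains; for the PBR option the redirect policy additionally needs the firewall interface's IP and MAC. Those binding objects are outside this example, and the same graph object can be attached to several contracts because nothing in it names an EPG.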