End-of-Life (EoL)

Service Graph Templates

Regardless of your deployment mode, your firewalls are deployed in Cisco ACI through service graphs. A service graph allows you to integrate Layer 4 - Layer 7 devices, such as a firewall, into the flow of traffic without the need for the L4-L7 device to be the default gateway for the servers in the ACI fabric.
Firewalls are represented in the ACI fabric as an L4-L7 device that you configure in the APIC as a device cluster. A single firewall or two firewalls deployed as an HA pair are configured as a device cluster. Each device cluster has one or more logical interfaces that describe the interface information of the device cluster and map the path of the member firewall with a VLAN from the physical or virtual machine monitor (VMM) domain.
Service graph templates define the firewall device cluster that you insert into the traffic flow between EPGs. Additionally, the service graph template defines how the firewall is integrated and which logical interfaces are assigned to the consumer and provider EPGs. After creating your service graph template, you assign it to EPGs and contracts. Because the service graph template is not tied to a specific EPG or contract, you can reuse it across multiple EPGs. The APIC then deploys the service graph template by connecting it to the bridge domain between EPGs.
You have three options when using a service graph template to integrate the firewall into the traffic between EPGs.
  • Policy-Based Redirect—Traffic is routed directly to the firewall. This option is used when deploying the firewall in network policy mode.
  • GoTo—The firewall routes traffic between bridge domains. Use this option when deploying a Layer 3 firewall in service manager mode.
  • GoThrough—The firewall bridges traffic between two bridge domains. Use this option when deploying a Layer 2 firewall in service manager mode.