Deploy the Firewall to Secure North-South Traffic in Network Policy
Use network policy mode to secure north-south traffic
entering and exiting your data center using unmanaged mode with policy-based
redirect. This procedure assumes that you have completed the following:
Firewalls are operational and connected to a leaf switch
in your Cisco ACI environment. Additionally, the management interface
of each firewall must be reachable by the APIC.
Firewalls are deployed in active/passive HA mode. This procedure
does not cover HA network setup and assumes you have completed this
To establish external connectivity to networks outside of your
ACI fabric, you must configure an L3Out. And L3Out is a dedicated
policy that contains the parameters required to connect external
routing devices to a tenant. Additionally, an L3Out contain an external
EPG (called an external network in the APIC UI) that represents
networks accessible through the L3Out. The external EPG is not dynamically
populated and follows a zero-trust model, so you must define the
networks in the EPG. To make configuration easier, you can configure
a network of 0.0.0.0/0 to assign all networks to the external EPG.
To secure inbound traffic, connect your firewall or firewalls
in an HA pair to your border-leaf switches. Border-leaf switches are
leaf switches that provide Layer 3 connections to external routers.
The firewalls peer with the border-leaf switches using the open
shortest path first (OSPF) protocol that is configured on each leaf
switch in the vPC pair and communicates with the firewalls using
a switch virtual interface (SVI). On the firewall, you configure
a virtual router dedicated to the interfaces that connect to your
data center. Additionally, this procedure includes
For outbound traffic, the firewall advertises the external networks
to the border-leaf switches using OSPF. Additionally, the external
network EPG is configured to allow all networks advertised by the
firewall into that EPG. You create a contract between a vzAny managed
object and the external networks EPG to allow traffic from any EPG
within the VRF to reach the external networks through the firewall.
The vzAny managed object allows you to consolidate all EPGs in a
VRF to one or more contracts instead of creating a separate contracts
for each EPG. The EPGs collected in the vzAny managed object consume the
contact provided by the external EPG.
Unlike in service manager mode, management if the ACI infrastructure
and the firewalls is completed separately.