Firewalls are deployed in Cisco ACI through
service graphs. A service graph allows you to integrate Layer 4
to Layer 7 (L4-L7) devices, such as a firewall, into the flow of traffic
without the need for the L4-L7 device to be the default gateway for
the servers in the ACI fabric.
Firewalls are represented in the ACI fabric as an L4-L7 device
that you configure in the APIC as a device cluster. A single firewall
or two firewalls deployed as an HA pair are configured as a device
cluster. Each device cluster has one or more logical interfaces
that describe the interface information of the device cluster and
map the path of the member firewall with a VLAN from the physical
or virtual machine monitor (VMM) domain.
Service graph templates define the firewall device cluster that
you insert into the traffic flow between EPGs. Additionally, the
service graph template defines how the firewall is integrated
and the logical interfaces that are assigned to the consumer and
provider EPGs. After creating your service graph template, you assign
it to EPGs and contracts. Because the service graph template is
not tied to a specific EPG or contract, you can reuse it between multiple
EPGs. The APIC then deploys the service graph template by connecting
it to the bridge domain between EPGs.
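As an added example (not from this page or from Cisco's documentation), the APIC XML fragment below, posted to the REST API at /api/mo/uni.xml, ties the pieces above together: a device cluster for an HA pair of unmanaged physical firewalls, two logical interfaces that map each member's path to a VLAN from the physical domain, a reusable service graph template, the device selection policy that binds the template's connectors to the logical interfaces and the bridge domains between the EPGs, and a contract subject that attaches the template. The tenant, device, interface, VLAN, bridge-domain, contract and filter names are assumed placeholders, and the exact attributes the APIC requires vary by release.

```xml
<polUni>
  <fvTenant name="Prod">
    <!-- Device cluster: HA pair of physical firewalls, unmanaged (APIC programs the fabric, not the firewall) -->
    <vnsLDevVip name="FW-Pair" devtype="PHYSICAL" funcType="GoTo" managed="false" contextAware="single-Context">
      <vnsRsALDevToPhysDomP tDn="uni/phys-FW-PhysDom"/>
      <vnsCDev name="FW-A">
        <vnsCIf name="outside"><vnsRsCIfPathAtt tDn="topology/pod-1/paths-101/pathep-[eth1/1]"/></vnsCIf>
        <vnsCIf name="inside"><vnsRsCIfPathAtt tDn="topology/pod-1/paths-101/pathep-[eth1/2]"/></vnsCIf>
      </vnsCDev>
      <vnsCDev name="FW-B">
        <vnsCIf name="outside"><vnsRsCIfPathAtt tDn="topology/pod-1/paths-102/pathep-[eth1/1]"/></vnsCIf>
        <vnsCIf name="inside"><vnsRsCIfPathAtt tDn="topology/pod-1/paths-102/pathep-[eth1/2]"/></vnsCIf>
      </vnsCDev>
      <!-- Logical interfaces: each maps both members' concrete interfaces to one VLAN (assumed values) -->
      <vnsLIf name="consumer" encap="vlan-100">
        <vnsRsCIfAttN tDn="uni/tn-Prod/lDevVip-FW-Pair/cDev-FW-A/cIf-[outside]"/>
        <vnsRsCIfAttN tDn="uni/tn-Prod/lDevVip-FW-Pair/cDev-FW-B/cIf-[outside]"/>
      </vnsLIf>
      <vnsLIf name="provider" encap="vlan-101">
        <vnsRsCIfAttN tDn="uni/tn-Prod/lDevVip-FW-Pair/cDev-FW-A/cIf-[inside]"/>
        <vnsRsCIfAttN tDn="uni/tn-Prod/lDevVip-FW-Pair/cDev-FW-B/cIf-[inside]"/>
      </vnsLIf>
    </vnsLDevVip>
    <!-- Service graph template: consumer terminal -> firewall node -> provider terminal; not tied to any EPG -->
    <vnsAbsGraph name="FW-Graph">
      <vnsAbsTermNodeCon name="T1"><vnsAbsTermConn name="1"/></vnsAbsTermNodeCon>
      <vnsAbsTermNodeProv name="T2"><vnsAbsTermConn name="1"/></vnsAbsTermNodeProv>
      <vnsAbsNode name="N1" funcType="GoTo" managed="false">
        <vnsAbsFuncConn name="consumer"/><vnsAbsFuncConn name="provider"/>
        <vnsRsNodeToLDev tDn="uni/tn-Prod/lDevVip-FW-Pair"/>
      </vnsAbsNode>
      <vnsAbsConnection name="C1"><vnsRsAbsConnectionConns tDn="uni/tn-Prod/AbsGraph-FW-Graph/AbsTermNodeCon-T1/AbsTConn"/>
        <vnsRsAbsConnectionConns tDn="uni/tn-Prod/AbsGraph-FW-Graph/AbsNode-N1/AbsFConn-consumer"/></vnsAbsConnection>
      <vnsAbsConnection name="C2"><vnsRsAbsConnectionConns tDn="uni/tn-Prod/AbsGraph-FW-Graph/AbsNode-N1/AbsFConn-provider"/>
        <vnsRsAbsConnectionConns tDn="uni/tn-Prod/AbsGraph-FW-Graph/AbsTermNodeProv-T2/AbsTConn"/></vnsAbsConnection>
    </vnsAbsGraph>
    <!-- Device selection policy: for this contract/graph/node, bind each connector to a logical interface and bridge domain -->
    <vnsLDevCtx ctrctNameOrLbl="web-to-app" graphNameOrLbl="FW-Graph" nodeNameOrLbl="N1">
      <vnsRsLDevCtxToLDev tDn="uni/tn-Prod/lDevVip-FW-Pair"/>
      <vnsLIfCtx connNameOrLbl="consumer"><vnsRsLIfCtxToLIf tDn="uni/tn-Prod/lDevVip-FW-Pair/lIf-consumer"/><vnsRsLIfCtxToBD tDn="uni/tn-Prod/BD-Web"/></vnsLIfCtx>
      <vnsLIfCtx connNameOrLbl="provider"><vnsRsLIfCtxToLIf tDn="uni/tn-Prod/lDevVip-FW-Pair/lIf-provider"/><vnsRsLIfCtxToBD tDn="uni/tn-Prod/BD-App"/></vnsLIfCtx>
    </vnsLDevCtx>
    <!-- Contract subject: attaching the template here is what places the firewall in the permitted flow -->
    <vzBrCP name="web-to-app">
      <vzSubj name="any"><vzRsSubjFiltAtt tnVzFilterName="default"/><vzRsSubjGraphAtt tnVnsAbsGraphName="FW-Graph"/></vzSubj>
    </vzBrCP>
  </fvTenant>
</polUni>
```

A second contract reuses FW-Graph by adding its own vzRsSubjGraphAtt and a matching vnsLDevCtx for its contract name. A contract subject that lacks the graph attachment permits its traffic directly between the EPGs, so auditing that every subject meant to be inspected carries the attachment is a worthwhile check.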