Deploy the Firewall to Secure North-South Traffic in Network Policy Mode
Configure the firewall to secure the north-south traffic using the network policy mode.
| Where Can I Use This? | What Do I Need? |
|---|---|
| VM-Series plugin; Panorama | VM-Series licenses; Cisco ACI Fabric; Panorama plugin for Cisco ACI |
In this section, you will deploy a firewall in network policy mode to secure north-south traffic entering and exiting your data center using unmanaged mode with policy-based redirect.
This procedure assumes that you have completed the following:
- Firewalls are operational and connected to a leaf switch in your Cisco ACI environment. Additionally, the management interface of each firewall must be reachable by the APIC.
- Firewalls are deployed in active/passive HA mode. This procedure does not cover HA network setup and assumes you have completed this in advance.
To establish external connectivity to networks outside of your ACI fabric, you must configure an L3Out. An L3Out is a dedicated policy that contains the parameters required to connect external routing devices to a tenant. Additionally, an L3Out contains an external EPG (called an external network in the APIC web interface) that represents the networks accessible through the L3Out. The external EPG isn't dynamically populated and follows a Zero Trust model, so you must explicitly define the networks in the EPG; an address that no configured subnet covers is not classified into the EPG. To make configuration easier, you can configure a network of 0.0.0.0/0 to assign all networks to the external EPG.
To secure inbound traffic, connect your firewall or firewalls in an HA pair to your border-leaf switches. Border-leaf switches are leaf switches that provide Layer 3 connections to external routers. The firewalls peer with the border-leaf switches using the Open Shortest Path First (OSPF) protocol, which is configured on each leaf switch in the vPC pair and communicates with the firewalls using a switch virtual interface (SVI). On the firewall, you configure a virtual router dedicated to the interfaces that connect to your data center. Additionally, this procedure includes
For outbound traffic, the firewall advertises the external networks to the border-leaf switches using OSPF. Additionally, the external network EPG is configured to allow all networks advertised by the firewall into that EPG. You create a contract between a vzAny managed object and the external networks EPG to allow traffic from any EPG within the VRF to reach the external networks through the firewall. The vzAny managed object allows you to consolidate all EPGs in a VRF to one or more contracts instead of creating a separate contract for each EPG. The EPGs collected in the vzAny managed object consume the contract provided by the external EPG.
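To make the two points above concrete (an external EPG classifies only the addresses its subnets cover, and a vzAny-consumed contract provided by the external EPG permits any EPG in the VRF to reach it), here is a small Python model of the classification and contract lookup. It is an illustration added here, not code from Palo Alto Networks, Cisco, or the APIC; the EPG names (web, app, db, ext-net), contract names, and the 198.51.100.10 host address are constructed for the example, and the longest-prefix choice between overlapping external subnets is an assumption of the model rather than a statement about APIC internals.

```python
"""Model of external-EPG classification and vzAny contract resolution.

Added illustration only; EPG names, contract names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VZANY = "vzAny"  # stands in for every EPG in the VRF, like the ACI vzAny object


@dataclass
class ExternalEPG:
    name: str
    subnets: list        # ip_network objects configured on the external EPG


@dataclass
class Contract:
    name: str
    provider: str        # name of the EPG that provides the contract
    consumers: set       # names of consuming EPGs, or VZANY


@dataclass
class VRF:
    epgs: set            # application EPGs inside the fabric
    external: list       # ExternalEPG objects reachable through the L3Out
    contracts: list


def classify_external(vrf: VRF, ip: str) -> Optional[str]:
    """Return the external EPG whose configured subnet covers ip, or None.

    With no subnets configured nothing matches (Zero Trust default); with
    0.0.0.0/0 every address matches. Assumed longest-prefix tie-break.
    """
    try:
        addr = ip_address(ip)
    except ValueError:
        return None
    best = None
    for epg in vrf.external:
        for net in epg.subnets:
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, epg.name)
    return best[1] if best else None


def resolve(vrf: VRF, endpoint: str) -> Optional[str]:
    """Map a fabric EPG name or an outside IP address to an EPG name."""
    return endpoint if endpoint in vrf.epgs else classify_external(vrf, endpoint)


def permitting_contract(vrf: VRF, src: str, dst: str) -> Optional[str]:
    """Find a contract provided by dst that src (or vzAny) consumes."""
    for c in vrf.contracts:
        if c.provider == dst and (VZANY in c.consumers or src in c.consumers):
            return c.name
    return None


def check_flow(vrf: VRF, src: str, dst: str) -> str:
    """Decide whether a flow is permitted, as a short verdict string."""
    s, d = resolve(vrf, src), resolve(vrf, dst)
    if s is None or d is None:
        return "drop: address not covered by any external EPG subnet"
    c = permitting_contract(vrf, s, d)
    return f"permit: {c}" if c else "drop: no contract"


def build_vrf(external_subnets) -> VRF:
    """Constructed VRF: three app EPGs, one external EPG, an outbound
    contract consumed by vzAny and an inbound contract provided by web."""
    ext = ExternalEPG("ext-net", [ip_network(s) for s in external_subnets])
    return VRF(
        epgs={"web", "app", "db"},
        external=[ext],
        contracts=[
            Contract("outbound", provider="ext-net", consumers={VZANY}),
            Contract("inbound-web", provider="web", consumers={"ext-net"}),
        ],
    )


if __name__ == "__main__":
    outside_host = "198.51.100.10"      # constructed outside address
    for subnets in ([], ["0.0.0.0/0"]):
        vrf = build_vrf(subnets)
        print(f"external subnets {subnets or 'none'}:")
        print("  app -> outside :", check_flow(vrf, "app", outside_host))
        print("  outside -> web :", check_flow(vrf, outside_host, "web"))
        print("  outside -> db  :", check_flow(vrf, outside_host, "db"))
```

Running it shows why the 0.0.0.0/0 shortcut deserves thought: with no subnets on the external EPG, no outside address is classified and every north-south flow drops; with 0.0.0.0/0, every outside address lands in ext-net, so the single vzAny-consumed outbound contract opens all EPGs to all external networks, and only the EPGs that provide an inbound contract (here web, not db) are reachable from outside.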
Unlike in service manager mode, management of the ACI infrastructure and of the firewalls is completed separately.
On the APIC—
- Create a VLAN Pool and External Routed Domain
- Configure an Interface Policy for LLDP and LACP for North-South Traffic
- Create an External Routed Network
- Configure Subnets to Advertise to the External Firewall
- Create an Outbound Contract
- Create an Inbound Web Contract
- Apply Outbound and Inbound Contracts to the Endpoint Groups (EPGs)
On the firewall—
- Create a Virtual Router and Security Zone for North-South Traffic
- Configure the Network Interfaces
- Configure Route Redistribution and OSPF
- Configure NAT for External Connections