Configure

Background

The ACI fabric integrates L4-L7 services as part of an application through an APIC-managed service graph, which requires an L4-L7 device package. The imported device package exposes the device's configuration parameters in the APIC and lets the APIC push a given configuration to the device.

To deploy an L4-L7 service graph, register an L4-L7 device with the APIC, add its configuration as part of a Function Profile or as L4-L7 Service Parameters, and link the two with a service graph. Once you apply the service graph to a contract, the APIC renders it in the fabric by tagging the device interfaces and stitching them to the appropriate consumer and provider EPGs, and then applies the configuration to the registered device automatically. Once the configuration is applied to both the fabric and the L4-L7 device, the fabric directs the traffic matched by the contract to that device for inspection. ACI also lets you chain multiple services under a single service graph.

Configure Management Access to the ASA

Configure management access to the ASA so that the APIC can manage the ASA.

Procedure


Step 1

Remove any existing configuration. This erases the entire running configuration, including whatever management access is currently in place, so issue it from the console rather than over a remote session.

ciscoasa(config)# clear configure all

Step 2

(Optional) Set the firewall mode to transparent firewall mode.

ciscoasa(config)# firewall transparent

Step 3

Configure the IP address and subnet mask on the management interface (Management0/0 or Management0/1, depending on the model). The ASA management interface must be on the same subnet as the APICs.

ciscoasa(config)# interface management {0/0 | 0/1}

ciscoasa(config-if)# ip address ip_address subnet_mask

Step 4

Name the interface "management."

ciscoasa(config-if)# nameif management

Step 5

Enable the interface.

ciscoasa(config-if)# no shutdown

Step 6

Enable the ASA HTTPS server.

ciscoasa(config)# http server enable

Step 7

Permit an APIC to reach the ASA HTTPS server through the management interface. The 255.255.255.255 mask limits each entry to a single APIC; repeat this step for each APIC in the APIC cluster rather than opening the rule to a whole subnet.

ciscoasa(config)# http apic_address 255.255.255.255 management

Step 8

Create the user that the APIC uses to log in to the ASA. It does not have to be the existing management user; any local user with privilege level 15 works. Because privilege 15 grants full administrative control of the ASA, use a dedicated account with a strong password for the APIC rather than a shared one.

ciscoasa(config)# username username password password privilege 15

Step 9

Configure AAA so that logins to the HTTP (HTTPS) console are authenticated against the LOCAL user database, which is where the APIC's user was created in Step 8.

ciscoasa(config)# aaa authentication http console LOCAL

Step 10

Verify that an RSA key pair exists; the HTTPS server needs one for its certificate. If none exists, generate one:

ciscoasa(config)# show crypto key mypubkey rsa

ciscoasa(config)# crypto key generate rsa

Step 11

Verify that the Encryption-DES and Encryption-3DES-AES features are shown as Enabled. If either is Disabled, obtain and install a license that enables them: the APIC manages the ASA over HTTPS, and without the strong-encryption (3DES-AES) feature the ASA is limited to weak ciphers for that session.

ciscoasa(config)# show version


Configure Jumbo Frame Support

To pass Ethernet frames larger than 1500 bytes, reserve buffer space for jumbo frames. The reservation takes effect only after a reload, and it does not by itself raise the MTU of any interface; that remains a separate per-interface setting.

Procedure


Step 1

Enable jumbo frames.

ciscoasa(config)# jumbo-frame reservation

Step 2

Save the running configuration.

ciscoasa(config)# write memory

Step 3

Reboot the ASA.

ciscoasa(config)# reload


Configure Multiple Context Mode

To configure multi-context mode, see the High Availability and Scalability chapter in the Cisco ASA Series General Operations CLI Configuration Guide for instructions.

Those instructions describe how to configure interfaces in the system execution space, assign them to contexts, and configure the interfaces within each context. The device package performs all of those interface steps itself: it allocates and configures the interfaces used by each service graph in multiple-context mode. The system administrator, however, must provision the multiple-context ASA, including its contexts and their management access, before registering it with the APIC.

Procedure


Step 1

Create the required user contexts. The device package never creates or deletes a context.

Step 2

Provision each context the same way as a single-context ASA:

  1. Allocate a management interface to the context in the system execution space (accessed through the admin context). For example:

    context tenant
    allocate-interface Management0/1
    config-url disk0:/tenant1.cfg
    
    
  2. In the user context, give the management interface the nameif management and a static IP address. For example:

    interface management 0/1
    nameif management
    ip address 10.1.1.1 255.255.255.0
    security-level 100
    
    
  3. In the user context, enable the HTTPS server and permit the APICs to reach it through the management interface. The example below allows any source address, which is convenient in a lab; for production, restrict it with one /32 entry per APIC as in Step 7 of the single-context procedure. For example:

    http server enable
    http 0.0.0.0 0.0.0.0 management
    
    
  4. Create the privilege-15 user that the APIC uses, and configure AAA so that HTTP console logins are authenticated against the LOCAL user database.

    username username password password privilege 15
    aaa authentication http console LOCAL
    
    
  5. Set up the management route: a static route out of the management interface toward the gateway that reaches the APICs.

  6. Verify that an RSA key pair exists. If it doesn't, generate one:

    show crypto key mypubkey rsa
    crypto key generate rsa
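
The two procedures above (single-context Steps 3 through 9 and multiple-context Step 2) leave the same security-relevant settings behind in each context: a management interface on the APIC subnet, an HTTPS server reachable only from the APICs, a privilege-15 user, and LOCAL authentication for the HTTP console. The following audit script is an added example, not part of the original page or the ASA device package; it checks a saved configuration for exactly those points and flags the any-source `http 0.0.0.0 0.0.0.0 management` rule from the multi-context example as overly broad. The configuration text, the user name and the APIC addresses are constructed for the example, and the parser assumes the one-space sub-command indentation that ASA `show running-config` output uses.

```python
"""Audit an ASA (or ASA context) configuration for the APIC management-access
requirements: management interface up and on the APIC subnet, 'http server
enable', an HTTPS rule on 'management' covering each APIC (any-source rules
are flagged), a privilege-15 user, and LOCAL HTTP console authentication.
Added example, not part of the page or the ASA device package; configuration
text and APIC addresses below are constructed."""
import ipaddress
import re
from typing import Dict, List


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect nameif, ip address and shutdown state for each 'interface' block."""
    ifaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):              # a top-level command ends any block
            current = None
            if raw.startswith("interface "):
                current = raw[len("interface "):].strip()
                ifaces[current] = {"nameif": None, "ip": None, "shutdown": False}
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd.startswith("nameif "):
            ifaces[current]["nameif"] = cmd.split()[1]
        elif cmd.startswith("ip address "):
            ip, mask = cmd.split()[2:4]
            ifaces[current]["ip"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        elif cmd == "shutdown":
            ifaces[current]["shutdown"] = True
    return ifaces


def audit_mgmt_access(config: str, apics: List[str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    top = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith(" ")]
    apic_addrs = [ipaddress.IPv4Address(a) for a in apics]

    mgmt = next((i for i in parse_interfaces(config).values() if i["nameif"] == "management"), None)
    if mgmt is None:
        findings.append("no interface has 'nameif management'")
    elif mgmt["ip"] is None:
        findings.append("management interface has no IP address")
    else:
        if mgmt["shutdown"]:
            findings.append("management interface is shut down")
        for apic in apic_addrs:                  # Step 3: APICs share the management subnet
            if apic not in mgmt["ip"].network:
                findings.append(f"APIC {apic} not on management subnet {mgmt['ip'].network}")

    if "http server enable" not in top:
        findings.append("'http server enable' missing")

    # http <source> <mask> <ifname>: keep only the rules bound to 'management'
    rules = []
    for line in top:
        parts = line.split()
        if parts[0] == "http" and len(parts) == 4 and parts[3] == "management":
            rules.append(ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False))
    if any(r.prefixlen == 0 for r in rules):
        findings.append("'http 0.0.0.0 0.0.0.0 management' permits HTTPS management "
                        "from any source; restrict it to the APIC addresses")
    for apic in apic_addrs:
        if not any(apic in r for r in rules):
            findings.append(f"no http rule on 'management' covers APIC {apic}")

    if not any(re.match(r"username \S+ .*\bprivilege 15$", l) for l in top):
        findings.append("no privilege-15 user for the APIC")
    if "aaa authentication http console LOCAL" not in top:
        findings.append("'aaa authentication http console LOCAL' missing")
    return findings


# Constructed from the multi-context example above, including its any-source HTTPS rule.
LOOSE_CONTEXT_CONFIG = """\
interface management 0/1
 nameif management
 ip address 10.1.1.1 255.255.255.0
 security-level 100
http server enable
http 0.0.0.0 0.0.0.0 management
username apicuser password CHANGE_ME privilege 15
aaa authentication http console LOCAL
"""

# Same context with the rule tightened to one /32 per APIC (assumed APIC addresses).
APICS = ["10.1.1.11", "10.1.1.12"]
TIGHT_CONTEXT_CONFIG = LOOSE_CONTEXT_CONFIG.replace(
    "http 0.0.0.0 0.0.0.0 management\n",
    "".join(f"http {a} 255.255.255.255 management\n" for a in APICS),
)

if __name__ == "__main__":
    for name, cfg in (("loose", LOOSE_CONTEXT_CONFIG), ("tight", TIGHT_CONTEXT_CONFIG)):
        print(name, audit_mgmt_access(cfg, APICS) or ["ok"])
```

Run it against `show running-config` output captured from each context before registering the ASA; the loose configuration produces exactly one finding (the any-source rule), the tightened one produces none, and an APIC address outside the management subnet produces both a subnet finding and a missing-rule finding.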
    
    

Configure an ASA Cluster

ASA clustering lets you group multiple ASAs together as a single, logical device. A cluster provides all the management convenience of a single device, while achieving the increased throughput and redundancy of multiple devices. For more information, see the ASA Cluster chapter of the Cisco ASA Series General Operations CLI Configuration Guide.

By default, the APIC does not touch the ASA cluster configuration; you can configure it out-of-band with the CLI, ASDM, or CSM.

This release of the ASA device package introduces support for configuring ASA clusters using the APIC. The advantages of doing it this way include:

  • Cluster parameters are configured once on the LDev rather than on every CDev, so you do not repeat them on each unit and cannot introduce mismatches between units. The ASA device package also controls the order in which the cluster configuration is set up on, or removed from, the units when you change it from the APIC.

  • The ASA device package generates some parameters itself, such as the unit label, the priority, and the management IP address pool, which reduces the number of configuration tasks and the scope for user error.


Note

We do not recommend using this to work with an existing ASA cluster setup and its configuration.


Before you begin

  • You must use physical ASA units. The virtual ASA does not support clustering.

  • You must have at least two ASA units of the same model, running the same software image version and operating in the same mode (all transparent or all routed, and all single-context or all multiple-context). Do not mix.

  • You must have at least one hardware interface from each ASA designated as a cluster control link.

  • On the ASAs, ensure that no data interface is configured when you set up or remove the cluster.

  • In the APIC, you must remove all service graphs before creating or deleting a cluster configuration.

Procedure


Step 1

In the APIC, register all the ASA units in the cluster as CDevs (concrete devices) under an LDev (logical device).

Note 

The management IP addresses of the ASA units must be contiguous so that the APIC keeps connectivity once the cluster forms. For example, with two units, if the first ASA is 1.1.1.1 the second must be 1.1.1.3: once the cluster forms, 1.1.1.1 becomes the cluster's virtual IP address, the first ASA moves to the local address 1.1.1.2, and the second ASA keeps 1.1.1.3. Leave 1.1.1.2 unused for that reason.


Step 2

Configure the LDev.

Note 

Wait up to 2 minutes for the ASA cluster to be formed. Avoid making any configuration changes until after you can successfully ping the management IP addresses of the cluster units.


Step 3

The management IP address of the LDev becomes the virtual IP address of the ASA cluster, and the primary control unit receives a separate local IP address once the cluster forms. Change the IP address of the CDev that represents the primary control unit to that new local address. Otherwise the APIC cannot monitor the health of the primary control unit, nor follow a change of primary control unit such as a failover.

Note 

If you remove the ASA cluster configuration, remember to restore the IP address of the primary control unit to its original value.

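
The addressing rule in Step 1 and the CDev update in Step 3 are easy to get wrong when the cluster has more than two units. The following planner is an added example, not part of the page or the ASA device package. It derives the CDev addresses to register, the local addresses the units end up with, and the CDev change needed for the primary control unit, starting from the first unit's pre-cluster address. The page only shows the two-unit case; extending it so that units 2 through n sit at first+2 through first+n (with first+1 left free for the first unit to move to) is an assumption, as are the sample addresses.

```python
"""Plan the management addresses of an APIC-managed ASA cluster (Steps 1 and 3).
Added example, not part of the page or the ASA device package. The first unit's
address becomes the cluster virtual IP (the LDev management address), the first
unit moves to the next address, and the remaining units keep theirs. Extending
the page's two-unit layout to n units and the sample addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ClusterPlan:
    virtual_ip: str                       # LDev management IP once the cluster forms
    cdev_before: List[str]                # CDev addresses to register in the APIC (Step 1)
    cdev_after: List[str]                 # local addresses of the units after formation
    primary_cdev_update: Tuple[str, str]  # (old, new) address of the primary's CDev (Step 3)


def plan_cluster_addresses(first_ip: str, unit_count: int) -> ClusterPlan:
    """Derive the address plan from the first unit's pre-cluster management IP."""
    if unit_count < 2:
        raise ValueError("an ASA cluster needs at least two units")
    first = ipaddress.IPv4Address(first_ip)
    # Unit 1 keeps first_ip until the cluster forms; first+1 stays free for it to move to.
    before = [str(first)] + [str(first + i) for i in range(2, unit_count + 1)]
    after = [str(first + i) for i in range(1, unit_count + 1)]
    return ClusterPlan(
        virtual_ip=str(first),
        cdev_before=before,
        cdev_after=after,
        primary_cdev_update=(str(first), str(first + 1)),
    )


def check_contiguous(cdev_addresses: List[str]) -> List[str]:
    """Check CDev addresses already registered in the APIC against that layout.
    Returns the mismatches (empty when the layout is correct). It cannot tell
    whether first+1 is really unused on the subnet; verify that separately."""
    ints = sorted(int(ipaddress.IPv4Address(a)) for a in cdev_addresses)
    if len(ints) < 2:
        return ["an ASA cluster needs at least two units"]
    expected = plan_cluster_addresses(str(ipaddress.IPv4Address(ints[0])), len(ints)).cdev_before
    return [f"expected {want}, found {ipaddress.IPv4Address(got)}"
            for want, got in zip(expected, ints)
            if int(ipaddress.IPv4Address(want)) != got]


if __name__ == "__main__":
    plan = plan_cluster_addresses("1.1.1.1", 2)      # the page's two-unit example
    print(plan)
    print(check_contiguous(["1.1.1.1", "1.1.1.2"]))  # wrong: no gap left for the first unit
```

When you later remove the cluster configuration, apply `primary_cdev_update` in reverse, which is the restoration the note under Step 3 asks for.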


What to do next

To add or delete an ASA unit from the cluster, remove the cluster configuration, add or delete the ASA unit in the APIC, and configure the cluster again.