Configure
Background
The ACI fabric provides for integration of L4-L7 services as an integral part of an application. This is accomplished through an APIC-managed service graph, which requires an L4-L7 device package. The imported device package exposes the device's configuration parameters in the APIC and allows the APIC to orchestrate a given configuration onto the device.
To deploy an L4-L7 service graph, register an L4-L7 device with the APIC, add its configuration as a Function Profile or as L4-L7 Service Parameters, and link the two with a service graph. Once you apply the service graph to a contract, the APIC renders it in the fabric by tagging the device interfaces and stitching them to the appropriate consumer and provider EPGs, then pushes the configuration to the registered device automatically. Once the configuration is applied to both the ACI fabric and the L4-L7 device, the fabric redirects the traffic defined by the contract to the device for inspection. ACI also lets you chain multiple services under a single service graph.
Register the FTD Appliance
Before you register the FTD device with the APIC, add its FMC management station as an APIC Device Manager. In this hybrid service graph model, the APIC and the FMC share responsibility for the FTD configuration: the APIC provisions the interfaces, IP addresses, security zones, BVIs, and NGIPS inline pairs, while the FMC defines the threat policies and rules that govern communication between EPGs. Add the FMC as a device manager, then register your FTD appliance with the APIC so that it can be used in a service graph.
Note | One FMC can be used as a device manager for multiple FTD devices provisioned for multiple service graphs. |
Before You Begin
- Configure the APIC Communication Policy to allow HTTP communication. This enables cleartext HTTP on the APIC, so enable it only as far as the device package requires and keep HTTPS for administrative access.
- Configure either a Virtual Machine Manager domain or a Physical Domain.
- Configure a tenant. The steps in this section require an existing tenant.
What to Do Next
Select your FTD device under L4-L7 Devices; it shows a 'stable' state if the APIC registered it properly. If the APIC could not reach your FMC, or could not find an FTD registered on the FMC with the given IP address, a fault is displayed. Refer to the Troubleshoot section to understand and resolve L4-L7 device faults. Ensure that your FTD device is in the 'stable' state before creating a service graph with its L4-L7 configuration.
Create a Service Graph
A service graph is an ordered set of function nodes between a set of terminals, which identifies the network service functions that an application requires. The service functions within a graph are provisioned automatically on a service device, based on the application's requirements.
After you register an appliance, you can create service graphs using that appliance and all the functions that appliance has exposed. The service graph can be created under the common tenant or can be tenant-specific. This can be done by the provider administrator or by the tenant administrator within its own tenancy.
To insert an FTD as a service function, the service graph template needs to be created using the FTD Function Node.
Step 1 | Sign in to the APIC.
Step 2 | Navigate to the common tenant or to a specific tenant.
Step 3 | In the navigation pane, expand the L4-L7 Services branch and click L4-L7 Service Graph Templates.
Step 4 | Select Actions > Create L4-L7 Service Graph Template.
Step 5 | Complete the Graph Name field with the name of the service graph.
Step 6 | Drag and drop an FTD service function from the left pane to the right pane to add that function to the service graph.
Step 7 | Change the name of the node.
Step 8 | Select the firewall mode, Routed or Transparent, based on your deployment.
Step 9 | Select a function profile for the service node: one of the default templates that come with the device package, or one that you created earlier.
Step 10 | Click Submit to create the graph. The new graph should appear in the Service Graph list.
Apply a Service Graph Template
The APIC configures the service according to the service function requirements specified in the service graph, and configures the network according to the needs of that service function; no manual change on the service device is required.
The APIC passes the parameters to the appliance script within the device package, which converts the parameter data into the configuration that is downloaded onto the appliance. This assumes that the application profile, EPGs, and contract already exist under the tenant in which the service graph is to be associated.
Before You Begin
- Configure a tenant.
- Configure an application profile with EPGs.
Complete the following steps to associate a service graph with a contract.
Step 1 | Sign in to the APIC.
Step 2 | On the menu bar, click Tenants.
Step 3 | In the navigation pane, expand the tenant's folder tree.
Step 4 | Expand L4-L7 Services > L4-L7 Service Graph Templates to show the service graph templates.
Step 5 | Right-click the service graph template of your choice and, in the pop-up menu, click Apply L4-L7 Service Graph Template.
Step 6 | In the Step 1 Contract dialog box, select the Consumer and Provider EPGs.
Step 7 | Create a new contract (enter a name for it) or choose an existing contract subject. Click Next.
Step 8 | In the Step 2 Graph dialog box, select the bridge domains (BDs) and Cluster Interfaces. Click Next.
Step 9 | In the Step 3 Parameters dialog box, click the All Parameters tab.
Step 10 | Configure the parameters based on your deployment. You can define a function profile based on a built-in template and use it here; see Supported Functions and FTD Deployments. Click Finish to attach the contract to the service graph.
What to Do Next
Once the service graph is instantiated, verify in the FMC that the APIC pushed the provisioned interface configuration (interfaces, IP addresses, security zones, BVIs or inline sets) to the FTD correctly.
Then verify that endpoints in the consumer and provider EPGs can communicate with each other through the provisioned FTD.
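One way to perform the FMC side of that check from a script rather than by clicking through the FMC UI, as an added example that is not part of the device package, the APIC or the FMC documentation: it logs in to the FMC REST API (POST /api/fmc_platform/v1/auth/generatetoken with HTTP Basic credentials, which returns the X-auth-access-token and DOMAIN_UUID response headers), lists the Security Zones in that domain (GET /api/fmc_config/v1/domain/<uuid>/object/securityzones), and compares them with the names the graph should have created, that is, each zone name from the function profile with the GraphDeploymentSuffix _<Tenant Name>_<Device Name> appended. The FMC host, credentials, CA bundle path and zone names are placeholders, and SAMPLE_LISTING is a constructed response so the comparison can be run offline. TLS verification is left on; supply the CA that issued the FMC certificate instead of disabling it.

```python
import base64
import json
import ssl
import urllib.request
from typing import Iterable, List, Set


def graph_deployment_suffix(tenant: str, device: str) -> str:
    """Suffix the APIC appends to Security Zone, Inline Set and Logical names."""
    return f"_{tenant}_{device}"


def expected_fmc_names(base_names: Iterable[str], tenant: str, device: str) -> Set[str]:
    """Names the objects from a function profile should carry on the FMC."""
    suffix = graph_deployment_suffix(tenant, device)
    return {f"{name}{suffix}" for name in base_names}


def names_in_listing(listing: dict) -> Set[str]:
    """Object names from an FMC collection response (objects live under 'items')."""
    return {item["name"] for item in listing.get("items", [])}


def missing_objects(expected: Set[str], listing: dict) -> List[str]:
    """Expected names that the FMC does not report, sorted for stable output."""
    return sorted(expected - names_in_listing(listing))


class FmcClient:
    """Minimal FMC REST client: token login plus authenticated GET in the login domain."""

    def __init__(self, host: str, username: str, password: str, cafile: str = None):
        self.base = f"https://{host}"
        # TLS verification stays on; cafile is the CA that issued the FMC certificate.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.token = None
        self.domain = None
        self._login(username, password)

    def _login(self, username: str, password: str) -> None:
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        req = urllib.request.Request(
            f"{self.base}/api/fmc_platform/v1/auth/generatetoken",
            data=b"", method="POST",
            headers={"Authorization": f"Basic {cred}"},
        )
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            # The access token and the domain UUID come back as response headers.
            self.token = resp.headers["X-auth-access-token"]
            self.domain = resp.headers["DOMAIN_UUID"]

    def get(self, path: str, **params) -> dict:
        query = "&".join(f"{k}={v}" for k, v in params.items())
        url = f"{self.base}/api/fmc_config/v1/domain/{self.domain}{path}"
        if query:
            url = f"{url}?{query}"
        req = urllib.request.Request(url, headers={"X-auth-access-token": self.token})
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)

    def security_zones(self) -> dict:
        return self.get("/object/securityzones", limit=1000)


# Constructed stand-in for a securityzones response, so the check can run offline.
SAMPLE_LISTING = {
    "items": [
        {"name": "External_Tenant1_FTD1", "type": "SecurityZone"},
        {"name": "Internal_Tenant1_FTD1", "type": "SecurityZone"},
        {"name": "Legacy", "type": "SecurityZone"},
    ],
    "paging": {"count": 3, "offset": 0, "limit": 1000, "pages": 1},
}


def check_zones(listing: dict, zone_names: Iterable[str], tenant: str, device: str) -> List[str]:
    """Zone names the graph should have created that are absent from the FMC listing."""
    return missing_objects(expected_fmc_names(zone_names, tenant, device), listing)


if __name__ == "__main__":
    import getpass
    import sys

    # Placeholder host, user, CA bundle and names; replace with your own values.
    fmc = FmcClient("fmc.example.com", "apiuser", getpass.getpass("FMC password: "),
                    cafile="/etc/ssl/certs/fmc-ca.pem")
    missing = check_zones(fmc.security_zones(), ["External", "Internal"], "Tenant1", "FTD1")
    if missing:
        print("Missing on FMC:", ", ".join(missing))
        sys.exit(1)
    print("All expected Security Zones are present on the FMC")
```

The same pattern extends to the other objects the APIC creates; only the collection path changes. Interfaces and inline sets are per-device collections in the FMC API (under /devices/devicerecords/<device uuid>/), so for those you first look up the device record's UUID.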
Supported Functions
This section describes the exposed functionality supported by the FTD for ACI device package.
Note | An asterisk ("*") indicates that the option is required. Otherwise, it's optional. |
Note | The GraphDeploymentSuffix is "_<Tenant Name>_<Device Name>" and gets appended to a value where specified below. |
Note | For any unsupported FTD feature, we recommend that you clean up the configuration manually before removing a service graph or deleting the tenant. |
Function | Parameter | Options | Description
Access Policy | *Name | <name> | Name of the access policy.
Access Policy > *Access Rules | *Name | <name> | Name of the access rule.
Access Policy > *Access Rules | Source Interface | Reference to an Interface object's Security Zone | Zone applied to the rule's Source Zones (see Bi-directional).
Access Policy > *Access Rules | Destination Interface | Reference to an Interface object's Security Zone | Zone applied to the rule's Destination Zones (see Bi-directional).
Access Policy > *Access Rules | Bi-directional | true or false | If true, both referenced Security Zones are applied to the rule's Source Zones and Destination Zones. If false, the Source Interface zone is applied only to Source Zones and the Destination Interface zone only to Destination Zones.
Security Zone | *Name | <name> | Name of the security zone, and the APIC folder name that other APIC objects reference. The APIC appends the GraphDeploymentSuffix, so a Security Zone named External appears on the FMC as External_<Tenant Name>_<Device Name>.
Security Zone | *Type | INLINE, ROUTED or SWITCHED | Type of the security zone. It is determined by the deployment mode, and a zone type that does not match the type of its interfaces is rejected.
Inline Set | *Name | <name> | Name of the inline set, and the APIC folder name that other APIC objects reference. The APIC appends the GraphDeploymentSuffix, so an Inline Set named External appears on the FMC as External_<Tenant Name>_<Device Name>.
Inline Set | *MTU | <integer> | MTU of the inline set.
Inline Set | *Snort Fail Open Busy | true or false | Snort Fail Open Busy property of the inline set.
Inline Set | *Snort Fail Open Down | true or false | Snort Fail Open Down property of the inline set.
Interface | *Name | <name> | APIC folder name of the interface object.
Interface | *Enabled | true or false | Enable property of the interface.
Interface | *MTU | <integer> | MTU of the interface.
Interface | *Logical Name | <name> | Logical name of the interface (required for inline interfaces, otherwise optional). The APIC appends the GraphDeploymentSuffix, so a Logical Name of External appears on the FMC as External_<Tenant Name>_<Device Name>.
Interface | *Inline Set | Inline Set object | Reference to the APIC Inline Set folder object.
Interface | *Security Zone | Security Zone object | Reference to the APIC Security Zone folder object.
Interface | *IPv4 > *static > *address | IPv4 address with subnet mask | Applies only to routed interfaces, for example 1.1.1.1/24.
Bridge Group Interface | *Name | <name> | APIC folder name of the bridge group interface. The APIC appends the GraphDeploymentSuffix and other information to the object's description.
Bridge Group Interface | *IPv4 Address Configuration > *static > *address | IPv4 address with subnet mask | Applies only to transparent interfaces, for example 1.1.1.1/24.
Bridge Group Interface | *Bridge Group ID | <integer> | Identifier of the bridge group; must be unique (see Transparent Mode).
Bridge Group Interface | *Interfaces | Interface object(s) | Reference to the APIC interface folder object(s) that are members of the bridge group.
FTD Deployments
This section describes the function profile configuration changes required for the various deployment modes. All three modes require you to reference the appropriate access control policy or rules:
- Verify that the Access Policy name is set correctly.
- Verify that the Access Rules under the Access Policy are set correctly, with source and destination Security Zone mappings pointing to the correct interfaces. Set the Bi-directional flag to true to apply both interfaces' Security Zones to the rule's Source and Destination Zones.
Transparent Mode
Select the default function profile CISCO-FTD_FI-1.0/TransparentModeForFTD and:
- Verify that the Bridge Group ID ( ) is a unique number. Set the Bridge Group Interface IP address, and ensure that the member interfaces are configured correctly.
- Verify that the Security Zone name ( ) is set correctly and that its type is set to SWITCHED.
- Verify that the Logical Name of the Interface is unique ( ). Ensure that the Enabled flag is set to true and that the Security Zone is mapped correctly.
Routed Mode
Select the default function profile CISCO-FTD_FI-1.0/RoutedModeForFTD and:
- Verify that the Security Zone name ( ) is set correctly and that its type is set to ROUTED.
- Verify that the Logical Name of the Interface is unique ( ). Ensure that the Enabled flag is set to true and that the Security Zone is mapped correctly. Set the Interface IP address.
Inline Mode
Select the default function profile CISCO-FTD_FI-1.0/InlineModeForFTD and:
- Verify that the Inline Set name ( ) is set correctly.
- Verify that the Security Zone name ( ) is set correctly and that its type is set to INLINE.
- Verify that the Logical Name of the Interface is unique ( ). Ensure that the Enabled flag is set to true and that the Inline Set and Security Zone are mapped correctly.
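The three checklists above and the constraints in the Supported Functions table can be checked mechanically before a profile is applied. The following linter is an added example, not part of the device package or the APIC: it takes a simplified dictionary stand-in for a function profile (the key names mode, security_zones, interfaces, inline_sets, bridge_group_interfaces and access_policy are this example's own, not APIC parameter names) and reports every violation of the rules the page states: the Security Zone type must be ROUTED, SWITCHED or INLINE to match the firewall mode; an interface's static IPv4 address applies only to routed interfaces and a Bridge Group Interface's IPv4 address only to transparent deployments; Bridge Group IDs and Logical Names must be unique; a Logical Name is required for inline interfaces; interfaces must be Enabled; and every Inline Set and Security Zone referenced by an interface or an access rule must be defined. The two sample profiles are constructed, using RFC 5737 documentation addresses.

```python
from typing import Dict, List

# Security Zone type the page requires for each firewall mode.
MODE_TO_ZONE_TYPE = {"routed": "ROUTED", "transparent": "SWITCHED", "inline": "INLINE"}


def validate_profile(profile: dict) -> List[str]:
    """Return every constraint violation found; an empty list means the profile is clean."""
    errors: List[str] = []
    mode = profile.get("mode")
    if mode not in MODE_TO_ZONE_TYPE:
        return [f"unknown firewall mode {mode!r}; expected one of {sorted(MODE_TO_ZONE_TYPE)}"]
    want_type = MODE_TO_ZONE_TYPE[mode]

    zones = profile.get("security_zones", {})
    for zname, zone in zones.items():
        # "A mismatched security zone type and interface type are not allowed."
        if zone.get("type") != want_type:
            errors.append(f"security zone {zname}: type {zone.get('type')} does not match {mode} mode ({want_type})")

    inline_sets = profile.get("inline_sets", {})
    interfaces = profile.get("interfaces", {})
    logical_names: Dict[str, str] = {}  # logical name -> interface that claimed it
    for iname, intf in interfaces.items():
        if not intf.get("enabled", False):
            errors.append(f"interface {iname}: Enabled must be true")
        lname = intf.get("logical_name")
        if mode == "inline" and not lname:
            errors.append(f"interface {iname}: Logical Name is required for inline interfaces")
        if lname:
            if lname in logical_names:
                errors.append(f"interface {iname}: Logical Name {lname!r} already used by {logical_names[lname]}")
            logical_names[lname] = iname
        if intf.get("security_zone") not in zones:
            errors.append(f"interface {iname}: Security Zone {intf.get('security_zone')!r} is not defined")
        if "ipv4" in intf and mode != "routed":
            errors.append(f"interface {iname}: static IPv4 applies only to routed interfaces")
        if mode == "inline" and intf.get("inline_set") not in inline_sets:
            errors.append(f"interface {iname}: Inline Set {intf.get('inline_set')!r} is not defined")

    seen_ids: Dict[int, str] = {}  # bridge group id -> bridge group that claimed it
    for bname, bvi in profile.get("bridge_group_interfaces", {}).items():
        bid = bvi.get("bridge_group_id")
        if bid in seen_ids:
            errors.append(f"bridge group {bname}: Bridge Group ID {bid} already used by {seen_ids[bid]}")
        seen_ids[bid] = bname
        if "ipv4" in bvi and mode != "transparent":
            errors.append(f"bridge group {bname}: IPv4 Address Configuration applies only to transparent interfaces")
        for member in bvi.get("interfaces", []):
            if member not in interfaces:
                errors.append(f"bridge group {bname}: member interface {member!r} is not defined")

    policy = profile.get("access_policy") or {}
    if not policy.get("name"):
        errors.append("Access Policy: Name is required")
    for rule in policy.get("rules", []):
        if not rule.get("name"):
            errors.append("Access Rule: Name is required")
        for side in ("source_zone", "destination_zone"):
            zone = rule.get(side)
            if zone is not None and zone not in zones:
                errors.append(f"access rule {rule.get('name')}: {side} {zone!r} is not a defined Security Zone")
    return errors


# Constructed sample profiles (RFC 5737 addresses) mirroring the Routed and Transparent
# checklists; they are not exports from a real APIC.
ROUTED_OK = {
    "mode": "routed",
    "security_zones": {"External": {"type": "ROUTED"}, "Internal": {"type": "ROUTED"}},
    "interfaces": {
        "externalIf": {"enabled": True, "mtu": 1500, "logical_name": "External",
                       "security_zone": "External", "ipv4": "192.0.2.1/24"},
        "internalIf": {"enabled": True, "mtu": 1500, "logical_name": "Internal",
                       "security_zone": "Internal", "ipv4": "198.51.100.1/24"},
    },
    "access_policy": {"name": "AciAccessPolicy", "rules": [
        {"name": "permit-ext-int", "source_zone": "External",
         "destination_zone": "Internal", "bidirectional": True}]},
}

TRANSPARENT_BROKEN = {  # wrong zone type, IPv4 on a transparent interface, disabled interface,
    "mode": "transparent",  # duplicate Logical Name, duplicate Bridge Group ID, undefined zone
    "security_zones": {"External": {"type": "ROUTED"}, "Internal": {"type": "SWITCHED"}},
    "interfaces": {
        "externalIf": {"enabled": True, "mtu": 1500, "logical_name": "Inside",
                       "security_zone": "External", "ipv4": "192.0.2.1/24"},
        "internalIf": {"enabled": False, "mtu": 1500, "logical_name": "Inside",
                       "security_zone": "Internal"},
    },
    "bridge_group_interfaces": {
        "bvi1": {"bridge_group_id": 1, "ipv4": "192.0.2.10/24", "interfaces": ["externalIf", "internalIf"]},
        "bvi2": {"bridge_group_id": 1, "ipv4": "203.0.113.10/24", "interfaces": ["externalIf"]},
    },
    "access_policy": {"name": "AciAccessPolicy", "rules": [
        {"name": "permit-out-in", "source_zone": "Outside", "destination_zone": "Internal"}]},
}

if __name__ == "__main__":
    for label, prof in (("routed", ROUTED_OK), ("transparent", TRANSPARENT_BROKEN)):
        problems = validate_profile(prof)
        print(f"{label}: {'OK' if not problems else f'{len(problems)} problem(s)'}")
        for problem in problems:
            print("  -", problem)
```

Run it against a profile before applying the graph template; each reported line maps to one item in the checklists above, so a clean run means the Step 3 Parameters dialog should accept the profile without the APIC raising a configuration fault for these reasons.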