ASAv integration in Cisco ACI using PBR Service Graph redirection

3 people launched
Solution Overview
The use of a single bridge domain in Cisco ACI brings a FW integration challenge as a typical L4-7 service requires a separate bridge domain for each FW interface. Given that a true Application Centric approach typically requires a single bridge domain with multiple subnets, forcing traffic through a FW or LB has a great deal of challenges in the design. By utilizing a service graph and PBR (policy-based redirection) traffic can be redirected from this single bridge domain to a single interface on the FW or LB. A very large caveat is that some FW vendors do not allow traffic to come in and exit the same interface. There are a few vendors that can do this one-armed mode and we will show the Cisco ASA-based solution using the virtual Cisco ASA known as the Cisco vASA. 

Goals & Objectives

The goal of this lab is to show Cisco ACI engineers how to integrate a virtual ASA FW into Cisco ACI using PBR redirection.

In this lab you will

  • Create new bridge domains and PBR redirection policies.
  • Create L4-7 devices, service graphs and device selection policies.
  • Attache service graphs to contracts.
  • Validate redirected traffic to the virtual ASA. 

Hardware & Software

  •    Cisco ACI running version 4.0 code
  •    vCenter 6.5
  •    ASAv running 9.6.4
  •    ASDM 7.1