Cisco vFTD integration in ACI using PBR Service Graph redirection Lab

Bookmark

4 Launches

Solution Overview

The use of a single bridge domain in ACI brings a FW integration challenge as a typical L4-7 service requires a separate bridge domain for each FW interface. Given that a true Application Centric approach typically requires a single bridge domain with multiple subnets, forcing traffic through a FW or LB has a great deal of challenges in the design. By utilizing a service graph and PBR (policy-based redirection), traffic can be redirected from this single bridge domain to a single interface on the FW or LB. A very large caveat is that some FW vendors do not allow traffic to come in and exit the same interface. There are a few vendors that can do this one-armed mode, and we will show you the Cisco FTD-based solution using the virtual Cisco FTD known as the Cisco vFTD.

Goals & Objectives

The goal of this lab is to show the ACI engineer how to integrate a virtual Cisco FTD FW into ACI using PBR redirection.

In this lab you will:

Create New bridge domains and PBR redirection policies.
Create L4-7 devices, service graphs and device selection policies.
Attach service graphs to contracts.
Validate redirected traffic to the Cisco vFTP using the FMC console.

Hardware & Software

This will be accomplished by utilizing components in the Cisco ACI product portfolio. The components used include:

ACI running version 4.0 code.
vCenter 6.5.
Cisco vFTD running 6.2.2.
FMC 6.2.2.

Technologies

Contributor

Michael Witte

WWT

Technical Architect III, GET- Collaboration & Networking