Cisco vFTD integration in ACI using PBR Service Graph redirection Lab

Details

Goals & objectives

Hardware & software

Solution overview

The use of a single bridge domain in ACI brings a FW integration challenge as a typical L4-7 service requires a separate bridge domain for each FW interface. Given that a true Application Centric approach typically requires a single bridge domain with multiple subnets, forcing traffic through a FW or LB has a great deal of challenges in the design. By utilizing a service graph and PBR (policy-based redirection), traffic can be redirected from this single bridge domain to a single interface on the FW or LB. A very large caveat is that some FW vendors do not allow traffic to come in and exit the same interface. There are a few vendors that can do this one-armed mode, and we will show you the Cisco Secure Firewall (formerly FTD) -based solution using the virtual Cisco FTD known as the Cisco vFTD.

Lab diagram

Goals and objectives

The goal of this lab is to show the ACI engineer how to integrate a virtual Cisco FTD FW into ACI using PBR redirection.

In this lab you will:

Create New bridge domains and PBR redirection policies.
Create L4-7 devices, service graphs and device selection policies.
Attach service graphs to contracts.
Validate redirected traffic to the Cisco vFTP using the FMC console.

Hardware and software

This will be accomplished by utilizing components in the Cisco ACI product portfolio. The components used include:

ACI running version 4.0 code.
vCenter 6.5.
Cisco vFTD running 6.2.2.
FMC 6.2.2.

Solution overview

Lab diagram

Goals and objectives

Hardware and software

Technologies