Cisco ACI and L4–L7 Integration
A Layer 4 to Layer 7 (L4–L7) service device is a functional component that is connected to a fabric, such as a firewall, intrusion prevention system (IPS), or load balancer. Traditionally, when you insert services into a network, you must perform a highly manual and complicated VLAN (Layer 2) or VRF instance (Layer 3) stitching between network elements and service appliances. APIC can automate service insertion while acting as a central point of policy control. Cisco ACI enables you to insert L4–L7 functions using a concept called a service graph. Using the service graph, Cisco ACI can redirect traffic between security zones to a firewall or a load balancer, without the need for the firewall or the load balancer to be the default gateway for the servers. Cisco ACI can selectively send traffic to L4–L7 devices based, for instance, on the protocol and the Layer 4 port. Firewall inspection can be transparently inserted in a Layer 2 domain with almost no modification to existing routing and switching configurations. Cisco ACI also allows you to increase the capacity of L4–L7 devices by creating a pool of devices to which Cisco ACI can distribute traffic. The Cisco APIC policies manage both the network fabric and services appliances. The Cisco APIC can configure the network automatically so that traffic flows through the services.
Cisco ACI allows you to define a sequence of meta-devices, such as a firewall of a certain type followed by a load balancer of a certain make and version. This sequence is called a service graph template, also known as an abstract graph. When a contract references a service graph template, the template is instantiated by being mapped to concrete devices, such as the firewalls and load balancers present in the fabric. The mapping happens within the concept of a context: the device context is the mapping configuration that allows Cisco ACI to identify which firewalls and which load balancers can be mapped to the service graph template. A logical device represents a cluster of concrete devices. Rendering the service graph template consists of identifying the suitable logical devices that can be inserted in the path defined by the contract.
The following is the outline of the service graph workflow, as illustrated in Figure 9-8:
Figure 9-8 Service Graph Configuration Workflow
Step 1. Define an L4–L7 device (for example, the ports to which the device is connected).
Step 2. Create a service graph template that defines the flow of the traffic.
Step 3. Apply the service graph template to a contract between two EPGs.
Step 4. Create a device selection policy that ties the intended logical device to a service graph template and contract.
Step 5. Configure the firewall and the load balancers with all the necessary rules for security and load balancing, such as ACL configuration, server farm configuration, and so on.
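The steps above only produce a working insertion when every object references the others consistently: the contract subject must attach the graph template, the device selection policy must name a contract, graph and node that exist, and every connector on the graph node must map to a logical interface the device actually has. The following Python script is an added example written for this edit, not Cisco's or the APIC's own code. It models the objects from steps 1 through 4 in a small dictionary, checks them for dangling references before anything is pushed to the APIC, and renders the device selection policy in the JSON shape an APIC POST carries. The tenant, device, graph and contract names are constructed sample values; the APIC class names (vnsLDevCtx, vnsRsLDevCtxToLDev, vnsLIfCtx, vnsRsLIfCtxToLIf) and DN formats are my recollection of the APIC object model and should be verified against the model reference for the APIC release in use.

```python
"""Pre-flight checks for an ACI service graph (added example, not Cisco's code).

The configuration model below is a hand-rolled summary of the policy objects
the workflow creates. APIC class names and DN formats used in to_apic_json()
are assumptions from memory of the APIC object model.
"""
from __future__ import annotations

# Constructed sample configuration mirroring the workflow steps: a logical
# device (step 1), a one-node graph template (step 2), a contract whose
# subject attaches the graph (step 3) and a device selection policy (step 4).
SAMPLE_CONFIG = {
    "tenant": "Prod",
    "logical_devices": {
        "ASA-cluster": {"interfaces": ["inside", "outside"]},
    },
    "graph_templates": {
        "FW-graph": {"nodes": {"N1": {"connectors": ["consumer", "provider"]}}},
    },
    "contracts": {
        "web-to-app": {"subjects": {"http": {"graph": "FW-graph"}}},
    },
    "device_selection_policies": [
        {
            "contract": "web-to-app",
            "graph": "FW-graph",
            "node": "N1",
            "logical_device": "ASA-cluster",
            # connector on the graph node -> logical interface on the device
            "interface_map": {"consumer": "outside", "provider": "inside"},
        }
    ],
}


def validate_service_graph(cfg: dict) -> list[str]:
    """Return the dangling references that would keep the graph from rendering.
    An empty list means every reference resolves."""
    issues: list[str] = []
    ldevs = cfg["logical_devices"]
    graphs = cfg["graph_templates"]
    contracts = cfg["contracts"]

    # Step 3 check: every graph a contract subject attaches must exist.
    for cname, contract in contracts.items():
        for sname, subj in contract["subjects"].items():
            if subj.get("graph") and subj["graph"] not in graphs:
                issues.append(f"contract {cname}/{sname} references unknown graph {subj['graph']}")

    # Step 4 check: the device selection policy must point at a real contract,
    # graph, node, logical device and logical interfaces.
    for pol in cfg["device_selection_policies"]:
        tag = f"device selection policy ({pol['contract']}/{pol['graph']}/{pol['node']})"
        if pol["contract"] not in contracts:
            issues.append(f"{tag}: unknown contract")
        elif not any(s.get("graph") == pol["graph"]
                     for s in contracts[pol["contract"]]["subjects"].values()):
            issues.append(f"{tag}: contract does not attach graph {pol['graph']}")
        graph = graphs.get(pol["graph"])
        node = graph["nodes"].get(pol["node"]) if graph else None
        if graph is None:
            issues.append(f"{tag}: unknown graph")
        elif node is None:
            issues.append(f"{tag}: node not in graph")
        ldev = ldevs.get(pol["logical_device"])
        if ldev is None:
            issues.append(f"{tag}: unknown logical device {pol['logical_device']}")
        for conn, lif in pol["interface_map"].items():
            if node is not None and conn not in node["connectors"]:
                issues.append(f"{tag}: node has no connector {conn}")
            if ldev is not None and lif not in ldev["interfaces"]:
                issues.append(f"{tag}: device has no interface {lif}")
        if node is not None:
            for conn in node["connectors"]:
                if conn not in pol["interface_map"]:
                    issues.append(f"{tag}: connector {conn} not mapped to an interface")
    return issues


def to_apic_json(cfg: dict, pol: dict) -> dict:
    """Render one device selection policy as the vnsLDevCtx JSON an APIC POST
    would carry (class names and DN formats assumed, see module docstring)."""
    tn = f"uni/tn-{cfg['tenant']}"
    ldev_dn = f"{tn}/lDevVip-{pol['logical_device']}"
    lif_ctxs = [
        {"vnsLIfCtx": {"attributes": {"connNameOrLbl": conn},
                       "children": [{"vnsRsLIfCtxToLIf": {"attributes": {"tDn": f"{ldev_dn}/lIf-{lif}"}}}]}}
        for conn, lif in pol["interface_map"].items()
    ]
    return {"vnsLDevCtx": {
        "attributes": {"ctrctNameOrLbl": pol["contract"],
                       "graphNameOrLbl": pol["graph"],
                       "nodeNameOrLbl": pol["node"]},
        "children": [{"vnsRsLDevCtxToLDev": {"attributes": {"tDn": ldev_dn}}}] + lif_ctxs,
    }}


if __name__ == "__main__":
    import json
    print("issues:", validate_service_graph(SAMPLE_CONFIG) or "none")
    print(json.dumps(to_apic_json(SAMPLE_CONFIG, SAMPLE_CONFIG["device_selection_policies"][0]), indent=2))
```

Running the validator before the POST is the point: a device selection policy whose node or interface names do not match the graph template fails to render on the APIC, and the mistake is far easier to catch in a plain-text check than in the fabric's fault list after the contract is already applied.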