Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3291
Views
0
Helpful
8
Replies

Cisco ACI L4-L7

Go to solution
PTA90
Level 1
Level 1

‎03-28-2020 04:01 AM

Hello guys, 

I have a question as follows:

can I  integrate checkpoint firewall into ACI in one-arm mode to make L4-L7 SG with PBR for east-west and north-sourth traffic?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Hector Gustavo Serrano Gutierrez
Cisco Employee
Cisco Employee

‎03-28-2020 04:21 AM - edited ‎03-28-2020 04:24 AM

Hi,

 

As already mentioned in this post, yes, it is supported (assumptions: unmanaged mode. Firewall in Routed mode)

 

"If you want to use the same PBR node and its interfaces, you can reuse the service graph template, L4-L7 device, PBR policy, and device selection policy. In this example, traffic is redirected to FW-one-arm if it is between the L3Out EPG and the Web EPG (North-South), or between the Web EPG and the App EPG (East-West)(Figure 44)"

 

Figure 44.

white-paper-c11-739971_44.png

A high level configuration example:

Here is a configuration example (Figure 45):

●     Contract (Tenant > Security Policies > Contracts)

◦     Contract1:     Between L3Out EPG and Web EPG

◦     Contract2:     Between Web EPG and App EPG

●     L4-L7 device (Tenant > L4-L7 Services > L4-L7 Devices)

◦     PBRnode1 has one cluster interface

◦     FW-one-arm

●     Service graph template (Tenant > L4-L7 Services > L4-L7 Service Graph Templates)

◦     FWGraph1:   Node1 is the firewall function node that is PBR enabled

●     PBR policies (Tenant > Networking > Protocol Policies > L4-L7 Policy Based Redirect)

◦     PBR-policy1 (172.16.1.1 with MAC A)

●     Device selection policy (Tenant > L4-L7 Services > Device Selection Policies)

◦     any-FWGraph1-FW (If FWGraph1 is applied to any contract, the firewall function node will be this node.)

◦     Node: PBRnode1

◦     Consumer: FW-one-arm with PBR-policy1

◦     Provider: FW-one-arm with PBR-policy1

Configuration example: Reuse the same PBR node (using the same interface)

Figure 45.     

Configuration example: Reuse the same PBR node (using the same interface)

 

Source:

Cisco Application Centric Infrastructure Policy-Based Redirect Service Graph Design White Paper

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html

View solution in original post

0 Helpful
8 Replies 8

Go to solution
dijarvrella
Level 1
Level 1

‎03-28-2020 04:15 AM

Hi there,

 

Yes there is an option to add checkpoint as either a managed or unmanaged mode. For version compatibility please check the following link:

 

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/solution-overview-c22-734587.html

 

Dijar

0 Helpful

Go to solution
Hector Gustavo Serrano Gutierrez
Cisco Employee
Cisco Employee

‎03-28-2020 04:21 AM - edited ‎03-28-2020 04:24 AM

Hi,

 

As already mentioned in this post, yes, it is supported (assumptions: unmanaged mode. Firewall in Routed mode)

 

"If you want to use the same PBR node and its interfaces, you can reuse the service graph template, L4-L7 device, PBR policy, and device selection policy. In this example, traffic is redirected to FW-one-arm if it is between the L3Out EPG and the Web EPG (North-South), or between the Web EPG and the App EPG (East-West)(Figure 44)"

 

Figure 44.

white-paper-c11-739971_44.png

A high level configuration example:

Here is a configuration example (Figure 45):

●     Contract (Tenant > Security Policies > Contracts)

◦     Contract1:     Between L3Out EPG and Web EPG

◦     Contract2:     Between Web EPG and App EPG

●     L4-L7 device (Tenant > L4-L7 Services > L4-L7 Devices)

◦     PBRnode1 has one cluster interface

◦     FW-one-arm

●     Service graph template (Tenant > L4-L7 Services > L4-L7 Service Graph Templates)

◦     FWGraph1:   Node1 is the firewall function node that is PBR enabled

●     PBR policies (Tenant > Networking > Protocol Policies > L4-L7 Policy Based Redirect)

◦     PBR-policy1 (172.16.1.1 with MAC A)

●     Device selection policy (Tenant > L4-L7 Services > Device Selection Policies)

◦     any-FWGraph1-FW (If FWGraph1 is applied to any contract, the firewall function node will be this node.)

◦     Node: PBRnode1

◦     Consumer: FW-one-arm with PBR-policy1

◦     Provider: FW-one-arm with PBR-policy1

Configuration example: Reuse the same PBR node (using the same interface)

Figure 45.     

Configuration example: Reuse the same PBR node (using the same interface)

 

Source:

Cisco Application Centric Infrastructure Policy-Based Redirect Service Graph Design White Paper

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html

0 Helpful

Go to solution
PTA90
Level 1
Level 1
In response to Hector Gustavo Serrano Gutierrez

‎03-28-2020 04:53 AM

thanks everyone!

0 Helpful

Go to solution
PTA90
Level 1
Level 1
In response to Hector Gustavo Serrano Gutierrez

‎03-28-2020 05:28 AM

I have one more question:
can i connect one-arm to aci from firewall to aci using PC / vPC or connect to ACI by single physical interface?

0 Helpful

Go to solution
Sergiu.Daniluk
VIP Alumni
VIP Alumni
In response to PTA90

‎03-28-2020 05:51 AM

Hi,

Yes you can use vpc for one-arm deployments. Example:

vpc.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Cheers,

Sergiu

0 Helpful

Go to solution
PTA90
Level 1
Level 1
In response to Sergiu.Daniluk

‎03-28-2020 06:01 AM

Hi msdaniluk, thank so much!

0 Helpful

Go to solution
PTA90
Level 1
Level 1
In response to Hector Gustavo Serrano Gutierrez

‎03-28-2020 05:46 AM

I have one more question:
can i connect one-arm to aci from firewall to aci using PC / vPC or connect to ACI by single physical interface?
0 Helpful

Go to solution
tuanquangnguyen
Level 1
Level 1

‎03-28-2020 04:39 AM

If you ask on a Cisco community, the answer is that you can - you would be pointed out with the instruction and white paper on how to do so. Be aware of the anti IP spoofing configuration on the L4-L7 side.

 

If it's CheckPoint, you also are strictly required to configure a virtual MAC since even on Active/Standby, both nodes use their own interface MAC addresses to associate with the active IP. If failover happens without a vMAC, it would break your L4-L7 PBR policy.

 

On some others like Palo Alto or Cisco FirePower/ASA, the failover node will use both the MAC and IP of the previously active node so you're only recommended to configure vMAC as per best practice. But if you forgot to, or if you're integrating with the existing setup, you can just leave it as it is.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License