Service insertion for ASA

Antonio Macia
Level 3

Hi,

We are considering service insertion for the migration to ACI as the first step before moving to network-policy or service-policy.

We have an active/standby physical ASA pair where each sub-interface is the gateway for the BD and EPG (network-centric mode). 

When doing service insertion, routing between networks under each sub-interface is clear, however, for the fabric routed networks, how does ACI route the traffic towards the networks behind the ASA? Because the device is not connected as an L3out, there is no routing protocol distributing the networks into the fabric. How is this achieved?

On the other hand, does the service graph in network-policy mode allow multiple ASA sub-interfaces, or just two physical interfaces?

Regards.

5 Replies

Antonio Macia
Level 3

No one can help here?

6askorobogatov
Level 1

OK, let's take a look at that from 100,000 ft. To do service insertion you need a CONTRACT. That is where service insertion goes: the contract's subject. Let's say you have a contract with 2 subjects, one for ICMP and another one for TCP. You can send TCP to a firewall for inspection and let ICMP go direct. You may have TCP ALL in a contract and use ACLs in the FW, or specify ports in the contract and use the FW for inspection only.

Now, in a "textbook" deployment you have a firewall with one interface on a special "service" BD with an L3 interface. That BD should have IP dataplane learning disabled. The FW has a default gateway pointing to the SVI of the BD. You need to configure L4-L7 services and add a service graph to the contract. In order to let packets reach the FW you have to use PBR (policy based redirect) in Policies/Protocol/L4-L7 PBR, where you specify the FW IP and MAC or the FW VIP.

L4-L7 is relatively well documented by Cisco.

BTW, the way your current network is configured, BDs without L3 interfaces and the FW attached to an EPG and used as the default gateway, has nothing to do with network-centric vs. application-centric. It's an L2 implementation with ACI, with routing outside of the fabric. I would say you first need to move L3 to ACI, configure contracts between EPGs and then implement an L4-L7 service graph where needed.
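
Added example (not posted by anyone in this thread): the APIC REST payload for the "textbook" PBR design described in the reply above, built in Python so it can be reviewed before it is posted. The class and attribute names are APIC MIM classes (fvBD, fvSubnet, fvRsCtx, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzRsSubjGraphAtt, vnsSvcCont, vnsSvcRedirectPol, vnsRedirectDest); the tenant, VRF, BD, filter, contract and graph names and all IP/MAC values are made-up placeholders, and the service graph template is assumed to exist already. The check_design() function does the pre-flight checks a practitioner wants before committing: dataplane learning off on the service BD, PBR next hop inside the service BD subnet, MAC in the colon-hex form APIC expects.

```python
"""APIC REST payload for a two-subject contract with PBR to an ASA.

Added example, not from this thread. Names and addresses are placeholders.
"""
import ipaddress
import json
import re

TENANT = "Prod"                 # assumed tenant
VRF = "Prod-VRF"                # assumed VRF
SVC_BD = "ASA-Svc-BD"           # service BD holding the ASA data interface
SVC_GW = "10.100.0.1/24"        # BD SVI = ASA default gateway (assumed)
ASA_IP = "10.100.0.10"          # ASA interface IP, the PBR next hop (assumed)
ASA_MAC = "00:11:22:33:44:55"   # ASA interface MAC (assumed)
GRAPH = "ASA-PBR-Graph"         # service graph template assumed to exist
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def mo(cls, attributes, children=()):
    """Wrap a class, its attributes and children in the APIC JSON MO shape."""
    body = {"attributes": attributes}
    if children:
        body["children"] = list(children)
    return {cls: body}


def service_bd(ip_learning="no"):
    """Routed service BD with IP dataplane learning disabled, so the fabric
    does not learn the ASA IP from redirected packets arriving on a leaf."""
    return mo("fvBD", {"name": SVC_BD, "unicastRoute": "yes", "ipLearning": ip_learning},
              [mo("fvRsCtx", {"tnFvCtxName": VRF}),
               mo("fvSubnet", {"ip": SVC_GW, "scope": "private"})])


def pbr_policy(ip=ASA_IP, mac=ASA_MAC, name="ASA-PBR"):
    """PBR policy: the IP and MAC the leaf rewrites redirected frames towards."""
    return mo("vnsSvcCont", {},
              [mo("vnsSvcRedirectPol", {"name": name},
                  [mo("vnsRedirectDest", {"ip": ip, "mac": mac})])])


def filters():
    """One filter for ICMP, one for all TCP (port granularity left to the ASA)."""
    return [
        mo("vzFilter", {"name": "icmp"},
           [mo("vzEntry", {"name": "icmp", "etherT": "ip", "prot": "icmp"})]),
        mo("vzFilter", {"name": "tcp-any"},
           [mo("vzEntry", {"name": "tcp", "etherT": "ip", "prot": "tcp",
                           "dFromPort": "unspecified", "dToPort": "unspecified"})]),
    ]


def contract(name="Web-to-DB"):
    """Two subjects: ICMP permitted directly, TCP sent through the graph (PBR)."""
    return mo("vzBrCP", {"name": name, "scope": "context"},
              [mo("vzSubj", {"name": "icmp-direct"},
                  [mo("vzRsSubjFiltAtt", {"tnVzFilterName": "icmp"})]),
               mo("vzSubj", {"name": "tcp-via-asa"},
                  [mo("vzRsSubjFiltAtt", {"tnVzFilterName": "tcp-any"}),
                   mo("vzRsSubjGraphAtt", {"tnVnsAbsGraphName": GRAPH})])])


def tenant_payload(asa_ip=ASA_IP, asa_mac=ASA_MAC, ip_learning="no"):
    """Complete body to POST to https://<apic>/api/mo/uni.json (host assumed)."""
    return mo("fvTenant", {"name": TENANT},
              [service_bd(ip_learning), pbr_policy(asa_ip, asa_mac), *filters(), contract()])


def redirected_subjects(payload):
    """Names of contract subjects that carry a service graph attachment."""
    names = []
    for child in payload["fvTenant"]["children"]:
        for subj in child.get("vzBrCP", {}).get("children", []):
            if any("vzRsSubjGraphAtt" in k for k in subj["vzSubj"].get("children", [])):
                names.append(subj["vzSubj"]["attributes"]["name"])
    return names


def check_design(payload):
    """Pre-flight checks: learning off on the service BD, PBR next hop inside
    that BD's subnet, MAC in colon-hex form (PBR rewrites to IP and MAC; with a
    wrong MAC the ASA never sees the redirected frames)."""
    issues = []
    children = payload["fvTenant"]["children"]
    bd = next(c["fvBD"] for c in children if "fvBD" in c)
    if bd["attributes"].get("ipLearning") != "no":
        issues.append(f"BD {bd['attributes']['name']}: disable IP dataplane learning")
    subnet = ipaddress.ip_interface(
        next(c["fvSubnet"]["attributes"]["ip"] for c in bd["children"] if "fvSubnet" in c)
    ).network
    cont = next(c["vnsSvcCont"] for c in children if "vnsSvcCont" in c)
    for pol in cont["children"]:
        for dest in pol["vnsSvcRedirectPol"]["children"]:
            a = dest["vnsRedirectDest"]["attributes"]
            if ipaddress.ip_address(a["ip"]) not in subnet:
                issues.append(f"PBR dest {a['ip']} not in service BD subnet {subnet}")
            if not MAC_RE.fullmatch(a.get("mac", "")):
                issues.append(f"PBR dest {a['ip']}: MAC {a.get('mac')!r} must be xx:xx:xx:xx:xx:xx")
    return issues


if __name__ == "__main__":
    body = tenant_payload()
    print(json.dumps(body, indent=2))
    print("issues:", check_design(body) or "none")
```

Only the TCP subject gets the graph attachment, so ICMP between the two EPGs is switched by the fabric while TCP is redirected to the ASA; the device selection policy that binds the graph to the L4-L7 device and the PBR policy is configured separately and is not shown here.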

Hi,

Let me explain so we are all on the same page. Our current data center design has some of the VLANs using the ASA's sub-interfaces as their gateway, while others are routed by the Nexus 5596. As the first step in the ACI migration we need to keep the same topology (network-centric); we cannot migrate the hundreds of ASA rules to contracts yet.

I've read the Service Graph Design White Paper and watched the BRKACI-2506 session and, of the different methods, two could fit the migration: service insertion or redirect in network mode (neither service mode nor service managed).

In the first case, I'm not able to understand how the fabric can reach the networks behind the ASA when the BD is not the gateway and hence the subnets are not learned by the fabric, as they would be with an L3out for example.

For the redirect case, during the L4-L7 physical device configuration you select the physical fabric ports that connect to the trunked ASA interfaces and give them a name for later use in the contract. Later, when creating the contract between two different EPGs, you select those interfaces; however, these are physical interfaces, not the sub-interfaces, so how would the ASA endpoints reach their corresponding gateway on the sub-interface?

Hope I've explained myself better.

In a nutshell, there are 3 ways you can connect a FW with ACI.

1. Add the FW as a static node to an EPG and make it the default gateway (or add more specific routes) pointing to the FW IP.

That is your current config, if I got it right. In this case ACI acts as an L2 switch, nothing more.

2. Create 2 VRFs, attach BDs with L3 interfaces to the VRFs, and insert the FW between the 2 VRFs via L3Outs. In this case what is behind the FW will be defined in L3Out routes and Net-EPGs. You also need a contract / Preferred Group / unenforced VRF to make the endpoint EPG talk to the Net-EPG.

3. Have 2 BDs with L3 interfaces. Have corresponding EPGs bound to each BD. Have contract(s) allowing traffic between the EPGs. Create the L4-L7 service insertion FW. Create PBR policies to direct traffic to the FW. Add the FW L4-L7 graph and PBR to the desired subjects on the contract(s).

In other words, before you move your L3 interfaces on the BDs to ACI, there will be no L4-L7.

Also, a word of advice: if you have many granular rules in the FWs, you may want to keep them and not convert them to contracts. ACI contracts are not a substitute for a FW, for many reasons. Also you need to remember that the TCAM table is not unlimited.