ACI Firewall Configuration Example - Routed Firewall with L3Out PBR in One Arm Mode
- Originally Written: February, 2023
Info
This post uses the Nexus as Code (NaC) project, which makes it very easy to configure ACI fabrics through a YAML file. More details and examples can be found at https://developer.cisco.com/docs/nexus-as-code/#!aci-introduction
Example scenario
Note
This configuration is also used in the Firewall Migration scenario, which can be found at https://tl10k.dev/categories/networking/aci/firewall-migration/
- ACI PBR using an L3Out from one EPG through an ASAv to another EPG
- ASAv is configured in routed mode
- The ASAv interface is connected to an L3Out in the ACI tenant
- The client and server VMs are in their own BDs, separate from the firewall BD
- There is a separate VRF on the firewall which allows a default route to send traffic back into the ACI fabric
Why a second VRF?
A new VRF, vrf-pbr, is configured on the firewall. This VRF contains the PBR interface and a default route pointing to 6.6.6.1/24, the gateway of the PBR bridge domain in the ACI fabric.
The new VRF is used because the firewall may already contain a default route pointing to the external network, and a single routing table can only hold one default route.
Configuration
Note
The ACI configuration below assumes that the vCenter integration (VMM, VLAN pool, and AAEP) has already been set up.
Nexus as Code
Configuration
```yaml
---
apic:
  tenants:
    - name: conmurph
      managed: false
      bridge_domains:
        - name: 192.168.100.0_24
          alias: migrated-subnet-1
          vrf: vrf-01
          subnets:
            - ip: 192.168.100.1
              public: true
          l3outs:
            - floating-l3out-to-firewall
        - name: 192.168.101.0_24
          alias: migrated-subnet-2
          vrf: vrf-01
          subnets:
            - ip: 192.168.101.1
              public: true
          l3outs:
            - floating-l3out-to-firewall
        - name: 6.6.6.0_24
          alias: pbr_bd
          vrf: vrf-01
          subnets:
            - ip: 6.6.6.1/24
      application_profiles:
        - name: network-segments
          managed: false
          endpoint_groups:
            - name: 192.168.100.0_24
              bridge_domain: 192.168.100.0_24
              vmware_vmm_domains:
                - name: ucsc-c220m5-vds-01
                  deployment_immediacy: immediate
                  resolution_immediacy: immediate
                  u_segmentation: true
            - name: 192.168.101.0_24
              bridge_domain: 192.168.101.0_24
              vmware_vmm_domains:
                - name: ucsc-c220m5-vds-01
                  deployment_immediacy: immediate
                  resolution_immediacy: immediate
                  u_segmentation: true
            - name: 6.6.6.0_24
              alias: pbr_bd
              bridge_domain: 6.6.6.0_24
              vmware_vmm_domains:
                - name: ucsc-c220m5-vds-01
                  deployment_immediacy: immediate
                  resolution_immediacy: immediate
        - name: network-security-groups
          managed: false
          endpoint_security_groups:
            - name: migrated-subnets
              vrf: vrf-01
              intra_esg_isolation: true
              contracts:
                intra_esgs:
                  - to-firewall-pbr
                consumers:
                  - to-firewall-l3out
              epg_selectors:
                - application_profile: network-segments
                  endpoint_group: 192.168.100.0_24
                - application_profile: network-segments
                  endpoint_group: 192.168.101.0_24
      filters:
        - name: icmp-src-any-to-dst
          entries:
            - name: src-any-to-dst
              ethertype: ip
              protocol: icmp
      contracts:
        - name: to-firewall-pbr
          subjects:
            - name: icmp
              filters:
                - filter: icmp-src-any-to-dst
              service_graph: conmurph-ftdv-routed-1
        - name: to-firewall-l3out
          subjects:
            - name: icmp
              filters:
                - filter: icmp-src-any-to-dst
      services:
        service_graph_templates:
          - name: conmurph-ftdv-routed-1
            template_type: FW_ROUTED
            redirect: true
            device:
              tenant: conmurph
              name: conmurph-ftdv-routed-1
        l4l7_devices:
          - name: conmurph-ftdv-routed-1
            context_aware: single-Context
            type: VIRTUAL
            vmware_vmm_domain: ucsc-c220m5-vds-01
            function: GoTo
            managed: false
            service_type: FW
            concrete_devices:
              - name: conmurph-ftdv-routed-1
                vcenter_name: <your-vcenter-name> # this is assuming a virtual firewall already setup
                vm_name: conmurph-ftdv-routed-1 # name of the virtual firewall VM
                interfaces:
                  - name: client
                    vnic_name: Network adapter 9 # network adapter on the VM which is used for PBR
            logical_interfaces:
              - name: client
                concrete_interfaces:
                  - device: conmurph-ftdv-routed-1
                    interface_name: client
        redirect_policies:
          - name: client
            l3_destinations:
              - ip: 6.6.6.2
                mac: 00:50:56:a1:2e:9b # MAC address of the network adapter 9 from above
        device_selection_policies:
          - contract: to-firewall-pbr
            service_graph_template: conmurph-ftdv-routed-1
            consumer:
              l3_destination: true
              redirect_policy:
                name: client
              logical_interface: client
              bridge_domain:
                name: 6.6.6.0_24
            provider:
              l3_destination: true
              redirect_policy:
                name: client
              logical_interface: client
              bridge_domain:
                name: 6.6.6.0_24
      l3outs:
        - name: floating-l3out-to-firewall
          vrf: vrf-01
          domain: conmurph.vrf-01
          ospf:
            area: 0
            area_type: regular
          node_profiles:
            - name: border-leafs
              nodes:
                - node_id: 101
                  router_id: 101.2.1.1
                - node_id: 102
                  router_id: 102.2.1.1
              interface_profiles:
                - name: ucsc-c220m5-vds-01
                  ospf:
                    policy: floating-l3out-to-firewall
                  interfaces: # floating SVI
                    - node_id: 101
                      vlan: 500
                      floating_svi: true
                      ip: 172.16.100.1/24
                      paths:
                        - vmware_vmm_domain: ucsc-c220m5-vds-01
                          floating_ip: 172.16.100.3/24
                    - node_id: 102
                      vlan: 500
                      floating_svi: true
                      ip: 172.16.100.2/24
                      paths:
                        - vmware_vmm_domain: ucsc-c220m5-vds-01
                          floating_ip: 172.16.100.3/24
          external_endpoint_groups:
            - name: all-ext-subnets
              contracts:
                providers:
                  - to-firewall-l3out
              subnets:
                - prefix: 0.0.0.0/1
                - prefix: 128.0.0.0/1
      policies:
        ospf_interface_policies:
          - name: floating-l3out-to-firewall
            network_type: bcast
```
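The PBR wiring above only works when several separately defined objects agree with each other: the redirect destination has to be a host inside the bridge domain the device selection policy is attached to (and not the BD gateway), the contract named in the device selection policy has to carry the same service graph in one of its subjects, and, because the ESG is isolated, the intra-ESG contract has to redirect, otherwise the two migrated subnets would reach each other without passing the firewall. The check below is an added example, not part of the post and not part of the Nexus as Code project. `TENANT` is a constructed excerpt of the YAML above in the shape `yaml.safe_load` would return it; the function names and finding messages are this example's own, and `broken_variant` is a constructed copy with two deliberate mistakes to show what the findings look like.

```python
import copy
import ipaddress
import re

# Constructed excerpt of the tenant definition above, shaped as yaml.safe_load would return it.
# Keys and values come from the post; anything the checks do not need is omitted.
TENANT = {
    "bridge_domains": [
        {"name": "192.168.100.0_24", "subnets": [{"ip": "192.168.100.1"}]},
        {"name": "192.168.101.0_24", "subnets": [{"ip": "192.168.101.1"}]},
        {"name": "6.6.6.0_24", "alias": "pbr_bd", "subnets": [{"ip": "6.6.6.1/24"}]},
    ],
    "application_profiles": [{"name": "network-security-groups", "endpoint_security_groups": [{
        "name": "migrated-subnets", "intra_esg_isolation": True,
        "contracts": {"intra_esgs": ["to-firewall-pbr"], "consumers": ["to-firewall-l3out"]}}]}],
    "contracts": [
        {"name": "to-firewall-pbr", "subjects": [{"name": "icmp", "service_graph": "conmurph-ftdv-routed-1"}]},
        {"name": "to-firewall-l3out", "subjects": [{"name": "icmp"}]},
    ],
    "services": {
        "service_graph_templates": [{"name": "conmurph-ftdv-routed-1", "redirect": True}],
        "redirect_policies": [{"name": "client", "l3_destinations": [{"ip": "6.6.6.2", "mac": "00:50:56:a1:2e:9b"}]}],
        "device_selection_policies": [{
            "contract": "to-firewall-pbr", "service_graph_template": "conmurph-ftdv-routed-1",
            "consumer": {"redirect_policy": {"name": "client"}, "bridge_domain": {"name": "6.6.6.0_24"}},
            "provider": {"redirect_policy": {"name": "client"}, "bridge_domain": {"name": "6.6.6.0_24"}}}],
    },
}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def _by_name(items, name):
    """First dict in items whose 'name' equals name, or None."""
    return next((i for i in items if i.get("name") == name), None)

def check_redirect_destinations(tenant):
    """Each PBR next hop must sit inside the BD the policy is attached to, must not be the BD
    gateway itself, and must carry a well-formed MAC (the leaf rewrites the destination MAC to it)."""
    findings, svc = [], tenant["services"]
    for dsp in svc["device_selection_policies"]:
        for side in ("consumer", "provider"):
            rp_name = dsp[side]["redirect_policy"]["name"]
            bd_name = dsp[side]["bridge_domain"]["name"]
            rp = _by_name(svc["redirect_policies"], rp_name)
            bd = _by_name(tenant["bridge_domains"], bd_name)
            if rp is None or bd is None:
                findings.append(f"{dsp['contract']}/{side}: unknown redirect policy {rp_name!r} or BD {bd_name!r}")
                continue
            gateways = [ipaddress.ip_interface(s["ip"]) for s in bd["subnets"]]
            for dest in rp["l3_destinations"]:
                ip = ipaddress.ip_address(dest["ip"])
                if not any(ip in g.network for g in gateways):
                    findings.append(f"{rp_name}: destination {ip} is outside every subnet of BD {bd_name}")
                if any(ip == g.ip for g in gateways):
                    findings.append(f"{rp_name}: destination {ip} is the BD gateway, not the firewall")
                if not MAC_RE.match(dest.get("mac", "")):
                    findings.append(f"{rp_name}: destination {ip} has a malformed MAC {dest.get('mac')!r}")
    return findings

def check_contract_graph_binding(tenant):
    """A device selection policy only applies if a subject of its contract uses the same graph."""
    findings = []
    for dsp in tenant["services"]["device_selection_policies"]:
        contract = _by_name(tenant["contracts"], dsp["contract"])
        graphs = {s.get("service_graph") for s in contract["subjects"]} if contract else set()
        if dsp["service_graph_template"] not in graphs:
            findings.append(f"contract {dsp['contract']!r}: no subject uses graph {dsp['service_graph_template']!r}")
    return findings

def check_isolated_esg_inspection(tenant):
    """With intra_esg_isolation on, the intra-ESG contracts are the only path between the migrated
    subnets; one without a redirect graph would let them reach each other without the firewall."""
    findings, templates = [], tenant["services"]["service_graph_templates"]
    for ap in tenant["application_profiles"]:
        for esg in ap.get("endpoint_security_groups", []):
            if not esg.get("intra_esg_isolation"):
                continue
            for cname in esg.get("contracts", {}).get("intra_esgs", []):
                contract = _by_name(tenant["contracts"], cname) or {"subjects": []}
                redirecting = any((_by_name(templates, s.get("service_graph")) or {}).get("redirect")
                                  for s in contract["subjects"])
                if not redirecting:
                    findings.append(f"ESG {esg['name']}: intra-ESG contract {cname!r} does not redirect to the firewall")
    return findings

def lint(tenant):
    """All checks together; an empty list means the PBR wiring is consistent."""
    return (check_redirect_destinations(tenant) + check_contract_graph_binding(tenant)
            + check_isolated_esg_inspection(tenant))

def broken_variant():
    """Constructed copy of TENANT with the next hop moved outside the BD and the graph dropped."""
    bad = copy.deepcopy(TENANT)
    bad["services"]["redirect_policies"][0]["l3_destinations"][0]["ip"] = "6.6.7.2"
    del bad["contracts"][0]["subjects"][0]["service_graph"]
    return bad
```

`lint(TENANT)` returns no findings for the configuration in the post. For `broken_variant()` it reports the misplaced next hop once per side (consumer and provider both point at the same redirect policy), the contract whose subject no longer carries the graph, and the isolated ESG whose intra-ESG contract therefore no longer redirects. Running the same checks against the real file only needs `TENANT = yaml.safe_load(open(path))["apic"]["tenants"][0]` in place of the constructed dict.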
FTDv Deployment
- This setup may not exactly match your environment and is for example purposes only
- A virtual FTD (FTDv) is used as the firewall
- In this example there's a VM, 10.10.103.10, outside of the ACI fabric that is connected to the firewall to simulate external traffic
- The FTDv has a default VRF which provides connectivity to the external network
- A second VRF (vrf-pbr) is configured on the FTDv for the PBR functionality
- A default route is configured in the second VRF (vrf-pbr) to send any traffic received on the PBR link back into the ACI fabric
Verify
Info
- The route table on the left-hand side is for the firewall default VRF (global in the FMC screenshot above). This provides connectivity to the migrated, legacy, and external networks (via the default route 0.0.0.0/0).
- The route table on the right-hand side is for the firewall pbr VRF. Since there is only a single interface in this VRF, and therefore only one way in and out, there is a single default route pointing back to the ACI fabric, i.e. once traffic has been sent to the firewall, to get anywhere else it must go back to the ACI fabric. The separate VRFs allow two default routes: one pointing back to the ACI fabric for PBR traffic, and one pointing to the external network for any traffic needing to egress the fabric.
- The third route table is from one of the ACI leaf switches, aci-dev-01-leaf-102
Resources
- https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html
- https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKACI-2644.pdf
- https://www.youtube.com/watch?v=JUUk4h22pHA
- https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.pdf
- https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-743150.html#ACIBDsubnetadvertisement