Configuring the Cisco APIC management console

To configure the deployment on the Cisco APIC management console:
  1. Log in to the Cisco APIC management console.
  2. Configure the BDs:
    1. On the Tenants tab, go to Unmanage > Networking > Bridge Domains.
    2. Configure the App BD:
      1. Click Add Tenant.
      2. In the Name field, enter App.
      3. For IP Data-plane Learning, select yes.

    3. Configure the Web BD:
      1. Click Add Tenant.
      2. In the Name field, enter Web.
      3. For IP Data-plane Learning, select yes.
    4. Configure the Fw-Svc-OneArm BD:
      1. Click Add Tenant.
      2. In the Name field, enter Fw-Svc-OneArm BD.
      3. For IP Data-plane Learning, select no.
  3. Go to Policies. Configure a PBR policy:
    1. Enable Anycast Endpoint. This is required to allow the traffic to flow through either cluster.
    2. Under L3 Destinations, add the PBR IP and MAC addresses. In this case, the addresses are 172.16.1.254 and 00:09:0F:09:70:02, respectively.

  4. Configure an L4-L7 device:
    1. Go to Services > L4-L7 > Devices.
    2. Create a new device.
    3. Ensure that Managed is unselected.
    4. From the Physical Domain dropdown list, select FWDomain_Unmanage.
    5. Under Devices, add the FortiGate. In this example, the device name is FG1101E-1, and the interface is Port1.
    6. Under Cluster Interfaces, add the FGT1101E-1 port1 as a concrete interface and vlan-400 as the encapsulation.

  5. Configure the service graph template:
    1. Go to Services > L4-L7 > Service Graph Templates.
    2. Create a new service graph template that goes from the consumer (Web EPG), through the L4-L7 device that you created, to the provider (App EPG).
    3. For Firewall, select Routed.
    4. For Route Redirect, select true.

  6. Create a filter:
    1. Go to Contracts > Filters.
    2. Create a new contract.
    3. In the Name field, enter Allow_Any.
    4. Under Entries, configure one entry that allows all traffic.

  7. Configure the contract:
    1. Go to Contracts > Standard.
    2. Create a new contract.
    3. Under Subjects, configure the Allow_Any filter. This contract is now applied between the Web and App EPGs. Until the firewall integration is configured, the Web and App EPGs can communicate freely without any inspection.
  8. Apply the service graph template:
    1. Under Services > L4-L7 > Service Graph Templates, right-click the service graph template that you created, and select Apply L4-L7 Service Graph Template.
    2. From the Consumer EPG / External Network dropdown list, select the Web EPG.
    3. From the Provider EPG / Internal Network dropdown list, select the App EPG.
    4. For Contract Type, select Select Existing Contract Subject.
    5. From the Existing Contracts with Subjects dropdown list, select Allow_Any.
    6. From the Service Graph Template dropdown list, select FG1101E-OneArm_Unmanage.
    7. Under Consumer Connector, configure the following:
      1. From the BD dropdown list, select Fw-Svc-OneArm.
      2. From the Redirect Policy dropdown list, select FGT-One-Arm-PBR.
      3. Leave the Service EPG Policy field empty.
      4. From the Cluster Interface dropdown list, select int.

    8. Under Provider Connector, configure the following:
      1. For Type, select General.
      2. Configure other fields with the same values as for the consumer connector.
  9. Configure a device selection policy:
    1. Go to Services > L4-L7 > Device Selection Policies.
    2. Create a new policy.
    3. For the contract, select Any.
    4. For the graph, select FG1101-OneArm_Unmanage.
    5. From the Devices dropdown list, select FG1101E_Unmanage.
  10. Go to Services > L4-L7 > Deployed Graph Instances. Confirm that the service graph has been deployed as configured.
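The procedure above is entered through the APIC GUI, but the same objects can be expressed as the JSON tree that APIC accepts and checked offline before anything is pushed. The script below is an added example written for this page; it is not Fortinet's or Cisco's code. It builds the tenant subtree with the values the page uses (three BDs, the PBR IP 172.16.1.254 and MAC 00:09:0F:09:70:02, the Allow_Any filter, the FG1101E-OneArm_Unmanage graph) and then validates the points a reviewer would check: the one-arm service BD has IP data-plane learning set to no, the PBR policy has anycast enabled and a well-formed L3 destination, and, following the caveat in step 7, any contract subject that permits all traffic has a service graph attached, otherwise Web and App are talking uninspected. The ACI class and attribute names (fvTenant, fvBD/ipLearning, vnsSvcRedirectPol/AnycastEnabled, vnsRedirectDest, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzRsSubjGraphAtt) and the contract name Web-to-App are assumptions, not taken from the page; confirm them against the APIC API inspector for your release before posting the payload.

```python
"""Offline builder and validator for the FortiGate one-arm PBR tenant config.

Added example for this page, not Fortinet's or Cisco's code. Class and
attribute names below are assumptions about the ACI object model; verify
them against your APIC's API inspector before posting anything.
"""
import ipaddress
import json
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Values taken from the procedure on this page.
BRIDGE_DOMAINS = {"App": "yes", "Web": "yes", "Fw-Svc-OneArm": "no"}
PBR_IP = "172.16.1.254"
PBR_MAC = "00:09:0F:09:70:02"
PBR_POLICY = "FGT-One-Arm-PBR"
GRAPH = "FG1101E-OneArm_Unmanage"
CONTRACT = "Web-to-App"  # constructed name; the page does not name the contract


def build_tenant(tenant="Unmanage", bds=None, pbr_ip=PBR_IP, pbr_mac=PBR_MAC,
                 graph=GRAPH, anycast="yes"):
    """Return the tenant subtree as a dict in the JSON shape APIC accepts.
    Passing graph=None models step 7 before the service graph is applied."""
    bds = BRIDGE_DOMAINS if bds is None else bds
    children = [{"fvBD": {"attributes": {"name": n, "ipLearning": v}}}
                for n, v in bds.items()]
    # PBR policy (step 3): anycast endpoint plus one L3 destination.
    children.append({"vnsSvcRedirectPol": {
        "attributes": {"name": PBR_POLICY, "AnycastEnabled": anycast},
        "children": [{"vnsRedirectDest": {"attributes": {"ip": pbr_ip, "mac": pbr_mac}}}],
    }})
    # Contract (step 7) whose subject uses the Allow_Any filter; the graph
    # attachment (step 8) is what actually steers traffic through the firewall.
    subj_children = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "Allow_Any"}}}]
    if graph:
        subj_children.append({"vzRsSubjGraphAtt": {"attributes": {"tnVnsAbsGraphName": graph}}})
    children.append({"vzBrCP": {
        "attributes": {"name": CONTRACT},
        "children": [{"vzSubj": {"attributes": {"name": "Allow_Any"},
                                 "children": subj_children}}],
    }})
    return {"fvTenant": {"attributes": {"name": tenant}, "children": children}}


def validate(tree, service_bd="Fw-Svc-OneArm"):
    """Return a list of problem strings; an empty list means every check passed."""
    problems = []
    children = tree["fvTenant"]["children"]
    bds = {c["fvBD"]["attributes"]["name"]: c["fvBD"]["attributes"]
           for c in children if "fvBD" in c}
    # Step 2: learning off on the service BD, on for the workload BDs.
    if service_bd not in bds:
        problems.append(f"service BD {service_bd} missing")
    elif bds[service_bd].get("ipLearning") != "no":
        problems.append(f"IP data-plane learning must be 'no' on service BD {service_bd}")
    for name, attrs in bds.items():
        if name != service_bd and attrs.get("ipLearning") != "yes":
            problems.append(f"IP data-plane learning should be 'yes' on BD {name}")
    # Step 3: anycast enabled and a syntactically valid redirect destination.
    for c in children:
        if "vnsSvcRedirectPol" not in c:
            continue
        pol = c["vnsSvcRedirectPol"]
        if pol["attributes"].get("AnycastEnabled") != "yes":
            problems.append(f"anycast endpoint disabled on PBR policy {pol['attributes']['name']}")
        dests = [d["vnsRedirectDest"]["attributes"]
                 for d in pol.get("children", []) if "vnsRedirectDest" in d]
        if not dests:
            problems.append("PBR policy has no L3 destination")
        for d in dests:
            try:
                ipaddress.ip_address(d.get("ip", ""))
            except ValueError:
                problems.append(f"invalid PBR IP {d.get('ip')!r}")
            if not MAC_RE.match(d.get("mac", "")):
                problems.append(f"invalid PBR MAC {d.get('mac')!r}")
    # Step 7 caveat: an allow-all subject with no graph attached is uninspected.
    for c in children:
        if "vzBrCP" not in c:
            continue
        cname = c["vzBrCP"]["attributes"]["name"]
        for s in c["vzBrCP"].get("children", []):
            subj = s.get("vzSubj")
            if not subj:
                continue
            kids = subj.get("children", [])
            permits_all = any("vzRsSubjFiltAtt" in k and
                              k["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"] == "Allow_Any"
                              for k in kids)
            has_graph = any("vzRsSubjGraphAtt" in k for k in kids)
            if permits_all and not has_graph:
                problems.append(f"contract {cname}: Allow_Any subject has no service graph, "
                                "traffic is uninspected")
    return problems


def to_json(tree):
    """Serialise the tree as the body of an APIC POST (for review, not sent here)."""
    return json.dumps(tree, indent=2)


if __name__ == "__main__":
    complete = build_tenant()
    print(to_json(complete))
    print("problems (graph applied):", validate(complete))
    print("problems (graph not yet applied):", validate(build_tenant(graph=None)))
```

Running the script prints the payload and two validation results: an empty list for the finished configuration and one finding for the intermediate state after step 7, which is the window the page warns about. The validator only checks structure and the page's stated values; it does not confirm that 172.16.1.254 sits inside the service BD subnet or that the MAC matches the FortiGate port1, which still have to be checked on the firewall side.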
