Cisco ACI Infra: ASAv (Adaptive Security Virtual Appliance)

Cisco ACI Infrastructure
Integration of ASAv (Adaptive Security Virtual Appliance)

What is Cisco ACI?
Cisco Application Centric Infrastructure (ACI) is a data center-focused software-defined networking (SDN) solution. Cisco ACI enables the definition of network infrastructure based on network policies, simplifying, optimizing, and expediting the application deployment lifecycle.

What is Cisco Adaptive Security Virtual Appliance (ASAv)?
The Adaptive Security Virtual Appliance runs as a virtual machine inside a hypervisor on a virtual host. Except for clustering and multiple contexts, most of the functionality that Cisco software supports on a physical ASA is also available on the virtual appliance.

The site-to-site VPN, remote access VPN, and clientless VPN features available on physical ASA devices are also supported by the virtual appliance.

Cisco ACI Infra with ASAv
Fig 1.1-Cisco ACI Infra with ASAv

Cisco's ASAv virtual firewall in ACI
Cisco's ASAv virtual firewall will be integrated with the Cisco ACI fabric. This means that we will be able to set up the ASAv-supported capabilities from the ACI fabric. The Cisco ACI fabric will configure and manage functions such as setting interface IP addresses, NAT, PAT, object grouping, and ACLs on the ASAv firewall.

ASAv is installed as a virtual machine (VM) on one of the ESXi servers in the VM domain. This VM must be reachable from the Cisco ACI fabric over its out-of-band (OOB) management IP. All VM configuration will be pushed to the firewall over that OOB management connection.

Deploy ASAv with ACI fabric:
The ASAv device package must be obtained from the Cisco website and installed within the Cisco ACI fabric. This device package will serve as a translator between Cisco ACI and the ASAv VM. 

With the aid of the device package, every ASAv configuration pushed from Cisco ACI will be understood by the VM. The Cisco ACI functions that the APIC can apply to the ASAv are the ones provided by the device package.

The ASAv VM must be installed on one of the ESXi hosts. This VM should be OOB reachable from the Cisco ACI fabric. A VM in .ova file format may be downloaded from the Cisco website and installed on any of the network's ESXi hosts.

Creating an L4-L7 device
We may now construct an L4-L7 device of type firewall once the VM is deployed and the device package is loaded in Cisco ACI. In this section, we describe the ASAv VM and map it to the device package loaded on Cisco ACI. We also identify the interface types on the firewall and supply the OOB IP address and the credentials that the APIC uses to log into the ASAv.
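As an added example (not code from this post), the L4-L7 device creation described above expressed as an APIC REST API call: it builds the logical device object with its device-package binding, the VM's OOB management IP and the login credentials, then pushes it under a tenant. The tenant, VMM domain and device-package DNs, the IP and the VM names are placeholders, and the vns* class and attribute names are assumed from the APIC object model; check them against the model reference for your APIC and device-package version.

```python
# Added example (not from the original post). Class and attribute names such as
# vnsLDevVip, vnsCDev, vnsCMgmt, vnsCCred and vnsRsMDevAtt are assumed from the APIC
# object model; check them in the model reference for your APIC/device-package version.
import json
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET

def build_ldev_payload(name, mdev_dn, vmm_dom_dn, vcenter, vm_name, mgmt_ip, user, pwd):
    """XML for a managed virtual firewall (vnsLDevVip) with one concrete device
    (vnsCDev) that APIC reaches over the VM's OOB management IP."""
    ldev = ET.Element("vnsLDevVip", name=name, devtype="VIRTUAL", svcType="FW",
                      managed="yes", funcType="GoTo", contextAware="single-Context")
    ET.SubElement(ldev, "vnsRsMDevAtt", tDn=mdev_dn)         # bind to the device package
    ET.SubElement(ldev, "vnsRsALDevToDomP", tDn=vmm_dom_dn)  # VMM domain hosting the VM
    cdev = ET.SubElement(ldev, "vnsCDev", name=f"{name}-1", vcenterName=vcenter, vmName=vm_name)
    ET.SubElement(cdev, "vnsCMgmt", name="devMgmt", host=mgmt_ip, port="443")
    ET.SubElement(cdev, "vnsCCred", name="username", value=user)
    ET.SubElement(cdev, "vnsCCredSecret", name="password", value=pwd)
    return ET.tostring(ldev, encoding="unicode")

def apic_login(apic, user, pwd, ctx):
    """Authenticate to APIC; returns the session token used as the APIC-cookie."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(f"https://{apic}/api/aaaLogin.json", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]

def push_ldev(apic, token, tenant, xml_body, ctx):
    """POST the device object under the tenant; returns the HTTP status code."""
    req = urllib.request.Request(f"https://{apic}/api/mo/uni/tn-{tenant}.xml",
                                 data=xml_body.encode(), method="POST",
                                 headers={"Content-Type": "application/xml",
                                          "Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status

if __name__ == "__main__":
    # Secrets come from the environment; TLS verification stays on so the ASAv password only reaches the genuine APIC.
    ctx = ssl.create_default_context()
    token = apic_login(os.environ["APIC_HOST"], os.environ["APIC_USER"], os.environ["APIC_PASS"], ctx)
    xml_body = build_ldev_payload("ASAv-FW", "uni/infra/mDev-CISCO-ASA-1.3",  # package DN: placeholder
                                  "uni/vmmp-VMware/dom-DC1-VMM", "vcenter01", "asav-01",
                                  "192.0.2.10", os.environ["ASAV_USER"], os.environ["ASAV_PASS"])
    print(push_ldev(os.environ["APIC_HOST"], token, "Prod", xml_body, ctx))
```

The ASAv admin password is posted to the APIC, which stores it for the device package to use; it never needs to live in the script or in version control.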

Function Profile
The Function Profile allows the user to build the ACL and define the IP addresses on the ASAv interfaces. A user may also set object grouping and NAT inside a function profile.

Service Graph
The Service Graph Template enables the user to associate the function profile with the L4-L7 device. In this phase, we also deploy the firewall between the required EPGs and set up the contract for it.
