Cisco Prime Network Services Controller Adaptor for DFA Leaflet

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
Page 21 of 45 
Case 2b: Unified Fabric with East-West Layer 3 Firewall and Static Routing 
Figure 12.    East-West Layer 3 Firewall with Static Routing Between the Appliance and the Fabric 
 
In the deployment scenario in Figure 12, the Layer 3 east-west firewall resides in the same Layer 2 domain(s) as the protected workloads and also acts as the default gateway for the protected networks. Unlike in the previous case, there is no dynamic routing adjacency between the fabric and the firewall; instead, static routes are configured on both the firewall and the leaf to which the firewall is attached.
Following are some of the configuration parameters for the components: 
● Hosts A1 and B1 reside in their respective networks, protected by the firewall. All host networks and outside interface networks in this example belong to the same VRF instance.
● Both workloads residing in the networks and the inside interface of the Layer 3 east-west firewall are defined by the same network autoconfiguration profile: defaultNetworkL2Profile.
● Workloads and hosts have to be configured with IP address and default gateway information either statically or using a third-party in-band DHCP server. Another option is to configure DHCP relay on the firewall.
● Depending on the firewall capabilities, the inside interfaces can be configured either as separate physical interfaces carrying a single IEEE 802.1Q VLAN each, or as one IEEE 802.1Q trunk carrying multiple VLANs, one for each of the protected networks.
● The network to which the outside interface of the firewall is attached should be configured with the networking autoconfiguration profile serviceNetworkIpv4TfStaticRoutingFWProfile². The choice of this Traditional Forwarding mode profile is dictated by the fact that some of the available firewalls on the market show signs of silent-host behavior.
● The Layer 3 east-west firewall is expected to be configured with a static IP address on the outside interface with the default route pointed toward the leaf node to which it is attached. The static route's next-hop IP address is gatewayIpAddress, specified in the autoconfiguration profile.
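Because nothing in this design advertises routes dynamically, the two static halves have to agree by hand: the firewall's default route must point at the leaf's gatewayIpAddress, and the leaf must hold a return route for every protected network pointing back at the firewall's outside address, all in the same VRF. A missing or mismatched entry silently black-holes traffic for that network. The following script is an added example, not code from this leaflet or from Cisco, that models those constraints and reports violations; all addresses, VRF and profile values in it are constructed sample data.

```python
"""Consistency check for the Case 2b static-routing east-west firewall design.

Added example, not Cisco's code. It models the constraints the leaflet states:
  * each firewall inside interface lives in the protected network it serves,
  * the firewall outside interface has a static IP and a default route whose
    next hop is the service network profile's gatewayIpAddress (the leaf),
  * the leaf carries a static route for every protected network pointing back
    at the firewall's outside IP, and every route sits in the same VRF.
All addresses, VRF names and interface values below are constructed samples.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    prefix: str      # e.g. "10.1.1.0/24" or "0.0.0.0/0"
    next_hop: str
    vrf: str


@dataclass
class Firewall:
    inside: dict[str, str]      # protected network -> inside interface IP (hosts' gateway)
    outside_ip: str             # static IP on the outside interface
    vrf: str                    # VRF shared by host and outside networks
    routes: list[StaticRoute]


@dataclass
class Leaf:
    gateway_ip: str             # gatewayIpAddress from the autoconfiguration profile
    routes: list[StaticRoute]   # static routes configured on the attaching leaf


def _norm(prefix: str) -> str:
    return str(ipaddress.ip_network(prefix, strict=False))


def check_design(fw: Firewall, leaf: Leaf) -> list[str]:
    """Return a list of human-readable findings; an empty list means consistent."""
    findings: list[str] = []

    # 1. Inside interface addresses must fall inside the networks they gateway for.
    for net, ip in fw.inside.items():
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(net, strict=False):
            findings.append(f"inside IP {ip} is not in protected network {net}")

    # 2. Firewall default route must point at the leaf's gatewayIpAddress in the right VRF.
    defaults = [r for r in fw.routes if _norm(r.prefix) == "0.0.0.0/0"]
    if not defaults:
        findings.append("firewall has no default route toward the leaf")
    for r in defaults:
        if r.next_hop != leaf.gateway_ip:
            findings.append(
                f"firewall default route next hop {r.next_hop} != gatewayIpAddress {leaf.gateway_ip}")
        if r.vrf != fw.vrf:
            findings.append(f"firewall default route is in VRF {r.vrf}, expected {fw.vrf}")

    # 3. Leaf must have a return route for each protected network via the firewall outside IP.
    leaf_routes = {(_norm(r.prefix), r.vrf): r.next_hop for r in leaf.routes}
    for net in fw.inside:
        nh = leaf_routes.get((_norm(net), fw.vrf))
        if nh is None:
            findings.append(f"leaf has no static route for {net} in VRF {fw.vrf}")
        elif nh != fw.outside_ip:
            findings.append(
                f"leaf route for {net} points at {nh}, expected firewall outside IP {fw.outside_ip}")
    return findings


def sample_good() -> tuple[Firewall, Leaf]:
    """Constructed, consistent pair: both static halves agree."""
    vrf = "tenant-A"
    fw = Firewall(
        inside={"10.1.1.0/24": "10.1.1.1", "10.1.2.0/24": "10.1.2.1"},
        outside_ip="10.1.100.2",
        vrf=vrf,
        routes=[StaticRoute("0.0.0.0/0", "10.1.100.1", vrf)],
    )
    leaf = Leaf(
        gateway_ip="10.1.100.1",
        routes=[StaticRoute("10.1.1.0/24", "10.1.100.2", vrf),
                StaticRoute("10.1.2.0/24", "10.1.100.2", vrf)],
    )
    return fw, leaf


def sample_broken() -> tuple[Firewall, Leaf]:
    """Constructed pair with two typical mistakes: wrong default next hop, missing return route."""
    fw, leaf = sample_good()
    fw.routes = [StaticRoute("0.0.0.0/0", "10.1.100.254", fw.vrf)]   # not the leaf's gatewayIpAddress
    leaf.routes = leaf.routes[:1]                                   # 10.1.2.0/24 return route dropped
    return fw, leaf


if __name__ == "__main__":
    for label, pair in (("good", sample_good()), ("broken", sample_broken())):
        print(label, check_design(*pair) or "OK")
```

The check is deliberately one-directional and VRF-aware: a return route in the wrong VRF counts as missing, which is the failure the single-VRF requirement in the bullets above is meant to rule out.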
                                                 
2
 
The serviceNetworkIpv4TfStaticRoutingFWProfile and serviceNetworkIpv4TfStaticRoutingLBProfile profiles are 
equivalent.