Cisco Prime Network Services Controller Adaptor for DFA: Product Brochure

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
Case 1a: Unified Fabric with Tenant-Edge Firewall and Dynamic Routing Protocol (OSPF) 
Figure 4.    Tenant-Edge Firewall with Dynamic Routing Between the Appliance and the Fabric 
 
In the deployment scenario in Figure 4, the Layer 3 tenant-edge firewall acts as an ultimate gateway for a given 
VRF instance: that is, any traffic destined for or coming from the protected VRF instance has to pass through the 
Layer 3 tenant-edge firewall. Dynamic routing adjacency between the fabric and the firewall is expected on both 
the inside and outside interfaces using the OSPF routing protocol. Protected VRF instances can include one or 
more networks configured with the network autoconfiguration profiles that include the suffix ESProfile in their 
names, where ES stands for edge service. 
Following are some of the configuration parameters for the components: 
● Hosts A1 and B1 reside in their respective networks; both networks are part of the VRF instance protected
  by the tenant-edge firewall.
● Cisco Prime DCNM is prepackaged with a variety of autoconfiguration profiles that can be used in this
  scenario. When configuring networks for the workloads protected by the tenant-edge firewall, make sure
  that the network autoconfiguration profile name includes the keyword ESProfile. All network
  autoconfiguration profiles with this keyword are listed in Table 2 at the end of this section.
● The network profiles with the required keyword include a special partition profile: vrf-common-ES. This
  profile includes a static default route in which the next-hop IP address is the inside interface of the
  tenant-edge firewall. This routing helps ensure that any traffic originating from hosts in a configured
  VRF instance passes through the tenant-edge firewall, which serves as the ultimate gateway for all
  incoming and outgoing data flows.
● The VRF-specific default route in the partition profile is defined by the command ip route 0.0.0.0/0
  $include_serviceNodeIpAddress, where the $include_serviceNodeIpAddress variable is defined during
  creation of the partition in Cisco Prime DCNM (creation of the VRF instance), as shown in Figure 5.
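
The following Python audit is an added example, not part of the original Cisco document. It checks the conditions listed above for one protected VRF instance: the partition profile, the ESProfile keyword in every network profile name, and a default route whose next hop is the firewall's inside interface. The dictionary layout, sample profile names, network names and addresses are constructed for illustration; only the ESProfile keyword, the vrf-common-ES profile name and the ip route command come from the text.

```python
import ipaddress
import re

KEYWORD = "ESProfile"                 # keyword required in network profile names (from the text)
PARTITION_PROFILE = "vrf-common-ES"   # partition profile named in the text
DEFAULT_ROUTE = re.compile(r"^\s*ip route 0\.0\.0\.0/0 (\S+)\s*$")

def audit_protected_vrf(vrf):
    """Return findings for one VRF; an empty list means traffic is steered to the firewall."""
    findings = []
    fw_inside = ipaddress.ip_address(vrf["firewall_inside_ip"])
    if vrf["partition_profile"] != PARTITION_PROFILE:
        findings.append(f"partition profile is {vrf['partition_profile']}, not {PARTITION_PROFILE}")
    for net in vrf["networks"]:
        if KEYWORD not in net["profile"]:
            findings.append(f"network {net['name']} uses profile {net['profile']} without {KEYWORD}")
    hops = [m.group(1) for m in map(DEFAULT_ROUTE.match, vrf["rendered_config"]) if m]
    if not hops:
        findings.append("no VRF default route, so traffic can bypass the firewall")
    for hop in hops:
        if hop.startswith("$"):  # template variable was never filled in at partition creation
            findings.append(f"default route still holds unsubstituted variable {hop}")
            continue
        try:
            if ipaddress.ip_address(hop) != fw_inside:
                findings.append(f"next hop {hop} is not the firewall inside interface {fw_inside}")
        except ValueError:
            findings.append(f"next hop {hop} is not an IP address")
    return findings

# Constructed sample data: names and addresses are illustrative, not taken from Cisco Prime DCNM.
GOOD_VRF = {
    "partition_profile": "vrf-common-ES", "firewall_inside_ip": "192.0.2.1",
    "networks": [{"name": "net-A", "profile": "sampleNetworkESProfile"},
                 {"name": "net-B", "profile": "sampleNetworkESProfile"}],
    "rendered_config": ["  ip route 0.0.0.0/0 192.0.2.1"],
}
BAD_VRF = {
    "partition_profile": "vrf-common-ES", "firewall_inside_ip": "192.0.2.1",
    "networks": [{"name": "net-A", "profile": "sampleNetworkESProfile"},
                 {"name": "net-B", "profile": "sampleNetworkProfile"}],
    "rendered_config": ["ip route 0.0.0.0/0 $include_serviceNodeIpAddress",
                        "ip route 0.0.0.0/0 192.0.2.254"],
}

if __name__ == "__main__":
    for label, vrf in (("good", GOOD_VRF), ("bad", BAD_VRF)):
        print(label, audit_protected_vrf(vrf) or "OK")
```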