Cisco Prime Network Services Controller Adaptor for DFA Product Brochure

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
Case 1b: Unified Fabric with Tenant-Edge Firewall and Static Routing 
Figure 8. Tenant-Edge Firewall with Static Routing Between the Appliance and the Fabric
 
In the deployment scenario in Figure 8, just as in the previous scenario, the Layer 3 tenant-edge firewall acts as 
the ultimate gateway for a given VRF instance. However, in the deployment scenario in Figure 8, the tenant-edge 
firewall does not have any dynamic routing protocol running, but rather has static routes to promote protected 
network reachability. This difference also dictates a choice of different profiles. Nevertheless, any traffic destined 
for or coming from the protected VRF instance has to pass through the Layer 3 tenant-edge firewall. The protected 
VRF instance can include one or more networks configured with network autoconfiguration profiles that include the 
ESProfile suffix in their names.  
Here are some of the configuration parameters for the components: 
● Hosts A1 and B1 reside in their respective networks, where both networks are part of the VRF instance
protected by the tenant-edge firewall.
● Cisco Prime DCNM is prepackaged with a variety of autoconfiguration profiles that can be used in this
scenario. When configuring networks for the workloads protected by the tenant-edge firewall, make sure
that the network autoconfiguration profile includes the keyword ESProfile. All network autoconfiguration
profiles with this keyword are listed in Table 2 at the end of this section.
● The network profiles with the required keyword include a special partition profile: vrf-common-ES. This
profile includes a static default route in which the next-hop IP address is the inside interface of the
tenant-edge firewall. This routing helps ensure that any traffic that originates from a configured VRF
instance uses the tenant-edge firewall, which serves as the ultimate gateway for all incoming and outgoing
data flows.
● The VRF-specific default route in the partition profile is defined by the command ip route 0.0.0.0/0
$include_serviceNodeIpAddress, where the $include_serviceNodeIpAddress variable is defined during
creation of the partition in Cisco Prime DCNM (creation of the VRF instance), as shown in Figure 5.
● Workloads and hosts must be configured with IP address and default gateway information, either statically
or by using the DHCP relay function on leaf nodes, similar to the configuration described in Case 1a.
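The following added example (not Cisco's code and not part of the original document) audits a partition for the two conditions that keep traffic behind the tenant-edge firewall: the VRF default route must point at the firewall's inside interface, and every network must use a profile carrying the ESProfile keyword. The dictionary layout, VRF name, IP addresses and profile names are constructed assumptions; only the route template is taken from the text above.

```python
import ipaddress

# Route template quoted in the document; all other values here are constructed samples.
ROUTE_TEMPLATE = "ip route 0.0.0.0/0 $include_serviceNodeIpAddress"

def render_default_route(service_node_ip):
    """Fill in the partition variable; raises ValueError if it is not an IPv4 address."""
    next_hop = ipaddress.IPv4Address(service_node_ip)
    return ROUTE_TEMPLATE.replace("$include_serviceNodeIpAddress", str(next_hop))

def audit_partition(partition):
    """Return findings for one VRF partition; an empty list means it is consistent."""
    findings = []
    fw_inside = ipaddress.IPv4Address(partition["firewall_inside_ip"])
    # Collect the next hop of every default route in the rendered VRF configuration.
    next_hops = []
    for line in partition["vrf_config"].splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[:3] == ["ip", "route", "0.0.0.0/0"]:
            next_hops.append(tokens[3])
    if len(next_hops) != 1:
        findings.append(f"expected 1 default route, found {len(next_hops)}")
    for hop in next_hops:
        if ipaddress.IPv4Address(hop) != fw_inside:
            findings.append(f"default route next hop {hop} is not firewall inside {fw_inside}")
    # Networks in the protected VRF must use a profile with the ESProfile keyword.
    for name, profile in partition["networks"].items():
        if "ESProfile" not in profile:
            findings.append(f"network {name} uses profile {profile} without ESProfile")
    return findings

# Constructed sample partitions (hypothetical names and addresses).
GOOD = {
    "firewall_inside_ip": "10.1.100.1",
    "vrf_config": "vrf context ExampleOrg:ExamplePart\n  " + render_default_route("10.1.100.1"),
    "networks": {"netA": "exampleNet1ESProfile", "netB": "exampleNet2ESProfile"},
}
BAD = {
    "firewall_inside_ip": "10.1.100.1",
    "vrf_config": "vrf context ExampleOrg:ExamplePart\n  " + render_default_route("10.1.100.254"),
    "networks": {"netA": "exampleNet1ESProfile", "netB": "exampleNetworkProfile"},
}

if __name__ == "__main__":
    for label, part in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_partition(part) or "consistent")
```

A finding on either check means some traffic for the VRF instance can leave the fabric without passing through the firewall, which is the property this deployment case depends on.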