Cisco Prime Network Services Controller Adaptor for DFA product brochure page
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 25 of 45
Network Autoconfiguration Profile Name and Configurable Options
Use Case
Configurable options also include the partition profile vrf-common-ES, which causes injection of a static default route whose next-hop IP address is equal to the "gateway IP address" defined during creation of the parent partition, as shown in Figure 5: ip route 0.0.0.0/0 $include_serviceNodeIpAddress. That is, all data traffic that needs to leave the current VRF has to be funneled through the tenant-edge firewall.
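The security property behind that default route is that nothing leaving the VRF can skip the firewall. The following added example (not Cisco's code and not part of the original page) renders the profile line with a partition's gateway IP and then checks a rendered NX-OS-style configuration for the invariant "exactly one default route per VRF, and its next hop is the service node". The profile is modelled by its one relevant line, the config parser is deliberately minimal, and the VRF names and addresses are constructed placeholders.

```python
"""Render the vrf-common-ES default route and verify it on a rendered config.

Added example; assumes 'vrf context <name>' blocks with indented 'ip route'
lines (NX-OS style) and a single service-node address per partition.
"""
import ipaddress
import re

# The one profile line the page shows (variable name taken from the page).
PROFILE_DEFAULT_ROUTE = "ip route 0.0.0.0/0 $include_serviceNodeIpAddress"

ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+)")


def render_profile(line: str, variables: dict) -> str:
    """Substitute $name variables; fail loudly on any unresolved name."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unresolved profile variable ${name}")
        return variables[name]
    return re.sub(r"\$([A-Za-z_]\w*)", repl, line)


def parse_vrf_routes(config: str) -> dict:
    """Return {vrf_name: [(prefix, next_hop), ...]} for static routes
    found inside 'vrf context' blocks (constructed, minimal parser)."""
    routes, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        block = re.match(r"^vrf context (\S+)", line)
        if block:
            current = block.group(1)
            routes.setdefault(current, [])
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the vrf block
            continue
        route = ROUTE_RE.match(line)
        if route and current:
            routes[current].append((route.group(1), route.group(2)))
    return routes


def check_default_via_service_node(config: str, vrf: str, service_node_ip: str) -> list:
    """Return findings (empty list means OK) for the tenant-edge invariant:
    the VRF has exactly one default route and it points at the service node."""
    findings = []
    target = ipaddress.ip_address(service_node_ip)
    defaults = [nh for pfx, nh in parse_vrf_routes(config).get(vrf, [])
                if ipaddress.ip_network(pfx, strict=False).prefixlen == 0]
    if not defaults:
        findings.append(f"{vrf}: no default route; traffic is not steered to the firewall")
    for nh in defaults:
        if ipaddress.ip_address(nh) != target:
            findings.append(f"{vrf}: default route via {nh} bypasses service node {target}")
    if len(defaults) > 1:
        findings.append(f"{vrf}: {len(defaults)} default routes present; expected exactly one")
    return findings


# Constructed sample: placeholder gateway (service node) address chosen at
# partition creation, the R&D VRF rendered from the profile, and a Sales VRF
# where an extra default route skips the firewall.
GATEWAY_IP = "192.0.2.1"
RENDERED = render_profile(PROFILE_DEFAULT_ROUTE,
                          {"include_serviceNodeIpAddress": GATEWAY_IP})
SAMPLE_CONFIG = f"""
vrf context ABC-RnD
  {RENDERED}
vrf context ABC-Sales
  ip route 0.0.0.0/0 {GATEWAY_IP}
  ip route 0.0.0.0/0 198.51.100.254
interface Vlan100
  description outside any vrf block, ignored by the parser
"""

if __name__ == "__main__":
    for name in ("ABC-RnD", "ABC-Sales", "ABC-Finance"):
        result = check_default_via_service_node(SAMPLE_CONFIG, name, GATEWAY_IP)
        print(name, "OK" if not result else result)
```

Run against a real rendered config, the checker flags a VRF with no default route (traffic is dropped or, worse, leaks via a more-specific route), a default route that points somewhere other than the firewall, and duplicate defaults that an operator may have added by hand.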
Tenant-Edge Firewall Deployment Example with Cisco Unified Fabric
Sample Scenario
The sample scenario presented here builds a multitenant spine-and-leaf data center for a technology company named ABC that has the following departments:
● Sales
● Finance
● Research and development (R&D)
The core business of this company is knowledge technology, so business requirements dictate the use of a dedicated firewall that filters any ingress and egress traffic from workloads in the R&D department.
Translating the business requirements into lower-level technical details, Company ABC can be represented by an organization construct in the Cisco Prime DCNM LDAP database, and each department can be represented by a partition construct. Each of the partitions constitutes a VRF instance in the fabric for the subsequently included member networks. The tenant-edge firewall deployment model is well suited to the customer's requirements.
During the network security design process, the customer determined that the R&D department should be secured using two physical firewalls configured in an active-standby pair: that is, both firewalls would be up and running, but only one of them at a time would be actively engaged in enforcing network security.
Depending on the available features and capabilities of the firewall, the standby unit can maintain routing adjacencies but start advertising network reachability information only in the event that the active unit fails. For example, Cisco Adaptive Security Appliances (ASA) with Cisco ASA Software Release 9.3 or later support such a configuration and are used as a reference in this deployment example.
Each firewall has four 10-Gbps links, for a total of 40 Gbps of forwarding capacity.
The customer decided to dedicate two 10-Gbps links of a given firewall to the ingress direction and two 10-Gbps links to the egress direction, with each port pair bundled using IEEE 802.3ad LACP. These firewalls also support the OSPF dynamic routing protocol, and each firewall will have a total of six adjacencies:
● Two OSPF adjacencies with each of the SVI interfaces reachable through the inside vPC+ interface
● Two OSPF adjacencies with each of the SVI interfaces reachable through the outside vPC+ interface
● Additional optional adjacencies between the respective inside interfaces and the respective outside interfaces of the active and standby firewalls (may be needed if the firewall vendor requires such a configuration)