Cisco Prime Network Services Controller Adaptor for DFA: product brochure
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 6 of 45
Service Policy Creation
After a service node is deployed and integrated into the network, you can configure the specific policies that control
filtering or policing (in the case of a firewall), service redirection and load balancing, application server farms, and
other parameters. You can perform this task in a wide variety of ways. Most frequently, application administrators
use a web GUI or a command-line interface (CLI) to specify the necessary configuration. As the demand for more
efficient and automated orchestration tools arises, the GUI and CLI may be replaced by APIs integrated into
orchestrators.
Cisco Unified Fabric Network Integration
With Cisco Unified Fabric, you can integrate firewalls manually. In addition, you can use the tools built into the
fabric to automate many of the steps of service node integration. In the latter case, the network administrator
provisions all relevant network autoconfiguration profiles in Cisco Prime™ Data Center Network Manager
(DCNM), and Cisco Unified Fabric then automatically applies the appropriate network profile when the service
node is attached to the fabric. The details of planning and deploying such network profiles and configurations are
provided in the next section.
Service node integration and service policy creation tasks can be performed manually through the service
appliance's GUI, but they can also be automated and orchestrated. Cisco Prime Network Services Controller (NSC),
together with orchestrators such as Cisco UCS® Director and OpenStack, allows automated deployment of virtual
service nodes and service policies.
Planning and Configuring Network Autoconfiguration Profiles
This section discusses how to plan, manually create, and deploy network autoconfiguration profiles to integrate
firewall nodes into Cisco Unified Fabric.
Keep in mind as you plan and configure profiles to integrate firewalls into your data center that, unlike traditional
Layer 2 and Layer 3 networks, Cisco Unified Fabric with optimized networking changes the forwarding behavior in ways
that benefit hosted workloads. Following are the main differences:
● When Enhanced Forwarding (EF) mode is configured, Address Resolution Protocol (ARP), gratuitous ARP (GARP), and Neighbor Discovery Protocol (NDP) traffic is contained at the leaf layer, because the leaf answers these requests itself. As a benefit, the flood and fault domains are reduced to a single switch port on the leaf node. (Typically a top-of-rack [ToR] switch is a leaf node.)
● With both Enhanced and Traditional Forwarding modes, Cisco Unified Fabric uses control-plane-based learning instead of the data-plane-based learning used in traditional Layer 2 networks. BGP is used to distribute end-host reachability information between leaf nodes.
● With both Enhanced and Traditional Forwarding modes, the default gateway is configured and instantiated on every leaf node to which a workload of that network is connected. That is, the same default gateway virtual IP address can exist simultaneously on multiple leaf nodes if end hosts using the same network are attached to multiple leaf nodes.
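The following leaf configuration is an added illustration of the three points above (proxy-gateway SVI, a gateway address that is identical on every leaf, and BGP as the carrier of host reachability); it is not taken from this document or from a DCNM-generated profile. It uses NX-OS syntax for DFA-capable Nexus platforms; the tenant name `Org1:Part1`, VLAN 100, segment IDs, the tag value 12345, the route-map names, the anycast MAC and AS 65000 are all assumed values, and the exact command set should be checked against the configuration guide of the platform in use. The same stanza is applied unchanged on every leaf that hosts a workload of this network, which is how the gateway address comes to exist on several leaves at once.

```text
! Leaf-1 (apply the identical stanza on Leaf-2, Leaf-3, ... that host this network)
!
! One virtual gateway MAC shared by every leaf; a mismatch across leaves breaks host
! mobility because the host keeps the MAC it learned from the first leaf.
fabric forwarding anycast-gateway-mac 0000.0a0b.0c0d
!
vrf context Org1:Part1
  vni 50000
  rd auto
  address-family ipv4 unicast
    route-target both auto
!
vlan 100
  vn-segment 30000
!
interface Vlan100
  no shutdown
  vrf member Org1:Part1
  ! Same gateway IP on every leaf; the tag marks the subnet for redistribution below.
  ip address 10.1.1.1/24 tag 12345
  ! Enhanced Forwarding: the leaf proxies ARP/ND for the subnet, so ARP, gratuitous
  ! ARP and ND never leave the local leaf port. (Traditional Forwarding would use
  ! "fabric forwarding mode anycast-gateway" here instead.)
  fabric forwarding mode proxy-gateway
!
! Host routes learned locally by the Host Mobility Manager (HMM) and the connected
! subnet are redistributed into BGP, which distributes end-host reachability between
! leaves in place of data-plane MAC learning.
route-map FABRIC-RMAP-REDIST-HOST permit 10
route-map FABRIC-RMAP-REDIST-SUBNET permit 10
  match tag 12345
!
router bgp 65000
  vrf Org1:Part1
    address-family ipv4 unicast
      redistribute hmm route-map FABRIC-RMAP-REDIST-HOST
      redistribute direct route-map FABRIC-RMAP-REDIST-SUBNET
```

When a firewall is inserted as a service node into such a network, remember that the leaf, not the firewall, answers ARP for the gateway address, and that a host move is signalled through HMM and BGP rather than by a gratuitous ARP reaching the firewall; the firewall's view of which leaf a host sits behind is therefore only as current as the control-plane update.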
The Cisco Unified Fabric takes full advantage of common firewall deployment profiles to significantly simplify
deployment of security solutions:
● Identify the kind of deployment that is required. Following are some sample deployment scenarios:
  ◦ No firewall, load balancer, or any other Layer 4 to 7 service appliance is deployed. Simple network connectivity for end hosts needs to be provided.