
Reference Architecture | Dynamic L4-L7 Service Insertion with Cisco ACI and A10 Thunder ADC
L4-L7 Service Graph Instances
Application profiles define the policies, services and relationships between EPGs. Each application profile can
contain one or more EPGs that can communicate with the other EPGs in the same application profile and with
EPGs in other application profiles according to the contract rules. Application network profiles are defined
based on the communication, security and performance needs of the application. They are then used by the
APIC to push the logical topology and policy definitions down to stateless network hardware in the fabric.
In the Cisco ACI design, the Cisco APIC provides automatic service insertion while acting as the central point of
policy control that manages both the network fabric and the service appliances. For service insertion, the APIC
uses an L4-L7 service graph instance, which is essentially an ordered set of service function nodes placed between a
set of terminals, providing the network service functions that an application requires. The service graph
instance can be defined through the APIC GUI, the CLI or the APIC API. Multiple function nodes can be chained
together when creating an L4-L7 service graph. The APIC is responsible for pushing the required configuration and
security policies to the network switches, routers, firewalls, load balancers and other infrastructure components
so that the data forwarding path forces traffic to traverse the service nodes in the order the service graph
specifies.
In Figure 11, the L4-L7 service graph example inserts the Cisco ASA Firewall and A10 Thunder ADC
function nodes together in a service chaining configuration to provide firewall capabilities and server load
balancing capabilities respectively between the consumer and provider EPGs. This example from APIC GUI
configuration shows how to create an L4-L7 service graph template and insert various service nodes in the
data forwarding path between the two EPGs. The APIC performs service graph rendering once the L4-L7
service graph template is applied to a security context, and it programs the network infrastructure including
switches, firewall and load balancers.
Figure 11: Service graph creation example
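To make the "ordered set of function nodes between a set of terminals" concrete, the following added example (written for this page, not code from Cisco, A10 or the reference architecture) models a service graph template as a consumer terminal, a chain of function nodes and a provider terminal, walks the forwarding path, and flags templates that the APIC could not render (a node left off the path, a dangling or looping connection). The XML rendering uses APIC object class names that are assumed from the APIC object model (vnsAbsGraph, vnsAbsNode, vnsAbsTermNodeCon, vnsAbsTermNodeProv, vnsAbsConnection) with the device binding and connection endpoints simplified to attributes; in a real APIC payload those are expressed as relation child objects. Tenant and device names are constructed sample values.

```python
"""Model and validate an ACI-style L4-L7 service graph template (added example).

Class names in to_xml() are assumed from the APIC object model and the XML is a
structural skeleton only; tenant, node and device names are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import xml.etree.ElementTree as ET

CONSUMER_TERMINAL = "T1"  # consumer-side terminal (the web EPG in the document's example)
PROVIDER_TERMINAL = "T2"  # provider-side terminal (the application EPG)


@dataclass
class FunctionNode:
    """One service function in the chain (firewall, ADC, ...)."""
    name: str
    func_type: str  # "GoTo" = routed hop, "GoThrough" = transparent (bridged) hop
    device: str     # logical device cluster the node is bound to (sample value)


@dataclass
class ServiceGraph:
    """Abstract graph template: terminals, ordered function nodes, connections."""
    tenant: str
    name: str
    nodes: List[FunctionNode] = field(default_factory=list)
    connections: List[Tuple[str, str]] = field(default_factory=list)

    def chain(self, *names: str) -> None:
        """Connect consumer terminal -> nodes in the given order -> provider terminal."""
        hops = [CONSUMER_TERMINAL, *names, PROVIDER_TERMINAL]
        self.connections = list(zip(hops, hops[1:]))

    def forwarding_path(self) -> List[str]:
        """Walk the connections from the consumer terminal and return the hop sequence.
        Stops early on a dangling or looping connection so validate() can report it."""
        nxt: Dict[str, str] = {}
        for src, dst in self.connections:
            nxt.setdefault(src, dst)
        path, cur = [CONSUMER_TERMINAL], CONSUMER_TERMINAL
        while cur != PROVIDER_TERMINAL and cur in nxt and nxt[cur] not in path:
            cur = nxt[cur]
            path.append(cur)
        return path

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the template is renderable."""
        problems: List[str] = []
        known = {CONSUMER_TERMINAL, PROVIDER_TERMINAL, *(n.name for n in self.nodes)}
        for src, dst in self.connections:
            for end in (src, dst):
                if end not in known:
                    problems.append(f"connection references unknown node {end!r}")
            if src == dst:
                problems.append(f"self-loop on {src!r}")
        path = self.forwarding_path()
        if path[-1] != PROVIDER_TERMINAL:
            problems.append(f"path from {CONSUMER_TERMINAL} does not reach {PROVIDER_TERMINAL}: {path}")
        unused = known - set(path)
        if unused:
            problems.append(f"nodes not on the forwarding path: {sorted(unused)}")
        return problems

    def to_xml(self) -> str:
        """Render an APIC-style XML skeleton (class names assumed, attributes simplified)."""
        tenant = ET.Element("fvTenant", name=self.tenant)
        graph = ET.SubElement(tenant, "vnsAbsGraph", name=self.name)
        ET.SubElement(graph, "vnsAbsTermNodeCon", name=CONSUMER_TERMINAL)
        ET.SubElement(graph, "vnsAbsTermNodeProv", name=PROVIDER_TERMINAL)
        for n in self.nodes:
            # Real model: device binding is a relation object, not a "device" attribute.
            ET.SubElement(graph, "vnsAbsNode", name=n.name, funcType=n.func_type, device=n.device)
        for i, (src, dst) in enumerate(self.connections, 1):
            # Real model: endpoints are relation objects, not src/dst attributes.
            ET.SubElement(graph, "vnsAbsConnection", name=f"C{i}", src=src, dst=dst)
        return ET.tostring(tenant, encoding="unicode")


def build_fw_adc_graph() -> ServiceGraph:
    """The Figure 11 chain: firewall, then ADC, between consumer and provider (sample names)."""
    g = ServiceGraph(tenant="sample-tenant", name="fw-adc-graph")
    g.nodes = [FunctionNode("FW", "GoTo", "asa-cluster"),
               FunctionNode("ADC", "GoTo", "thunder-adc-pool")]
    g.chain("FW", "ADC")
    return g


if __name__ == "__main__":
    graph = build_fw_adc_graph()
    print("path:", " -> ".join(graph.forwarding_path()))
    print("problems:", graph.validate() or "none")
    print(graph.to_xml())
```

The validation step is the part worth keeping in any automation that builds templates: a node that is defined but not wired into the path, or a connection that loops back, would either fail rendering or silently leave a service (here the ADC) out of the forwarding path, which means traffic between the EPGs bypasses it.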
In the section below, we refer to the simple two-tier application network profile shown in Figure 9 earlier
and go through the steps of creating an L4-L7 service graph template that connects the web EPG with the
application EPG. Figure 12 shows how the APIC uses the service graph template to render a two-tier application
profile onto the ACI fabric. The process involves interaction with the Nexus 9000 switches and the available
pool of A10 Thunder ADC appliances to insert the Thunder ADC server load balancing service between the
application EPG and the web EPG.