Service Graph Introduction
A Service Graph is the method by which Layer 4 to Layer 7 functions or devices are integrated into ACI. It lets ACI redirect traffic between the different security zones of a firewall or a load balancer.
With a service graph, the security and load-balancer admins define their security and LB policies directly, and through the APIC those policies are associated with the traffic path between source and destination.
A Layer 4 to Layer 7 device can be integrated into ACI with or without a service graph, but using a service graph automates the deployment of the Layer 4 to Layer 7 service in the network.
Different Management models of Service Graph:
Unmanaged Mode (Network Policy Mode): In this mode, ACI configures only the network portion of the fabric. The L4-L7 configuration is not done by ACI; the security or LB admin has to configure their devices manually.
The responsibility of each admin is summarized below:
- The network admin configures ports, VLANs, etc. to connect to the FW or LB
- The FW or LB admin configures their respective interfaces and VLANs
- The FW and LB admins configure ACLs and other components
The network admin manages only the fabric, not the FW; the security admin manages the FW and LB, not the fabric.
This mode is used when the FW and LB admins do not allow the APIC to configure their device, the L4-L7 device is to be used for traffic redirect or is to appear in the object model, and the APIC is not allowed to talk to a third-party controller.
Managed Mode (Service Policy Mode): In this mode, ACI configures both the network portion of the fabric and the configuration of the L4-L7 device, through the APIC.
The network admin configures the fabric; the security and LB admins provide their configurations to the network admin, who pushes these policies to the fabric via the APIC as a function profile.
This mode is used when the FW and LB admins allow the APIC to configure their device, and when you want the APIC to allocate the VLANs, collect the device's health scores, and push policy to the L4-L7 device upon EPG discovery.
Service Manager Mode: In this mode, ACI configures the network portion of the fabric (L4-L7 VLANs, etc.), and the APIC admin associates the policies defined in the L4-L7 management tool.
The L4-L7 admin defines the L4-L7 configuration via the L4-L7 management tool; the APIC admin configures the service graph and references the L4-L7 policy defined by the L4-L7 admin.
This mode is used when the FW and LB admins do not allow the APIC to configure their device, the L4-L7 device is to be used for traffic redirect or is to appear in the object model, and the APIC is allowed to talk to a third-party controller.
Service Graph Redirect Advantages:
- The default gateway no longer sits on the FW or LB; it is on the ACI fabric
- Avoids complex designs
- Allows redirecting a subnet's traffic based on protocols and ports
- Helps filter traffic between different zones of the FW within the same L2 domain
Service Graph Advantages:
- It can redirect traffic to the L4-L7 device while removing the need for complex designs
- It automatically manages all VLAN allocations
- It connects to the NICs of the workloads automatically
- Service graph configuration templates can be reused multiple times
- The service graph collects statistics from the L4-L7 device
- As soon as an EPG is discovered, the service graph updates ACLs and pools automatically.
What is Service Insertion in Cisco ACI:
Service insertion is configured with a service graph in ACI. To configure service insertion, multiple BDs have to be created, along with EPGs, to connect the virtual and physical appliances.
The figure above shows that BD1 has an EPG to which the outside interface of the router and the FW connect. BD2 has an EPG to which the FW inside interface and the client side of the ADC are connected. BD3 has an EPG for the server side of the ADC and also has multiple EPGs for the servers, connected by contracts.
What is Service Graph, Functions and Rendering:
The service graph concept is slightly different from service insertion. A service graph defines which function or policy is applied when traffic passes from one EPG to another over the fabric, through the contract it is associated with.
If service graph redirect is used together with the service graph, the service graph controls the steering of traffic to the L4-L7 device very effectively.
With the other service graph deployment models, it does not steer traffic to the L4-L7 device itself; instead it creates contracts that prevent the EPGs from communicating directly, so that only traffic that goes via the L4-L7 device is allowed.
In the figure below, a service graph is associated with the contract between two EPGs. This contract can be associated with Graph 1, which contains the FW; Graph 2, which contains the ADC; or Graph 3, which contains both the FW and the ADC.
Rendering: When a service graph is deployed and associated with a contract, ACI translates the service graph definition into a path through the FW and load balancer; this translation is called rendering.
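As an added example (not from the original page, and not Cisco's code), the Python below builds the APIC JSON payload for the unmanaged-mode redirect case described above: a logical firewall device with managed set to "no", a redirect policy, a one-node abstract graph, the device selection policy that maps the node onto the device, and the contract subject whose graph attachment is what ACI renders. It also runs the reference check a practitioner would want before posting: a subject naming a graph that is not in the payload, a node pointing at an unknown logical device, or an interface context naming a missing redirect policy all leave the graph unrendered with a fault on the APIC. The APIC class and attribute names are assumed from the APIC object model and should be confirmed against your release (API Inspector or Visore); every tenant, port, VLAN, IP and MAC value is a constructed placeholder.

```python
"""Build and sanity-check an APIC REST payload for an unmanaged (network policy
mode) firewall service graph that uses service graph redirect, and attach it to
a contract so the APIC can render it.

Class and attribute names (fvTenant, vnsLDevVip, vnsAbsGraph, vnsAbsNode,
vnsSvcRedirectPol, vnsLDevCtx, vzRsSubjGraphAtt, ...) are assumptions taken
from the APIC managed-object model; confirm them on your APIC release.
All tenant, interface, VLAN, IP and MAC values are constructed placeholders.
"""
import json
from typing import Any, Dict, Iterator, List, Optional, Tuple

MO = Dict[str, Any]


def mo(cls: str, attrs: Dict[str, str], children: Optional[List[MO]] = None) -> MO:
    """Wrap one managed object in the {class: {attributes, children}} shape APIC accepts."""
    body: Dict[str, Any] = {"attributes": attrs}
    if children:
        body["children"] = children
    return {cls: body}


def build_unmanaged_redirect_graph(tenant: str, graph: str, device: str, contract: str,
                                   fw_ip: str, fw_mac: str, bd: str) -> MO:
    """Tenant payload: logical device, redirect policy, abstract graph, device
    selection policy, and the contract subject that references the graph."""
    tn = f"uni/tn-{tenant}"
    # 1. Logical device. managed="no": the APIC wires only the fabric side; the
    #    firewall admin configures the appliance itself (no device package used).
    ldev = mo("vnsLDevVip",
              {"name": device, "devtype": "PHYSICAL", "svcType": "FW",
               "managed": "no", "contextAware": "single-Context"},
              [mo("vnsCDev", {"name": "FW1"},
                  [mo("vnsCIf", {"name": "eth1"},
                      [mo("vnsRsCIfPathAtt", {"tDn": "topology/pod-1/paths-101/pathep-[eth1/1]"})])]),
               mo("vnsLIf", {"name": "onearm", "encap": "vlan-100"},
                  [mo("vnsRsCIfAttN", {"tDn": f"{tn}/lDevVip-{device}/cDev-FW1/cIf-[eth1]"})])])
    # 2. Redirect policy: the firewall interface ACI steers matching traffic to.
    pbr = mo("vnsSvcRedirectPol", {"name": f"{graph}-redirect"},
             [mo("vnsRedirectDest", {"ip": fw_ip, "mac": fw_mac})])
    # 3. Abstract graph: consumer terminal -> one routed (GoTo) node in Redirect
    #    mode -> provider terminal, joined by two L3 connections.
    g = f"{tn}/AbsGraph-{graph}"
    abs_graph = mo("vnsAbsGraph", {"name": graph}, [
        mo("vnsAbsTermNodeCon", {"name": "T1"}, [mo("vnsAbsTermConn", {"name": "1"})]),
        mo("vnsAbsTermNodeProv", {"name": "T2"}, [mo("vnsAbsTermConn", {"name": "1"})]),
        mo("vnsAbsNode", {"name": "N1", "funcType": "GoTo", "routingMode": "Redirect", "managed": "no"},
           [mo("vnsAbsFuncConn", {"name": "consumer"}),
            mo("vnsAbsFuncConn", {"name": "provider"}),
            mo("vnsRsNodeToLDev", {"tDn": f"{tn}/lDevVip-{device}"})]),
        mo("vnsAbsConnection", {"name": "C1", "adjType": "L3", "unicastRoute": "yes"},
           [mo("vnsRsAbsConnectionConns", {"tDn": f"{g}/AbsTermNodeCon-T1/AbsTConn"}),
            mo("vnsRsAbsConnectionConns", {"tDn": f"{g}/AbsNode-N1/AbsFConn-consumer"})]),
        mo("vnsAbsConnection", {"name": "C2", "adjType": "L3", "unicastRoute": "yes"},
           [mo("vnsRsAbsConnectionConns", {"tDn": f"{g}/AbsNode-N1/AbsFConn-provider"}),
            mo("vnsRsAbsConnectionConns", {"tDn": f"{g}/AbsTermNodeProv-T2/AbsTConn"})]),
    ])
    # 4. Device selection policy: for this contract, map node N1 onto the logical
    #    device, its bridge domain and the redirect policy on both connectors.
    def lif_ctx(conn: str) -> MO:
        return mo("vnsLIfCtx", {"connNameOrLbl": conn},
                  [mo("vnsRsLIfCtxToBD", {"tDn": f"{tn}/BD-{bd}"}),
                   mo("vnsRsLIfCtxToLIf", {"tDn": f"{tn}/lDevVip-{device}/lIf-onearm"}),
                   mo("vnsRsLIfCtxToSvcRedirectPol", {"tnVnsSvcRedirectPolName": f"{graph}-redirect"})])
    ldev_ctx = mo("vnsLDevCtx", {"ctrctNameOrLbl": contract, "graphNameOrLbl": graph, "nodeNameOrLbl": "N1"},
                  [mo("vnsRsLDevCtxToLDev", {"tDn": f"{tn}/lDevVip-{device}"}),
                   lif_ctx("consumer"), lif_ctx("provider")])
    # 5. Contract subject referencing the graph: this attachment is what triggers
    #    rendering once consumer and provider EPGs use the contract.
    brcp = mo("vzBrCP", {"name": contract},
              [mo("vzSubj", {"name": "all"},
                  [mo("vzRsSubjFiltAtt", {"tnVzFilterName": "default"}),
                   mo("vzRsSubjGraphAtt", {"tnVnsAbsGraphName": graph})])])
    return mo("fvTenant", {"name": tenant}, [ldev, pbr, abs_graph, ldev_ctx, brcp])


def walk(obj: MO) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Depth-first (class, attributes) pairs for every object in the payload."""
    for cls, body in obj.items():
        yield cls, body["attributes"]
        for child in body.get("children", []):
            yield from walk(child)


def check_references(payload: MO) -> List[str]:
    """Report name references that point at objects missing from the payload."""
    names: Dict[str, set] = {}
    for cls, attrs in walk(payload):
        names.setdefault(cls, set()).add(attrs.get("name"))
    problems: List[str] = []
    for cls, attrs in walk(payload):
        if cls == "vzRsSubjGraphAtt" and attrs["tnVnsAbsGraphName"] not in names.get("vnsAbsGraph", set()):
            problems.append(f"subject references unknown graph {attrs['tnVnsAbsGraphName']}")
        if cls == "vnsRsNodeToLDev" and attrs["tDn"].rsplit("lDevVip-", 1)[-1] not in names.get("vnsLDevVip", set()):
            problems.append(f"graph node references unknown device {attrs['tDn']}")
        if cls == "vnsRsLIfCtxToSvcRedirectPol" and attrs["tnVnsSvcRedirectPolName"] not in names.get("vnsSvcRedirectPol", set()):
            problems.append(f"interface context references unknown redirect policy {attrs['tnVnsSvcRedirectPolName']}")
    return problems


def first(payload: MO, cls: str) -> Dict[str, str]:
    """Attributes of the first object of class `cls` (empty dict if absent)."""
    return next((a for c, a in walk(payload) if c == cls), {})


if __name__ == "__main__":
    tenant = build_unmanaged_redirect_graph("Prod", "FW-Graph", "ASA-Pair", "Web-to-App",
                                            "10.1.1.10", "00:11:22:33:44:55", "FW-BD")
    print(check_references(tenant) or "payload is internally consistent")
    print(json.dumps(tenant)[:200], "...")
```

Posting the returned dictionary to the APIC is deliberately left out. The point to notice is that nothing in this payload is an L4-L7 parameter: because the device is unmanaged, the firewall's own interfaces, routes and ACLs are still configured by the firewall admin, and the APIC only allocates the fabric side and steers traffic according to the redirect policy.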
L4-L7 parameters are the configuration parameters that are pushed to the L4-L7 device. Some of the L4-L7 parameters are:
- Interface IP address/mask
- Routing configuration
- VIP configuration
- Server farm configuration
- ACL configuration
These parameters do not allocate VLANs to the physical interfaces and vNICs; ACI allocates the VLANs dynamically. If the ACI admin wants these L4-L7 parameters to be configured by the APIC, the admin has to deploy a plugin, called the device package of the respective device, on the APIC.
The device package includes the device description and contains all the parameters that the APIC has to use. It also contains the scripts that allow Cisco ACI to talk to the device.
Certain device packages allow the APIC to configure only the network portion of the L4-L7 device, with the rest of the L4-L7 configuration done from the L4-L7 management console. Example: the ASA device package.