These are my study notes on the Cisco ACI L4-7 service insertion topic.


ACI L4-7 (read “Layer four to seven”) Service Insertion is the process of introducing L4-7 services into the data path of a packet in the ACI fabric, independently of the physical location of the L4-7 device itself.

  • The L4-7 services can be:
    • packet filtering services
    • packet inspection services
    • NAT services
    • intrusion detection/ intrusion prevention services
    • load balancing services
  • The L4-7 services are performed by the following devices:
    • Firewalls: Cisco ASA, Palo Alto, Fortinet, etc.
    • Load Balancers: f5, Citrix, etc.
    • IPS: Cisco Firepower, etc.
  • We use the following terms interchangeably:
    • L4-7 device
    • service device
    • function device
  • By inserting a service device we do not mean the physical cabling of a service device, but rather the insertion of the function performed by the device within the data path between two EPGs. Inserting a service device can be:
    • manual or
    • automated through a service graph

ASA Cluster

  • A cluster is composed of a Master Switch and Slave Switches. The Master Switch provides the configuration for the Slaves.

L4-7 Management Modes

We manage the connected L4-7 devices in either one of the following modes:

Managed Mode

  • a complete horizontal integration is performed.
  • ACI pushes policies to the device and redirects traffic to it.
  • advantage of providing company-wide consistent policies and avoiding potential human-introduced errors
  • advantage of deploying the L4-7 services anywhere in the fabric without caring about the physical location of the device.
  • if the device provides contexts, then access to the admin context must be configured on ACI.
  • ACI dynamically manages VLAN assignment
  • ACI collects statistical data such as health scores

Unmanaged Mode

Policies are not managed by ACI. They are created by the L4-7 device administrator.

ACI L4-7 Service Insertion Modes

In ACI we insert an L4-7 service device in either of the following modes:

Service Policy Mode

  • this mode uses a device package
  • this is the full integration of the L4-7 device with the ACI fabric. The L4-7 device and its VLANs are configured by ACI. The device package is developed by the third-party vendor and includes two files:
    • an XML file describing the capabilities of the device, and
    • a Python file describing the integration with ACI.

Service Manager Mode

Security policies are defined on the L4-7 device by its own administrator. Then the policies are integrated and orchestrated by ACI.

Network Policy Mode

aka the “no device package or service manager” mode: the L4-7 device is completely managed by its own administrator. The ACI administrator only creates the necessary VLANs.

This mode is helpful in “political” environments, where each department still wants to completely manage its own equipment.

Service Graphs

  • (is mapped to concrete devices?)
  • is a collection of Abstract Nodes
  • to invoke it between two EPGs, attach it to a subject in the contract provided/consumed by the EPG

Meta device

  • is a symbolic representation of the L4-7 device that is connecting to the fabric
  • its function, whether it is a firewall, or a load balancer or else, is defined in the Abstract Node

Logical Device (LDev)

  • is a cluster of two or more Concrete Devices

Concrete Device (CDev)

  • is a one-to-one representation of the physical L4-7 device
  • Interfaces of the Concrete Device (vnsCIf) represent one-to-one the interfaces of the real device, but in the {slot}_{port} format, like interface 1_2 or interface 1_4
  • Each Interface on the Concrete Device maps to an interface on the Logical Device (LIf)
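A consistency check for the Logical Device / Concrete Device mapping described above, written as an added example for these notes (it is not Cisco code). The class and function names are my own; the only things taken from the notes are the {slot}_{port} interface naming and the definition of a Logical Device as a cluster of two or more Concrete Devices. It checks that every concrete interface name parses and that each Logical Interface is backed by exactly one concrete interface on every cluster member, which is what a graph rendering relies on.

```python
"""Consistency check for an ACI Logical Device (LDev) built from Concrete Devices (CDev).

Added example for these notes, not Cisco code; class and function names are my own.
It parses the {slot}_{port} interface names (vnsCIf) and checks that every Logical
Interface (LIf) of the cluster is backed by exactly one concrete interface on each member.
"""
import re
from dataclasses import dataclass, field

# vnsCIf names use the {slot}_{port} format described in the notes, e.g. "1_2".
CIF_NAME = re.compile(r"^(\d+)_(\d+)$")


def parse_cif_name(name):
    """Return (slot, port) for a concrete interface name such as '1_2'."""
    m = CIF_NAME.match(name)
    if not m:
        raise ValueError(f"not a {{slot}}_{{port}} interface name: {name!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class ConcreteDevice:
    name: str
    cif_to_lif: dict  # concrete interface name -> logical interface it backs


@dataclass
class LogicalDevice:
    name: str
    lifs: set  # logical interfaces every member must back, e.g. {"external", "internal"}
    cdevs: list = field(default_factory=list)


def validate_ldev(ldev):
    """Return a list of problems; an empty list means the cluster definition is consistent."""
    problems = []
    # The notes define a Logical Device as a cluster of two or more Concrete Devices.
    if len(ldev.cdevs) < 2:
        problems.append(f"{ldev.name}: expected at least 2 concrete devices, found {len(ldev.cdevs)}")
    for cdev in ldev.cdevs:
        backed = {}  # LIf -> list of CIfs on this member that map to it
        for cif, lif in cdev.cif_to_lif.items():
            try:
                parse_cif_name(cif)
            except ValueError as err:
                problems.append(f"{cdev.name}: {err}")
                continue
            if lif not in ldev.lifs:
                problems.append(f"{cdev.name}: {cif} maps to unknown LIf {lif!r}")
                continue
            backed.setdefault(lif, []).append(cif)
        for lif in sorted(ldev.lifs):
            n = len(backed.get(lif, []))
            if n != 1:
                problems.append(f"{cdev.name}: LIf {lif!r} backed by {n} interfaces, expected 1")
    return problems


def sample_cluster():
    """Constructed sample: a two-member ASA cluster with an external and an internal leg."""
    return LogicalDevice(
        "asa-cluster",
        {"external", "internal"},
        [
            ConcreteDevice("asa-1", {"1_1": "external", "1_2": "internal"}),
            ConcreteDevice("asa-2", {"1_1": "external", "1_2": "internal"}),
        ],
    )


if __name__ == "__main__":
    print(validate_ldev(sample_cluster()))  # [] when consistent
```

Feeding it a member whose interface is named in the vendor's own style (for example "Gi0/1" instead of "1_2") produces two findings: the name does not parse, and the logical interface it was meant to back is now unbacked on that member.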

Connecting the L4-7 Service Device to the ACI Fabric

The L4-7 device connects to the fabric:

  • through a direct L3 peering or
  • through a L3 Out connection.

ASA Firewall Service Insertion

  • Before inserting an ASA firewall function, we must create a virtual context on the box. The service device will later refer to this virtual context and not to the whole ASA physical device.
  • if ASA is configured in a cluster, we insert the firewall service in ACI as a single node, because ACI sees the ASA cluster as a single logical device.
  • By the way, although the virtual ASA (vASA) appliances may seem an obvious choice, only clustering of physical ASA firewalls is supported on ACI.
  • In ACI, ASA clustering must occur over the same port channel or the same vPC. No clustering across multiple Pods is supported.
  • ASA clustering uses Spanned EtherChannel.
  • ASA can be inserted in:
    • go-through mode: in this case we call the ASA a L2 firewall or a transparent firewall.
    • go-to mode: in this case we call the ASA a L3 firewall.
  • A manual insertion of ASA works only in go-to mode. For the manual insertion we need 2 VRFs, 2 Bridge Domains, mapping the external and the internal firewall interfaces to an L3 Out each.
  • If one of the Bridge Domains is set up as L2 only, then the other Bridge Domain learns the IP and MAC addresses of the L2-Bridge Domain too.

ASA Failover in ACI

Originally, ASA supports the failover mechanism over a configured physical interface and VLAN, which is considered an out-of-band failover network.

However, it is possible to perform an in-band failover network in ACI; we configure a failover EPG.

IPS Service Insertion

  • Cisco ACI supports inserting the Firepower IPS as a L4-7 service. It comes as part of the Firepower Threat Defense device package.
  • the IPS must be registered to the Firepower Management Center FMC
  • Cisco Firepower IPS intervenes before, during and after an attack to quarantine the malicious workload, put it in a uSeg EPG and log an entry into the FMC.
  • The IPS device / device cluster can be integrated into ACI with either of the following methods:
    • in a Service Graph in managed mode
    • in a Service Graph in unmanaged mode
    • manual mode
  • The IPS operates in either of the following modes
    • Layer 1
    • Layer 2
    • Layer 3
  • If we operate the IPS in Layer 1 mode, loop detection protocols (in the ACI case: MCP, LLDP) must be disabled under the leaf interface policies associated with the ports connected to the IPS.
  • The topology of the IPS within the ACI fabric can be:
    • one-arm with SNAT:
      • The IPS service device is connected to the fabric with only one leg
      • The IPS service device holds the vIP of the server(s), i.e. the external client (that wants to communicate with the server sitting behind the IPS) sends packets to the vIP, which resides on the IPS. The IPS does a SNAT on the source IP address of the packet, which hides the real IP address of the client from the server.
    • two-arm with PBR:
      • The IPS service device connects with two legs to the fabric.
      • The client communicates with the vIP on the IPS, thinking it is the server. Then the IPS forwards the packet without SNAT to the server. The server sends packets back to the client IP address, but the packets are redirected to the IPS.
      • This setting is required when the server has a need to “see” the real IP address of the client.
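The two topologies above differ in who the server sees as the source and in how the reply finds its way back to the service device. The simulation below is an added example for these notes (not Cisco code): the fabric is reduced to one delivery rule, PBR to a set of source addresses whose packets are redirected to the IPS, and all addresses are constructed. It also runs the misconfigured case the notes imply, two-arm without SNAT and without PBR, to show why the redirect is needed.

```python
"""Simulation of the two IPS topologies in the notes: one-arm with SNAT and two-arm with PBR.

Added example, not Cisco code. The fabric is one delivery rule, PBR is a set of source
addresses redirected to the service device, and every address below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


CLIENT = "10.1.1.10"     # constructed: external client
VIP = "192.0.2.100"      # constructed: vIP held by the IPS
SNAT_IP = "192.0.2.101"  # constructed: source address the IPS uses when it SNATs
SERVER = "10.2.2.20"     # constructed: real server behind the IPS
IPS_OWNED = {VIP, SNAT_IP}


class IPS:
    """Service device: maps the vIP to the real server, optionally SNATs, and undoes both on the reply."""

    def __init__(self, snat):
        self.snat = snat
        self.sessions = {}  # (source as seen by the server, SERVER) -> original client address

    def forward(self, pkt):
        if pkt.dst == VIP:  # client -> vIP: translate the destination to the real server
            src = SNAT_IP if self.snat else pkt.src
            self.sessions[(src, SERVER)] = pkt.src
            return Packet(src, SERVER)
        key = (pkt.dst, pkt.src)  # reply: server -> (SNAT_IP or client)
        if key in self.sessions:  # restore the vIP as the source toward the client
            return Packet(VIP, self.sessions[key])
        return None  # not a known session: dropped


def fabric_deliver(pkt, pbr_sources):
    """Where the fabric delivers pkt: 'ips', 'server', 'client' or 'dropped'.

    Traffic to an address owned by the IPS reaches it by normal forwarding; traffic from a
    source listed in pbr_sources is redirected to the IPS whatever its destination (PBR).
    """
    if pkt.dst in IPS_OWNED or pkt.src in pbr_sources:
        return "ips"
    return {SERVER: "server", CLIENT: "client"}.get(pkt.dst, "dropped")


def run_flow(snat, pbr_sources):
    """Send one request from the client to the vIP and follow the reply back."""
    ips = IPS(snat)
    path = ["client"]
    pkt = Packet(CLIENT, VIP)
    hop = fabric_deliver(pkt, pbr_sources)  # 'ips': it owns the vIP
    path.append(hop)
    pkt = ips.forward(pkt)
    hop = fabric_deliver(pkt, pbr_sources)  # 'server'
    path.append(hop)
    server_saw = pkt.src
    pkt = Packet(SERVER, pkt.src)  # the server answers whatever source it saw
    hop = fabric_deliver(pkt, pbr_sources)
    path.append(hop)
    if hop == "ips":
        pkt = ips.forward(pkt)
        hop = fabric_deliver(pkt, pbr_sources) if pkt else "dropped"
        path.append(hop)
    return {
        "path": path,
        "server_sees_real_client": server_saw == CLIENT,
        # the client must get the answer from the vIP it talked to, not from the server's address
        "reply_ok": hop == "client" and pkt is not None and pkt.src == VIP,
    }


if __name__ == "__main__":
    print("one-arm SNAT:", run_flow(snat=True, pbr_sources=set()))
    print("two-arm PBR: ", run_flow(snat=False, pbr_sources={SERVER}))
    print("no SNAT, no PBR:", run_flow(snat=False, pbr_sources=set()))
```

With SNAT the reply is addressed to an IPS-owned address, so it returns to the device without any fabric help; without SNAT the reply is addressed to the client, and only the PBR rule on the server's traffic brings it back through the IPS. In the last case the client receives a packet sourced from the server's real address instead of the vIP, which is the asymmetry the two-arm PBR design exists to prevent.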

Layer 1 IPS requires its node legs to be connected to 2 Bridge Domains, each leg to a bridge domain, both bridge domains having the same VLAN encapsulation.
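The Layer 1 requirement above (MCP and LLDP disabled on the leaf ports facing the IPS) is easy to miss when a default interface policy group is reused. The audit below is an added example for these notes, not Cisco code: it assumes the APIC object names lldpIfPol (with adminRxSt and adminTxSt) and mcpIfPol (with adminSt) taking the values "enabled" or "disabled", and the XML sample is constructed rather than a real configuration export.

```python
"""Audit of the leaf interface policies that must be off on the legs of a Layer 1 IPS.

Added example, not Cisco code. It assumes the APIC object names lldpIfPol (adminRxSt,
adminTxSt) and mcpIfPol (adminSt) with the values "enabled"/"disabled"; the XML sample
below is constructed and is not an export from a fabric.
"""
import xml.etree.ElementTree as ET

SAMPLE_POLICIES = """<infraInfra>
  <lldpIfPol name="lldp-default" adminRxSt="enabled" adminTxSt="enabled"/>
  <lldpIfPol name="lldp-off-ips" adminRxSt="disabled" adminTxSt="disabled"/>
  <mcpIfPol name="mcp-default" adminSt="enabled"/>
  <mcpIfPol name="mcp-off-ips" adminSt="disabled"/>
</infraInfra>"""


def audit_l1_ips_policies(xml_text, lldp_policy, mcp_policy):
    """Return findings for the named LLDP and MCP policies; empty means both are fully disabled."""
    root = ET.fromstring(xml_text)
    findings = []

    lldp = root.find(f"./lldpIfPol[@name='{lldp_policy}']")
    if lldp is None:
        findings.append(f"LLDP policy {lldp_policy!r} not found")
    else:
        for attr in ("adminRxSt", "adminTxSt"):  # both directions must be off on an L1 leg
            if lldp.get(attr) != "disabled":
                findings.append(
                    f"LLDP policy {lldp_policy!r}: {attr}={lldp.get(attr)!r}, expected 'disabled'"
                )

    mcp = root.find(f"./mcpIfPol[@name='{mcp_policy}']")
    if mcp is None:
        findings.append(f"MCP policy {mcp_policy!r} not found")
    elif mcp.get("adminSt") != "disabled":
        findings.append(
            f"MCP policy {mcp_policy!r}: adminSt={mcp.get('adminSt')!r}, expected 'disabled'"
        )
    return findings


if __name__ == "__main__":
    for lldp_name, mcp_name in (("lldp-off-ips", "mcp-off-ips"), ("lldp-default", "mcp-default")):
        print(lldp_name, mcp_name, audit_l1_ips_policies(SAMPLE_POLICIES, lldp_name, mcp_name))
```

Run it against the policies actually referenced by the interface policy group of the IPS-facing ports; a policy group that still points at the default LLDP or MCP policy shows up as three findings (both LLDP directions and MCP).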

Copy Service Feature

We can benefit from the Copy Service when we integrate the Firepower IPS within ACI fabric. The Copy Service is different from SPAN in the following ways:

  • the traffic is copied, not duplicated.
  • there are no headers in the copied packets
  • The traffic to be copied is specified as part of a contract, so not all traffic is copied by default. Therefore, unless specified in the contract, BUM traffic for example is not included.
  • Copy Cluster is the destination device that receives the copied traffic.
  • CoS and DSCP cannot be copied

ADC (Load Balancer) Service Insertion

  • An ADC (Application Delivery Controller) device performs content load balancing among other functions.

f5 Concepts

  • f5 employs iWorkflow, which generates a dynamic f5 device package to be integrated with ACI.
  • f5 uses a smart templating technology called iApps
  • We must configure the application template with iApps, then choose a template from the iWorkflow catalog. After that, the f5 device package can be instantiated and uploaded to APIC.
  • the popular f5 ADC is called BIG-IP.

Citrix ADC (aka Netscaler)

  • Citrix leverages the concept of Playbooks. A Playbook is a configuration template that we set up to suit a specific application.
  • Citrix NMAS or MAS: Network Management and Analysis System.


Categories: Cisco ACI

Keyboard Banger

Keyboard Banger is a network engineer from Africa. He has been working in network support and administration since 2008. He started writing study notes about certification exams and technology topics a couple of years ago. When he's not writing articles, he can be found wandering on technical forums.

