This skillet automatically configures Panorama and the plugin for a state-of-the-art integration into an ACI Single Pod environment, using PBR for traffic redirection, as a “one click ready” POC. The skillet also configures your A/P cluster of VM-Series in the Pod, managed by Panorama, so that it is ready to receive traffic from that fabric through the PBR interface.
This skillet is designed to be used by SEs and Partners.
Authoring Group: Private Cloud CE
Documentation: The README file in the GitHub repository explains things
Github Location: https://github.com/ceskillets/DCV-skillet-ACI-SinglePod.git
Github Branches: master
PAN-OS Supported: 8.1.X and higher releases with NSX plugin version 2.0.X
Cloud Provider(s) Supported: VMware ESXi
Type of Skillet: Multiple XML files to configure Panorama and an A/P VM cluster entirely
Purpose: Config ready for POCs
Automated configuration of a cluster of A/P VM-Series managed by Panorama
Single Pod PBR insertion
Panorama 8.1.X and 2 VM-Series 8.1.X connected to Panorama but not yet attached to any template or device group.
Each of your VM-Series must have a minimum of 3 vNics for that setup, and the vNics must be defined as described below:
- eth0 (vNic1) connected to the management network
- eth1 (vNic2) connected to a dedicated port group of your DVS and it will be used for HA2
- eth2 (vNic3) connected to a dedicated port group of your DVS and it will be used for HA3
- eth3 (vNic4) connected to a dedicated port group of your DVS and it will be used for PBR connection to the fabric
A PBR policy MUST be configured in parallel in the Fabric for your pod, with filters on a Service Graph, and that Service Graph must be applied to a contract to start redirecting some traffic to our VM-Series located in each Pod.
You must have a Multi Pods (2 pods) setup with the "Enable Pod Aware redirection" option checked and a functional IP SLA option (ICMP) for the health check in your L4-L7 Policy-Based Redirect configuration for the setup to work as expected.
Create a Template Stack and a Template dedicated to each of your 2 VM-Series, with all Network and Device policies configured with webpage variables.
Create a Device Group dedicated to that specific cluster of VM-Series, configured for a Multi Pods PBR insertion.
Move and attach your 2 VM-Series to these respective Template Stacks and Device Group, and trigger a commit to have a fully functional setup.
Configure the ACI plugin to connect to the APIC controller in order to collect the metadata needed to create DAGs in your firewall policy.