
p002 setup questionnaire

Roman Elokhin edited this page Nov 25, 2018 · 17 revisions

Let's refer to the New Project Setup Prerequisites questionnaire and go through it.

0. Operations

We are going to implement PSEFABRIC to manage security rules only.

1. Describe the managed equipment types

  • pa_panorama - Palo Alto Panorama
  • apic_aci_dc1 - Cisco APIC
  • apic_aci_dc2 - Cisco APIC

We also have PA FWs and ACI leaf/spine switches but we are not going to manage them directly via PSEFABRIC. That is why we don't have them on this list.

2. PSEFABRIC objects mapping onto the network infrastructure

“-” means that we do not have a mapping of such a PSEFABRIC object on this device.

3. Network Logical Segmentation

4. Object parameters

Remember that any PSEFABRIC object can carry up to 6 parameters. The first two are logical (true/false), the others are strings.

  • Addresses

    • addr_par_1 -> configure-addr
    • addr_par_3 -> pa-address-obj-name
  • Address-sets

    • addrset_par_1 -> configure-addrset
    • addrset_par_2 -> epg-addrset
    • addrset_par_3 -> pa-address-grp-name
    • addrset_par_4 -> aci-epg-name
    • addrset_par_5 -> path
  • Services

    • svc_par_1 -> configure-svc
    • svc_par_3 -> pa-service-name
    • svc_par_4 -> aci-filter-name
  • Service-sets

    • svcset_par_1 -> configure-svcset
    • svcset_par_3 -> pa-service-grp-name
    • svcset_par_4 -> aci-subject-name
  • Applications

    • app_par_1 -> configure-app
    • app_par_3 -> pa-application-name
  • Application-sets

    • appset_par_1 -> configure-appset
    • appset_par_3 -> pa-application-grp-name
  • Policies

    • plc_par_1 -> configure-plc
    • plc_par_2 -> epg-plc
    • plc_par_3 -> pa-policy-name
    • plc_par_4 -> aci-contract-name

Parameters description:

These parameters tell PSEFABRIC whether the configuration of the corresponding object has to be pushed to the real equipment or not:

  • configure-addr
  • configure-addrset
  • configure-svc
  • configure-svcset
  • configure-app
  • configure-appset
  • configure-plc

We want to use different names for PSEFABRIC objects on the Palo Alto FWs and on Cisco ACI. The following object parameters are used for this purpose:

  • For ACI objects:

    • aci-epg-name
    • aci-filter-name
    • aci-subject-name
    • aci-contract-name
  • For PA objects:

    • pa-address-obj-name
    • pa-address-grp-name
    • pa-service-name
    • pa-service-grp-name
    • pa-application-name
    • pa-application-grp-name
    • pa-policy-name
  • epg-addrset (address-set parameter)

    • 'true' means that this address-set object corresponds to some EPG
    • 'false' means that this PSEFABRIC address-set object is only related to address-group created on PA side and doesn't correspond to any EPG on the ACI side.
  • epg-plc (policy parameter)

    • 'true' means that only address-sets with epg-addrset == 'true' may participate in this policy
    • 'false' means that only address-sets with epg-addrset == 'false' may participate in this policy
  • path (address-set parameter)

    • ACI path for EPG configuration (for attachment to contracts as consumer or provider)
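The epg-addrset / epg-plc rule above is easy to break by hand, so it is worth checking before a policy reaches the logic layer. The following is an added example, not PSEFABRIC's own code: the object and parameter names are those of this questionnaire, while the dict layout, the constructed sample address-sets, the `src`/`dst` keys of a policy and the function name `policy_problems` are assumptions made for the illustration.

```python
# Added example, not PSEFABRIC's own code: checks the epg-addrset / epg-plc
# relationship before a policy is handed to the logic layer. Parameter names
# follow the questionnaire; the dict layout, the sample objects and the
# function name are assumptions for this example.

# Constructed sample address-sets (section 4 parameters). The 'path' values
# use the ACI DN form uni/tn-<tenant>/ap-<app profile>/epg-<name>.
ADDRESS_SETS = {
    "web":  {"configure-addrset": True, "epg-addrset": True,
             "pa-address-grp-name": "web_grp", "aci-epg-name": "web",
             "path": "uni/tn-t1/ap-app1/epg-web"},
    "db":   {"configure-addrset": True, "epg-addrset": True,
             "pa-address-grp-name": "db_grp", "aci-epg-name": "db",
             "path": "uni/tn-t1/ap-app1/epg-db"},
    "mgmt": {"configure-addrset": True, "epg-addrset": False,
             "pa-address-grp-name": "mgmt_grp", "aci-epg-name": "-",
             "path": "-"},
}


def policy_problems(policy, address_sets=ADDRESS_SETS):
    """Return the list of reasons why `policy` violates the epg-plc rule.

    An empty list means the policy is consistent: every address-set it
    references has epg-addrset equal to the policy's epg-plc, and every
    EPG address-set carries the ACI path needed to attach it to a contract.
    """
    want_epg = policy["epg-plc"]
    problems = []
    for role in ("src", "dst"):
        for name in policy[role]:
            aset = address_sets.get(name)
            if aset is None:
                problems.append(f"{role} {name}: unknown address-set")
                continue
            if aset["epg-addrset"] != want_epg:
                problems.append(
                    f"{role} {name}: epg-addrset={aset['epg-addrset']} "
                    f"but policy epg-plc={want_epg}")
            elif want_epg and aset["path"] in ("", "-"):
                # An EPG address-set without a path cannot be attached to a
                # contract as consumer or provider.
                problems.append(f"{role} {name}: EPG address-set without ACI path")
    return problems


if __name__ == "__main__":
    ok = {"epg-plc": True, "src": ["web"], "dst": ["db"]}
    mixed = {"epg-plc": True, "src": ["web"], "dst": ["mgmt"]}
    print(policy_problems(ok))     # []
    print(policy_problems(mixed))  # ['dst mgmt: epg-addrset=False but policy epg-plc=True']
```

The check is deliberately symmetric: a policy with epg-plc 'false' that references an EPG address-set is reported just like an EPG policy that references a PA-only address-group, because in both cases the policy would be pushed to the wrong device.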

5. Equipment parameter

  • Data-center 'dc1', area 'a1'
    • PA: Panorama device group 'dc1_a1'
    • ACI: tenant t1
  • Data-center 'dc1', area 'a2'
    • PA: Panorama device group 'dc1_a2'
    • ACI: tenant t2
  • Data-center 'dc2', area 'a1'
    • PA: Panorama device group 'dc2_a1'
    • ACI: tenant t1
  • Data-center 'dc2', area 'a2'
    • PA: Panorama device group 'dc2_a2'
    • ACI: tenant t2

6. Global Logic

Essential notes:

  • We don't create EP, EPG, and filters on ACI side. We believe that they are pre-configured
  • We don't create applications. We only use applications provided by PA
  • All PA objects except security rules (addresses, address-groups, services, service-groups, application-groups) must be created using 'shared' Panorama device-group
  • PA security rules should be created using device groups corresponding to the PA VSYS (see 'Equipment parameter' section above).
  • All ACI contracts must be created in the 'common' tenant

For each PSEFABRIC object the creation, deletion and change actions have to be described.

A change is treated as "delete, then create new" (this does not mean that the final equipment configuration will actually delete the object and then create a new one). Thus only creation and deletion have to be taken into account.

For security rules management:

  • Addresses creation/deleting
  device: Panorama, device-group `'shared'`
    commands: `pan_create_address`/`pan_delete_address`
  device: ACI
    commands: n/a
  • Address-sets creation/deleting
  device: Panorama, device-group `'shared'`
    commands: `pan_create_address_set`/`pan_delete_address_set`
  device: ACI
    commands: n/a
  • Services creation/deleting
  device: Panorama, device-group `'shared'`
    commands: `pan_create_service`/`pan_delete_service`
  device: ACI
    commands: n/a
  • Service-sets creation/deleting
  device: Panorama, device-group `'shared'`
    commands: `pan_create_service_set`/`pan_delete_service_set`
  device: ACI
    commands: n/a
  • Applications
  device: Panorama
    commands: n/a
  device: ACI
    commands: n/a
  • Application-sets creation/deleting
  device: Panorama, device-group `'shared'`
    commands: `pan_create_application_set`/`pan_delete_application_set`
  device: ACI
    commands: n/a
  • Policies creation/deleting
  if (source and destination data-centers are the same) and (source and destination areas are the same) and (source and destination zones are the same) and (source and destination subzones are different) then
    device: ACI APIC in the corresponding DC, tenant `'common'`
      commands: `aci_create_policy`/`aci_delete_policy`
    device: Panorama
      commands: n/a
  else if (source and destination data-centers are the same) and (source and destination areas are the same) and (source and destination zones are different) then
    device: ACI APIC
      commands: n/a
    device: Panorama, device group corresponding to the DC/area
      commands: `pan_create_policy`/`pan_delete_policy`
  else if (source and destination data-centers are the same) and (source and destination areas are different) then
    device: ACI APIC
      commands: n/a
    device: Panorama, device group corresponding to the DC/source area
      commands: `pan_create_policy_allapp_dst_transit`/`pan_delete_policy_allapp_dst_transit`
    device: Panorama, device group corresponding to the DC/destination area
      commands: `pan_create_policy_src_transit`/`pan_delete_policy_src_transit`
  else if (source and destination data-centers are different) then
    device: ACI APIC
      commands: n/a
    device: Panorama, device group corresponding to the source DC/source area
      commands: `pan_create_policy_allapp_dst_transit`/`pan_delete_policy_allapp_dst_transit`
    device: Panorama, device group corresponding to the destination DC/destination area
      commands: `pan_create_policy_src_transit`/`pan_delete_policy_src_transit`
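The policy branch of this logic is the part that is easiest to get wrong, so here it is as a function. This is an added example, not the project's psef_logic.py: the device names (`pa_panorama`, `apic_aci_dc1`, `apic_aci_dc2`), the command names, the device-group table and the `'common'` tenant are taken from this page; the `Location` tuple, the `(device, scope, command)` return format and the fail-closed `ValueError` for intra-subzone traffic (a case the logic above does not cover) are assumptions.

```python
# Added example, not PSEFABRIC's psef_logic.py: the policy branch of the
# global logic as a function. Device names, command names, device groups and
# the 'common' tenant come from the page; the Location tuple, the return
# format and the fail-closed ValueError for an uncovered case are assumptions.
from typing import List, NamedTuple, Tuple


class Location(NamedTuple):
    dc: str
    area: str
    zone: str
    subzone: str


# Panorama device group per DC/area (section 5 of the questionnaire).
PAN_DEVICE_GROUP = {
    ("dc1", "a1"): "dc1_a1", ("dc1", "a2"): "dc1_a2",
    ("dc2", "a1"): "dc2_a1", ("dc2", "a2"): "dc2_a2",
}

Target = Tuple[str, str, str]  # (device, device-group or tenant, command)


def policy_targets(src: Location, dst: Location, action: str = "create") -> List[Target]:
    """Return the (device, scope, command) tuples a policy action maps to."""
    if action not in ("create", "delete"):
        raise ValueError(f"unknown action {action!r}")

    def pan(dc: str, area: str) -> str:
        return PAN_DEVICE_GROUP[(dc, area)]

    same_dc = src.dc == dst.dc
    same_area = same_dc and src.area == dst.area
    same_zone = same_area and src.zone == dst.zone

    if same_zone and src.subzone == dst.subzone:
        # The questionnaire has no branch for intra-subzone traffic; fail
        # closed rather than silently generate nothing.
        raise ValueError("intra-subzone policy: not covered by the global logic")
    if same_zone:
        # Same DC/area/zone, different subzones: EPG-to-EPG traffic, so an
        # ACI contract in the 'common' tenant of that DC's APIC.
        return [(f"apic_aci_{src.dc}", "common", f"aci_{action}_policy")]
    if same_area:
        # Same DC/area, different zones: a plain PA rule in the area's device group.
        return [("pa_panorama", pan(src.dc, src.area), f"pan_{action}_policy")]
    # Different areas, whether in the same DC or not: both branches of the
    # page's logic produce the same pair of transit rules, one in the source
    # DC/area device group and one in the destination DC/area device group.
    return [
        ("pa_panorama", pan(src.dc, src.area), f"pan_{action}_policy_allapp_dst_transit"),
        ("pa_panorama", pan(dst.dc, dst.area), f"pan_{action}_policy_src_transit"),
    ]


if __name__ == "__main__":
    web = Location("dc1", "a1", "z1", "web")
    db = Location("dc1", "a1", "z1", "db")
    print(policy_targets(web, db))
    # [('apic_aci_dc1', 'common', 'aci_create_policy')]
    print(policy_targets(web, Location("dc2", "a2", "z1", "db"), "delete"))
    # [('pa_panorama', 'dc1_a1', 'pan_delete_policy_allapp_dst_transit'),
    #  ('pa_panorama', 'dc2_a2', 'pan_delete_policy_src_transit')]
```

The last two branches of the page's logic collapse into one return statement because the device group is always looked up from the source's own DC/area and the destination's own DC/area; the "same DC" test only matters for choosing between the APIC contract and the PA rule.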

The command names used in the psef_logic.py dictionaries are arbitrary. Later they are associated with templates that provide the real configuration commands for the equipment.

7. Configuration data format

We will use CLI for the Palo Alto Panorama configuration and JSON for the Cisco ACI APIC.

8. Templates

We have the next list of commands now:

  • pan_create_address
  • pan_delete_address
  • pan_create_address_set
  • pan_delete_address_set
  • pan_create_service
  • pan_delete_service
  • pan_create_service_set
  • pan_delete_service_set
  • pan_create_application_set
  • pan_delete_application_set
  • aci_create_policy
  • aci_delete_policy
  • pan_create_policy
  • pan_delete_policy
  • pan_create_policy_allapp_dst_transit
  • pan_delete_policy_allapp_dst_transit
  • pan_create_policy_src_transit
  • pan_delete_policy_src_transit

We have to create a template for each command in this list.

See ptemplates.py and acitemplates.py

9. Uploading tools

We use copy & paste for Palo Alto Panorama configuration and Postman application for the REST requests to ACI.
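Because the rendered Panorama commands are pasted into the CLI by hand (section 9), a template in ptemplates.py must never interpolate an object name that has not been validated: a name containing a newline becomes a second command on paste, and one containing spaces becomes extra CLI tokens. The following is an added example, not the project's ptemplates.py, showing a template table for four of the commands from section 8 together with that validation. The `set shared address <name> ip-netmask <prefix>` and `set shared address-group <name> static [ ... ]` lines are standard PAN-OS configure-mode CLI; the `ip-netmask` and `members` input keys, the helper names, the name character set and the sample objects are assumptions.

```python
# Added example, not PSEFABRIC's ptemplates.py: a template table for four of
# the section 8 commands, rendered as Panorama configure-mode CLI with the
# section 4 parameters. The PAN-OS command syntax is standard; the input
# keys, helper names, name character set and sample objects are assumptions.
import ipaddress
import re
from typing import Optional

# Rendered lines are pasted into the Panorama CLI, so a name containing a
# newline or a space would become extra tokens or a second command. Accept a
# conservative character set only; fullmatch (not match) is used so that a
# trailing newline cannot slip past a '$' anchor.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")

TEMPLATES = {
    "pan_create_address":     "set shared address {name} ip-netmask {prefix}",
    "pan_delete_address":     "delete shared address {name}",
    "pan_create_address_set": "set shared address-group {name} static [ {members} ]",
    "pan_delete_address_set": "delete shared address-group {name}",
}


def safe_name(value: str) -> str:
    """Return `value` unchanged if it is safe to interpolate into a CLI line."""
    if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
        raise ValueError(f"object name rejected: {value!r}")
    return value


def render_address(action: str, addr: dict) -> Optional[str]:
    """Render pan_create_address / pan_delete_address; None if configure-addr is false."""
    if not addr["configure-addr"]:
        return None
    name = safe_name(addr["pa-address-obj-name"])
    if action == "create":
        # ip_interface keeps host bits ("10.1.2.5/24" stays as written) but
        # rejects anything that is not an IP address with a prefix length.
        prefix = ipaddress.ip_interface(addr["ip-netmask"])
        return TEMPLATES["pan_create_address"].format(name=name, prefix=prefix)
    if action == "delete":
        return TEMPLATES["pan_delete_address"].format(name=name)
    raise ValueError(f"unknown action {action!r}")


def render_address_set(action: str, aset: dict) -> Optional[str]:
    """Render pan_create_address_set / pan_delete_address_set; None if configure-addrset is false."""
    if not aset["configure-addrset"]:
        return None
    name = safe_name(aset["pa-address-grp-name"])
    if action == "create":
        members = " ".join(safe_name(m) for m in aset["members"])
        return TEMPLATES["pan_create_address_set"].format(name=name, members=members)
    if action == "delete":
        return TEMPLATES["pan_delete_address_set"].format(name=name)
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # Constructed sample objects.
    web1 = {"configure-addr": True, "pa-address-obj-name": "web1", "ip-netmask": "10.1.2.5/32"}
    grp = {"configure-addrset": True, "pa-address-grp-name": "web_grp", "members": ["web1", "web2"]}
    print(render_address("create", web1))      # set shared address web1 ip-netmask 10.1.2.5/32
    print(render_address_set("create", grp))   # set shared address-group web_grp static [ web1 web2 ]
    bad = dict(web1, **{"pa-address-obj-name": "web1\nset shared address evil ip-netmask 0.0.0.0/0"})
    try:
        render_address("create", bad)
    except ValueError as err:
        print(err)  # object name rejected: 'web1\nset shared address evil ip-netmask 0.0.0.0/0'
```

The same `safe_name` guard belongs in the ACI templates as well: a JSON body is not executed on paste, but an EPG `path` or contract name is still copied into a REST request verbatim, so validate it against the expected DN shape before it leaves PSEFABRIC.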
