
ACI ASA Migration Tool???

Matt Carey
Level 1

I have recently been working on an ACI ASA integration. Though it was a challenge to just get basic IP connectivity to the ASA, the real challenge is the function profiles. Once the APIC is managing the ASA, you lose the ability to configure the ASA via CLI or ASDM. When you have an average ASA configuration with 100s of ACL/NAT/Objects, these tasks are difficult to manage via the APIC. Yeah I get that I could try and make a script for moving my CLI to json/xml with python, but it takes a lot of time. I feel that the only way to really slam dunk an ACI ASA integration would be to have a conversion tool and/or be allowed to make changes via CLI/ASDM. Does anyone know if there will be support for either of these options?

1 Reply

admin11111
Level 4

The solution for the ASA management issue is unmanaged mode. ASA unmanaged mode was introduced in the 1.2 release. With an unmanaged ASA in ACI you can still reference the ASA paths for service graphs, but also maintain full CLI/ASDM management. Really the only difference to me between managed and unmanaged mode is the use of static VLANs instead of dynamic. The main thing to watch out for is the order of operations. I would start with unmanaged mode, then set your encaps on your cluster interfaces, and finally deploy your service graphs. Make sure your physical domain VLAN pool with your static VLANs does not contain the same encaps as any of your route peering L3 outs. One more thing, you do not have to set encaps for any route peering service graphs. They will still inherit the L3 out encaps from the service graph.

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Services_Deployment/guide/b_L4L7_Deploy_ver121x/b_L4L7_Deploy_ver121x_chapter_010000.html
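
The VLAN pool caution in the reply above can be checked before deploying service graphs. This is an added example, not part of the original thread: it assumes the static pool blocks and L3Out path attachments were exported as APIC REST class-query JSON (`fvnsEncapBlk` and `l3extRsPathL3OutAtt`), and the sample data, pool name and tenant name are constructed.

```python
import json
import re

# Constructed sample data, shaped like APIC REST class-query responses.
# Pool name (asa-static), tenant (T1) and L3Out names are hypothetical.
POOL = json.dumps({"imdata": [
    {"fvnsEncapBlk": {"attributes": {"from": "vlan-300", "to": "vlan-310",
        "dn": "uni/infra/vlanns-[asa-static]-static/from-[vlan-300]-to-[vlan-310]"}}},
    {"fvnsEncapBlk": {"attributes": {"from": "vlan-400", "to": "vlan-400",
        "dn": "uni/infra/vlanns-[asa-static]-static/from-[vlan-400]-to-[vlan-400]"}}},
]})
L3OUT = json.dumps({"imdata": [
    {"l3extRsPathL3OutAtt": {"attributes": {"encap": "vlan-305",
        "dn": "uni/tn-T1/out-peer-a/lnodep-np/lifp-ifp/rspathL3OutAtt-[topology/pod-1/paths-101/pathep-[eth1/10]]"}}},
    {"l3extRsPathL3OutAtt": {"attributes": {"encap": "vlan-500",
        "dn": "uni/tn-T1/out-peer-b/lnodep-np/lifp-ifp/rspathL3OutAtt-[topology/pod-1/paths-102/pathep-[eth1/10]]"}}},
    # Routed (non-SVI) interfaces carry no VLAN encap and are skipped.
    {"l3extRsPathL3OutAtt": {"attributes": {"encap": "unknown",
        "dn": "uni/tn-T1/out-peer-c/lnodep-np/lifp-ifp/rspathL3OutAtt-[topology/pod-1/paths-103/pathep-[eth1/11]]"}}},
]})

def vlan_id(encap):
    """Return the integer VLAN from an encap string such as 'vlan-305'."""
    m = re.fullmatch(r"vlan-(\d+)", encap)
    if not m:
        raise ValueError(f"not a VLAN encap: {encap!r}")
    return int(m.group(1))

def attrs(doc, cls):
    """Yield the attribute dict of every object of class cls in a response."""
    for item in json.loads(doc)["imdata"]:
        if cls in item:
            yield item[cls]["attributes"]

def find_conflicts(pool_doc, l3out_doc):
    """List (vlan, pool block dn, L3Out path dn) where an L3Out encap falls
    inside a block of the static VLAN pool."""
    blocks = [(vlan_id(a["from"]), vlan_id(a["to"]), a["dn"])
              for a in attrs(pool_doc, "fvnsEncapBlk")]
    conflicts = []
    for a in attrs(l3out_doc, "l3extRsPathL3OutAtt"):
        if not a.get("encap", "").startswith("vlan-"):
            continue
        vid = vlan_id(a["encap"])
        conflicts += [(vid, bdn, a["dn"]) for lo, hi, bdn in blocks if lo <= vid <= hi]
    return sorted(conflicts)

if __name__ == "__main__":
    for vid, block, path in find_conflicts(POOL, L3OUT):
        print(f"VLAN {vid} is in static pool block {block} and used by {path}")
```
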
