FortiGate Connector for Cisco ACI

Operational modes

Cisco APIC integrates with two types of network service devices, distinguished by their operational mode: Go Through or Go To. Normally a device has to be preconfigured as one of these types before its imported package is managed by the APIC.

Go Through Mode (Layer 2)

Devices in Go Through mode are considered Layer 2 devices (from the OSI model) and are sometimes known as transparent. They are called transparent because, while traffic passes through them and can be affected by them, they are not seen by the network and are not a destination in their own right for the traffic. They do not route traffic, and a packet’s destination MAC or IP address never refers to them. In most cases, these devices will only have an address for the purposes of management.

Go To Mode (Layer 3)

Devices in Go To mode are considered Layer 3 (from the OSI model) devices. They can route traffic and they are referenced as the destination in a packet’s destination MAC address or destination IP address.

Multi-tenant multi-device support

Multi-tenant, multi-device deployments are typical use cases for this project, so the support merits a more detailed description. When a FortiGate device is added to a tenant’s L4-L7 services, multi-context awareness can be enabled. This indicates to the device package that the L4-L7 device is going to be a virtual device that shares resources with other tenants on the FortiGate. In the FortiGate implementation, this virtual device is represented by a VDOM. Multiple such virtual devices can be configured under each tenant.

  • The VDOM name is the device name. There is one VDOM per device and one or more devices per tenant.
  • Each tenant sees all available interfaces and can share interfaces (ports) with other tenants if it is multi-context aware. Limitation question (to be confirmed): for a physical device in L3 Routed (Go To) mode, tenants can share a physical interface because a VLAN is used to isolate the physical interface. For a VM device this is not true; only a dedicated vNIC can be used.
  • Each FortiGate device supports only a pair of ports. Another pair requires another device added under the tenant.

When the L4-L7 service is deployed to the FortiGate device, the following logic is performed. For simplicity in the first release, the user may need to enable VDOM during FortiGate pre-configuration.

