Overview
- About Deploying Application-Centric Infrastructure Layer 4 to Layer 7 Services
- Configuring Layer 4 to Layer 7 Services Using the GUI
- About Service Graph Templates
About Deploying Application-Centric Infrastructure Layer 4 to Layer 7 Services
Traditionally, when you insert services into a network, you must perform a highly manual and complicated VLAN (Layer 2) or virtual routing and forwarding (VRF) instance (Layer 3) stitching between network elements and service appliances. This traditional model requires days or weeks to deploy new services for an application. The services are less flexible, operating errors are more likely, and troubleshooting is more difficult. When an application is retired, removing a service device configuration, such as firewall rules, is difficult. Scaling services out or down based on the load is also not feasible.
Although VLAN and virtual routing and forwarding (VRF) stitching is supported by traditional service insertion models, the Application Policy Infrastructure Controller (APIC) can automate service insertion while acting as a central point of policy control. The APIC policies manage both the network fabric and service appliances. The APIC can configure the network automatically so that traffic flows through the services. The APIC can also automatically configure the service according to the application's requirements, which allows organizations to automate service insertion and eliminate the challenge of managing the complex techniques of traditional service insertion.
You must perform the following tasks to deploy Layer 4 to Layer 7 services using the APIC:
- Import the device package
  Only the provider administrator can import the device package.
- Configure a tenant
- Register the device and the logical interfaces
  This task also registers concrete devices and concrete interfaces, and configures concrete device parameters.
- Configure device (logical device) parameters
- Configure a Layer 3 network
- Configure a bridge domain
- Configure an application profile
- Configure a physical domain or a VMM domain
  For a VMM domain:
- Configure a VLAN pool
- Configure a contract
- Configure a management endpoint group (EPG)
- Configure a service graph template
- Select the default service graph template parameters from an application profile
- Configure the service graph template parameters, if needed
- Attach the service graph template to a contract
- Configure additional configuration parameters
Note: Virtualized appliances can be deployed with VLANs as the transport between VMware ESX servers and leaf nodes, and can be deployed only with VMware ESX as the hypervisor.
Configuring Layer 4 to Layer 7 Services Using the GUI
Using the GUI, you can configure the Layer 4 to Layer 7 services for the Application Policy Infrastructure Controller (APIC).
See Using the GUI for the procedures for configuring the services and service graph templates.
About Service Graph Templates
The Cisco Application Centric Infrastructure (ACI) allows you to define a sequence of meta-devices, such as a firewall of a certain type followed by a load balancer of a certain make and version. This is called a service graph template, also known as an abstract graph. When a service graph template is referenced by a contract, the service graph template is instantiated by mapping it to concrete devices, such as the firewall and load balancers that are present in the fabric. The mapping happens with the concept of a "context". The "device context" is the mapping configuration that allows the ACI to identify which firewalls and which load balancers can be mapped to the service graph template. Another key concept is the "logical device", which represents the cluster of concrete devices. The rendering of the service graph template is based on identifying the suitable logical devices that can be inserted in the path that is defined by a contract.
The ACI treats services as an integral part of an application. Any services that are required are treated as a service graph that is instantiated on the ACI fabric from the Cisco Application Policy Infrastructure Controller (APIC). Users define the service for the application, while service graph templates identify the set of network or service functions that are needed by the application. Once the graph is configured in the APIC, the APIC automatically configures the services according to the service function requirements that are specified in the service graph template. The APIC also automatically configures the network according to the needs of the service function that is specified in the service graph template, which does not require any change in the service device.
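The mapping from a service graph template to concrete devices described above can be pictured with a simplified model. This is an added example, not Cisco code or the APIC object model; the class names, the keying of a device context by contract, graph and node, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified model: class and field names are hypothetical, not APIC object names.
@dataclass(frozen=True)
class LogicalDevice:
    name: str
    function: str            # e.g. "firewall" or "load-balancer"
    concrete_devices: tuple  # cluster members present in the fabric

@dataclass(frozen=True)
class DeviceContext:
    contract: str
    graph: str
    node: str
    logical_device: str      # logical device selected for this node

def render(graph_name, nodes, contract, contexts, logical_devices):
    """Map each (node, function) of a template to a logical device.

    Returns (mapping, errors); the graph is usable only if errors is empty.
    """
    ldevs = {d.name: d for d in logical_devices}
    ctx = {(c.contract, c.graph, c.node): c.logical_device for c in contexts}
    mapping, errors = [], []
    for node, function in nodes:
        ldev_name = ctx.get((contract, graph_name, node))
        if ldev_name is None:
            errors.append(f"{node}: no device context for contract {contract}")
            continue
        ldev = ldevs.get(ldev_name)
        if ldev is None:
            errors.append(f"{node}: logical device {ldev_name} not defined")
        elif ldev.function != function:
            errors.append(f"{node}: {ldev_name} is a {ldev.function}, need {function}")
        elif not ldev.concrete_devices:
            errors.append(f"{node}: {ldev_name} has no concrete devices")
        else:
            mapping.append((node, ldev.name, ldev.concrete_devices))
    return mapping, errors

# Constructed sample data: a firewall followed by a load balancer.
NODES = [("FW", "firewall"), ("LB", "load-balancer")]
LDEVS = [LogicalDevice("fw-cluster", "firewall", ("fw-1", "fw-2")),
         LogicalDevice("lb-cluster", "load-balancer", ())]
CONTEXTS = [DeviceContext("web-to-app", "web-graph", "FW", "fw-cluster"),
            DeviceContext("web-to-app", "web-graph", "LB", "lb-cluster")]

if __name__ == "__main__":
    print(render("web-graph", NODES, "web-to-app", CONTEXTS, LDEVS))
```

In the sample data the firewall node resolves to its cluster, while the load balancer node is reported as an error because its logical device has no concrete devices.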
