BRKACI-2504 Cisco Security on ACI, MicroSegmentation, ASA, FirePower. Brenden Buresh DC Technical Solutions Architect
2 BRKACI-2504 Cisco Security on ACI, MicroSegmentation, ASA, FirePower Brenden Buresh DC Technical Solutions Architect
3 Agenda: Introduction (Data Center Security); ACI Fundamental Building Blocks; ACI Tenant Whitelist Security; ACI Fabric Infrastructure Security; ACI Fabric Micro-Segmentation; Extending ACI Security Outside the DC; Conclusion: ACI = Advanced Security
4 Introduction: Data Center Security
5 Security Threats are Trending Higher Cisco Annual Security Report 2016
6 Organizational Security Confidence Slipping Cisco Annual Security Report 2016
7 What Is the Problem Facing IT Organizations? The complexity of traditional infrastructure: network complexity dictates application deployment and operation; the logical and physical layers are rigidly and tightly coupled, so one intentional change yields many unintended changes; organizational silos require constant "language translation"; the environment is fragile ("Don't touch it!"), so code upgrades, configuration changes and new devices stifle innovation; and it is insecure, because box-by-box configuration is error prone and makes compliance hard.
8 Why Has Policy Become Table Stakes? A policy-driven infrastructure delivers network simplification via policy automation. A policy (UCS Service Profile, Application Network Profile, Security Profile) spans compute, L4-7 services, storage, management, security, network and orchestration, and yields operational simplicity, application centricity, security and compliance, and multi-vendor innovation.
9 Policy: Links Application Language to Infrastructure. Application language covers application tier policy and dependencies, security requirements, service level agreement, application performance, compliance and geo dependencies. A common policy (Application Network Profile, UCS Service Profile) is a policy-driven profile that decouples application and infrastructure policy from the underlying infrastructure, which speaks network language, compute/storage language and security language.
10 ACI Fundamental Building Blocks
11 Application Centric Infrastructure Automating IT by Making Applications the Focal Point Agile, Open and Secure Business Requirements Applications Policy Integrated Physical and Virtual POLICY POLICY L4-7 SERVICES COMPUTE SECURITY STORAGE
12 ACI Solution: Agile, Open, and Secure. Agile: application requirements drive network deployment and operation; policy automation; speed through automation; physical and virtual endpoints with consistent policy; application health monitoring; hardware-based VXLAN gateway; scale and performance; visibility. Open: open APIs, open source and open standards; partner ecosystem; customer choice and interoperability drive innovation. Secure: multi-tenant security and compliance; whitelist approach; multitenant aware; simplified compliance.
13 Building Blocks (Pillars) of ACI Rapid Application Deployment via Open Networks with Scale, Security, Full Visibility Application Centric Infrastructure Industry Leading Technology Partnerships ACI Fabric/Nexus 9000 Application Centric Policy Open Ecosystem
14 Cisco ACI Fabric: Nexus 9500 modular switches and Nexus 9300 fixed switches. Innovations in hardware and system design: performance, port density, power efficiency, programmability, price. Innovations in Cisco NX-OS software: improved application performance, integrated overlay capabilities, programmability and automation.
15 ACI Policy-Driven Network: Application Network Profiles. Policies are used to create a policy-driven network: end point groups, contracts and service graphs create ANPs, and the system configures the hardware automatically. Roughly by role: the Application SME owns the application profiles (Web EPG, App EPG, Database EPG as consumer and provider EPGs, with contracts between them); the Security SME owns the security policy and the Layer 4-7 service graphs (firewalls, load balancers, IPS, IDS); the Network SME owns the network, bare-metal and virtualization policy (leaf node names, VLAN and IP pools, switch profiles, interface policies, Attachable Access Entity Profiles, bridge domains, EPGs).
16 ACI: A Policy-Based IP Network. An IP network with integrated VXLAN and proxy (directory) services; the APIC is the policy controller and holds the Distributed Management Information Tree (DMIT). Physical and virtual VTEPs (leaf switches and AVS) are the policy and forwarding edge nodes; VXLAN encapsulates the IP payload between VTEPs. Attached are physical and virtual endpoints (servers) with VMM (hypervisor vswitch) integration, physical and virtual L4-7 service nodes, and WAN/DCI services.
17 ACI Is a Robust Network Fabric. It provides a new communication abstraction model and a single point of orchestration: different administrative groups use the same interface, with a high level of object sharing. Define endpoint groups (e.g. Users, Files): any endpoints anywhere within the fabric, virtual or physical. Create contracts between endpoint groups (e.g. all TCP/UDP: accept or redirect; a given UDP port: prioritize; all other: drop): port-level rules to drop, prioritize or push to a service chain, as reusable templates that the security administrator defines generically in the APIC and makes available for contract creation. The fabric enforces ingress fabric rules: hardware rules on each port, security in depth, embedded QoS, single-pass services via the service graph.
18 Application Centric Infrastructure Fabric Flat Hardware Accelerated Network ACI Fabric Full abstraction, de-coupled from VLANs and Dynamic Routing, low latency, built-in QoS Flexible Insertion Fabric Port Services Every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling Hardware filtering and bridging; default gateway; seamless service insertion, service farm aggregation Unified Management and Visibility ACI Controller manages all participating devices, change control and audit capabilities Files Users Logical Endpoint Groups by Role Heterogeneous clients, servers, external clouds; fabric controls communication
19 ACI Policy Instantiation Logical Network Provisioning of Stateless Hardware F/W ADC WEB ADC APP DB ACI Policy APIC ACI Fabric Integrated GBP VXLAN Overlay Application Policy Infrastructure Controller
20 Application Policy Infrastructure Controller Centralized Automation and Fabric Management Unified point of Data Center network automation and management: Data Model based declarative provisioning Application, Topology Monitoring, & Troubleshooting 3 rd party Integration (L4-L7 Services, Storage, Compute, WAN, ) Image Management (Spine / Leaf) Fabric Inventory Centralized Access to all Fabric information - GUI, CLI and RESTful API s Extensible to compute and storage management Layer 4..7 Open RESTful API Policy-Based Provisioning System Management APIC Storage Management Storage SME Orchestration Management Server SME Network SME Security SME App. SME OS SME
21 Application Centric Infrastructure Vision: Open Ecosystem, Open APIs. Automation, hypervisor management, enterprise monitoring, systems management and orchestration frameworks consume the Application Network Profile through the APIC (centralized policy management; open APIs, open source, open standards), which drives the fabric: physical networking, hypervisors and virtual networking, compute, L4-L7 services, storage.
22 Cisco ACI Built on Open Architectures. Open source (DevOps), open standards (VXLAN, NSH, OpFlex), open interfaces (RESTful APIs, XML) and an open ecosystem (UCS, Security, ACI, Intercloud, IoT).
23 ACI Tenant Whitelist Security
24 ACI Goal: Common Policy and Operations Framework. The Cloud Admin, Application Admin (Web tier, App tier, DB tier), Security Admin (external zone, DMZ, trusted zone) and Network Admin each describe the same application in their own terms.
25 ACI Goal: Common Policy and Operations Framework. The same administrators share a common pool of resources, with the application and security views mapped onto it.
26 ACI Policy Model Brings the Concept of the End-Point Group. EPGs are a grouping of end-points representing an application or application components, independent of other network constructs. Example: EPG Web groups HTTP and HTTPS services.
27 End-Points and EPG membership Server Virtual Machines & Containers Storage Device connected to network directly or indirectly Has address (identity), location, attributes (version, patch level) Can be physical or virtual or container Examples: End Point Group (EPG) membership defined by: Ingress physical port (leaf or FEX) Ingress logical port (VM port group) VLAN ID VXLAN (VNID) IP address (so far only applicable to external/border leaf connectivity) IP Prefix/Subnet (so far only applicable to external/border leaf connectivity) NVGRE (VSID) (future) VM-based attributes (future) Layer 4 ports (future) Client
28 EPGs, Subnets, and Policy. EPGs separate the addressing of an application from its mapping and policy enforcement on the network. Policy and security enforcement occurs at the EPG level, e.g. EPG WEB-1 and EPG WEB-2 may each contain HTTP and HTTPS services, with traffic between the two EPGs dropped unless a contract allows it.
29 ACI Enables Segmentation Based on Business Needs New PRODUCTION POD DMZ DEV VLAN 1 VXLAN 2 WEB WEB TEST APP SHARED SERVICES PROD VLAN 3 DB WEB OVS/OpFlex VM Basic DC Network Segmentation Segment by Application Lifecycle Network centric Segmentation Per Application-tier / Service Level Micro-Segmentation Intra-EPG Container Security Micro-Segmentation Level of Segmentation/Isolation/Visibility
30 ACI and Today s 3-Tier applications Web App Network Profile The Application App DB Outside Client(s) QoS QoS QoS P Service P P Filter Filter P = Defined Policy Could be many VMs or containers Mostly physical resources Could be mix of physical/virtual machines/containers
31 Application Network Profiles (ANP). Application Network Profiles are a group of EPGs (e.g. EPG-WEB, EPG-APP, EPG-DB) and the policies that define the communication between them, expressed as inbound/outbound policies in the policy model.
32 Applying Policy between EPGs: ACI Contracts. Contracts define the way in which EPGs interact. The policy model allows for both unidirectional and bidirectional policies: for example, Contract 01 between EPG A and EPG B can be bidirectional while Contract 02 between EPG B and EPG C is unidirectional. Example: the ACI logical model applied to the 3-tier application ANP.
33 Building ACI Contracts. A subject is a combination of a filter (e.g. TCP port 80), an action (e.g. permit) and a label (e.g. Web Access). Contracts are groups of subjects (Subject 1, Subject 2, Subject 3) which define communication between source and destination EPGs.
34 Policy Options: Actions. There are six policy options supported: permit the traffic, deny (block) the traffic, redirect the traffic, log the traffic, copy the packet, and mark the packet (DSCP/CoS). Policy encompasses traffic handling, quality of service, security monitoring and logging.
35 Application Network Profiles (ANP) & ACI: How It Works. The app profile (F/W, ADC, WEB, ADC, APP, DB) carries the SLA, QoS, connectivity policy and security policies; it is rendered across L4-7 services (security, load balancing, QoS), storage and compute, and the hypervisors that host the application.
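The following is an added example, not code from the deck or from APIC: a toy evaluator for the whitelist model on slides 32-34 (EPGs, contracts, subjects, filters, actions). The class names, the "deny wins" tie-break, the sample three-tier ANP and the use of an Intra-EPG Isolation set (the feature described later in the deck) are this example's own constructions.

```python
"""Toy model of ACI tenant whitelist enforcement (example code, not APIC's)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FilterEntry:
    """One filter entry: protocol plus a destination port range."""
    protocol: str                  # "tcp", "udp", "icmp" or "unspecified" (any)
    dport_from: int = 0
    dport_to: int = 65535

    def matches(self, protocol: str, port: int) -> bool:
        return (self.protocol in ("unspecified", protocol)
                and self.dport_from <= port <= self.dport_to)


@dataclass(frozen=True)
class Subject:
    """Filter entries + action + direction; a contract is a group of subjects."""
    name: str
    entries: Tuple[FilterEntry, ...]
    action: str = "permit"         # permit, deny, redirect, log, copy, mark
    bidirectional: bool = True     # apply both directions with reversed filter ports


@dataclass(frozen=True)
class Contract:
    name: str
    provider: str                  # EPG that provides the service
    consumer: str                  # EPG that initiates towards the provider
    subjects: Tuple[Subject, ...]


# Assumed tie-break when several subjects match one flow: the most restrictive wins.
ACTION_PRIORITY = ("deny", "redirect", "copy", "log", "mark", "permit")


def evaluate(contracts: List[Contract], isolated_epgs: Set[str], src_epg: str,
             dst_epg: str, protocol: str, sport: int, dport: int) -> str:
    """Action applied to a flow src_epg -> dst_epg. Whitelist: no match means 'deny'.
    Traffic inside one EPG is permitted unless that EPG has Intra-EPG Isolation on."""
    if src_epg == dst_epg:
        return "deny" if src_epg in isolated_epgs else "permit"
    hits: List[str] = []
    for c in contracts:
        forward = src_epg == c.consumer and dst_epg == c.provider
        reverse = src_epg == c.provider and dst_epg == c.consumer
        if not (forward or reverse):
            continue
        for s in c.subjects:
            if forward and any(e.matches(protocol, dport) for e in s.entries):
                hits.append(s.action)
            # Return direction: the filter's destination port is now the source port.
            # The fabric filter is stateless, so this also admits provider-initiated
            # flows that happen to be sourced from the service port.
            elif reverse and s.bidirectional and any(
                    e.matches(protocol, sport) for e in s.entries):
                hits.append(s.action)
    return min(hits, key=ACTION_PRIORITY.index) if hits else "deny"


def three_tier_demo() -> Dict[str, str]:
    """Constructed 3-tier ANP: WEB -> APP on tcp/8080-8090 (8090 denied, tcp/80 redirected
    to a service graph), APP -> DB on tcp/3306, nothing between WEB and DB."""
    contracts = [
        Contract("web-to-app", provider="APP", consumer="WEB", subjects=(
            Subject("app-ports", (FilterEntry("tcp", 8080, 8090),)),
            Subject("block-admin", (FilterEntry("tcp", 8090, 8090),), action="deny"),
            Subject("insert-fw", (FilterEntry("tcp", 80, 80),), action="redirect"),
        )),
        Contract("app-to-db", provider="DB", consumer="APP", subjects=(
            Subject("sql", (FilterEntry("tcp", 3306, 3306),)),
        )),
    ]
    isolated = {"WEB"}   # WEB EPG has Intra-EPG Isolation enabled

    def ev(src, dst, proto, sport, dport):
        return evaluate(contracts, isolated, src, dst, proto, sport, dport)

    return {
        "web_to_app_8080": ev("WEB", "APP", "tcp", 51000, 8080),   # permit
        "app_reply_to_web": ev("APP", "WEB", "tcp", 8080, 51000),  # permit (reverse port)
        "web_to_app_8090": ev("WEB", "APP", "tcp", 51001, 8090),   # deny wins over permit
        "web_to_app_80": ev("WEB", "APP", "tcp", 51002, 80),       # redirect
        "web_to_db_3306": ev("WEB", "DB", "tcp", 51003, 3306),     # deny: no contract
        "app_to_db_ssh": ev("APP", "DB", "tcp", 51004, 22),        # deny: no filter hit
        "web_to_web": ev("WEB", "WEB", "tcp", 51005, 80),          # deny: isolated EPG
        "app_to_app": ev("APP", "APP", "tcp", 51006, 80),          # permit: same EPG
        "db_initiates_to_app": ev("DB", "APP", "tcp", 3306, 51007),  # permit (stateless)
    }


if __name__ == "__main__":
    for flow, action in three_tier_demo().items():
        print(f"{flow:22s} {action}")
```

The last case is the practitioner's caveat: because the fabric filter is stateless (slide 56 calls it a distributed stateless firewall), a bidirectional subject with reversed ports lets the provider open connections back to the consumer as long as it sources them from the service port; the deck's answer is to insert an ASA through a service graph where L4 state is required.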
36 Example of an Application Mapped to ACI
37 ACI Embedded Tools Endpoint Tracker Application that reads all of the Endpoints from APIC Registers for Endpoint add/delete Punch clock for Endpoints Who (MAC, IP ) What (Tenant, App, EPG) Where (Interface) When (Timestamps) Web1 App1 DB1 Determine what was on network at any time Web2 App2 DB2 SQL or GUI frontend SQL Web3 App3 DB3
38 ACI Embedded Tools Diagrams A whiteboard diagram of an applications deployed security policy
39 Automating Infrastructure: Dynamic Endpoint Attachment. ACI policy: allow HR-EPG inbound to HR-Web EPG. ASA and F5 object-groups keep policies up to date without manual configuration: web servers are immediately available when added to DNS. The ACI fabric automatically updates the ASA and F5 with new endpoints connecting to the network for HR-EPG, and removes endpoints when they disconnect from the network.
40 Dynamic Update to EPG Object-Group. 1: Enable attachment notification on the function connector (internal). 2: APIC creates an object-group for the EPG. 3: APIC adds new endpoints to the object-group. APIC dynamically detects a new endpoint; the ASA subscribes to the attach/detach event and automatically adds the endpoint to the object-group, so the ACE that references the object-group does not change. Consumer: web; provider: app. Resulting ASA configuration (host addresses were not captured in the transcription):
object-group network $EPG$_podA-myapps-app
 network-object host
 network-object host
access-list access-list-inbound extended permit tcp any object-group $EPG$_podA-myapps-app eq www
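As an added illustration of the attach/detach handling on slide 40 (example code, not the ASA device package): a small function that folds endpoint notifications into per-EPG object-group membership and emits the ASA CLI needed to converge. The event dictionaries are a constructed stand-in for the APIC notification format; the object-group naming pattern follows the slide, but the tenant/app/EPG fields that feed it are assumed.

```python
"""Keep an ASA object-group in sync with EPG endpoint attach/detach events (example code)."""
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple


def object_group_name(tenant: str, app: str, epg: str) -> str:
    # Naming pattern shown on the slide: $EPG$_<tenant>-<app>-<epg> (fields assumed)
    return f"$EPG$_{tenant}-{app}-{epg}"


def apply_endpoint_events(members: Dict[str, Set[str]], events: List[dict]) -> List[str]:
    """Update membership in place and return ASA CLI lines that converge the firewall.

    Duplicate attaches and detaches of unknown hosts emit nothing, so replaying a
    notification stream is idempotent; unknown event types are rejected loudly.
    """
    cli: List[str] = []
    for ev in events:
        ip = str(ip_address(ev["ip"]))      # validate before the address reaches the CLI
        og = object_group_name(ev["tenant"], ev["app"], ev["epg"])
        hosts = members.setdefault(og, set())
        if ev["event"] == "attach":
            if ip not in hosts:
                hosts.add(ip)
                cli += [f"object-group network {og}", f" network-object host {ip}"]
        elif ev["event"] == "detach":
            if ip in hosts:
                hosts.remove(ip)
                cli += [f"object-group network {og}", f" no network-object host {ip}"]
        else:
            raise ValueError(f"unknown endpoint event {ev['event']!r}")
    return cli


def inbound_ace(og: str, port: str = "www") -> str:
    """The ACE stays constant; only the object-group contents move."""
    return f"access-list access-list-inbound extended permit tcp any object-group {og} eq {port}"


def demo() -> Tuple[Dict[str, Set[str]], List[str]]:
    # Constructed notification stream: two app servers join, one re-announces, one leaves.
    events = [
        {"event": "attach", "tenant": "podA", "app": "myapps", "epg": "app", "ip": "10.1.20.11"},
        {"event": "attach", "tenant": "podA", "app": "myapps", "epg": "app", "ip": "10.1.20.12"},
        {"event": "attach", "tenant": "podA", "app": "myapps", "epg": "app", "ip": "10.1.20.11"},
        {"event": "detach", "tenant": "podA", "app": "myapps", "epg": "app", "ip": "10.1.20.12"},
    ]
    members: Dict[str, Set[str]] = {}
    cli = apply_endpoint_events(members, events)
    return members, cli


if __name__ == "__main__":
    state, lines = demo()
    print("\n".join(lines))
    print(inbound_ace(object_group_name("podA", "myapps", "app")))
    print(state)
```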
41 ACI Fabric Infrastructure Security
42 APIC Communicating to the Network: Infrastructure VRF. Switch nodes have: 1. inband access to the Infra and Mgmt VRFs; 2. a management port (OOB); 3. a console port. Each APIC has: 1. two ports attached to the fabric for data; 2. two ports for management (OOB); 3. one console Ethernet port (can only be used for a direct laptop hookup); 4. CIMC/IPMI ports. Infra VRF: used for inband APIC-to-switch-node communication, currently not routable outside the fabric (Multi-Fabric and Remote Leaf will both allow extension of the Infra VRF in the future). Inband Management VRF: a tenant VRF created for inband access to switch nodes. OOB Management Network: the dedicated management ports of the APICs and switch nodes.
43 APIC First Time Setup. APIC one-time setup is via UCS console access (values shown in brackets are the prompts' defaults; the addresses were not captured in the transcription). Cluster configuration: Fabric Name; Number of controllers [1..9]; Controller ID [1..9]; TEP Address pool [ /16]; Infra VLAN ID [4093]. Out-of-band management configuration: Management IP address [ /254]; Default gateway [ ]. Admin user configuration: Enable strong passwords (Y/N); Password. After first-time setup, the APIC UI is accessible via URL.
44 APIC Fabric Login Screen
45 APIC & ACI System Security. Two modes of access to the REST interface: a web token obtained by logging in over SSL, or X.509 certificate based access, where each REST request is signed with the user's private key (RSA keys of 1024, 1536 or 2048 bits). The same SSL certificate is presented by all APICs to external HTTPS connections; Cisco-signed certificates ship with the switch and APIC. Two-factor authentication is supported. Practitioner's caveat: 1024-bit RSA is below current guidance (NIST disallowed 1024-bit keys for signature generation after 2013), so generate 2048-bit keys for request signing.
46 Chain of Trust for ACI Nodes (APIC to Switch). 1. Establish an SSL connection and exchange public key certificates. 2. For additional security, a shared secret or the device serial number can optionally be exchanged (post FCS). 3. After successful validation, the connection is ready. 4. Messages are authenticated with an HMAC digest.
47 Chain of Trust for ACI Nodes (APIC). Secure container based BASH (ishell): no root access for customers (TAC only). The APIC ISO is encrypted and the keys are stored in the APIC TPM; RPMs are not visible. Secure trusted executables; secure-mode installer.
48 Chain of Trust for ACI Nodes (Switches). Chain of trust for images on switch nodes: the Anti-Counterfeit Technology-2 hardware security module (ACT2 HSM) validates the FPGA software, the ROMMON software, the switch preboot image and the switch full image. Switch images carry a signed hash: generate a SHA-512 hash and create an RSA-2048 signature using the Insieme RSA-2048 private key. The build system is FIPS compliant; that standard requires software to be digitally signed and verified for authenticity and integrity prior to load and execution. Cisco maintains the Abraxas build system, which keeps private keys secure and provides signing services via SSH/HTTPS APIs.
49 Fabric Initialization & Maintenance. Topology discovery via LLDP using ACI-specific TLVs (ACI OUI). Loopback and VTEP IP addresses are allocated from the Infra VRF via DHCP from the APIC. The ACI fabric supports discovery, boot, inventory and systems maintenance processes via the APIC: fabric discovery and addressing, image management, topology validation through the wiring diagram and system checks.
50 Fabric Initialization & Maintenance. 1) APIC bootstrap configuration: APIC cluster configuration, fabric name, TEP address space (Infra VRF). All nodes in the same APIC cluster should contain the same bootstrap information if they are intended to form a cluster. 2) A leaf switch discovers the attached APIC via LLDP and requests a TEP address and boot file via DHCP. 3) A spine switch discovers the attached leaf via LLDP and requests a TEP address and boot file via DHCP. 4) The fabric self-assembles starting from multiple APIC sources, so it can be discovered and initialized from multiple sources concurrently. 5) The APIC cluster forms when members discover each other via the Appliance Vector (AV).
51 Fabric Initialization & Maintenance: Node Identity Policy. Assigns an ID and name to switches based on serial number, controls which switches can join the fabric, and allows zero-touch provisioning of switches. Example POST:
<fabricNodeIdentPol>
  <fabricNodeIdentP serial="TNAX234ZA" name="leaf1" nodeId="101"/>
  <fabricNodeIdentP serial="JNAX234ZZ" name="leaf2" nodeId="102"/>
  <fabricNodeIdentP serial="KLAX234ZZ" name="spine1" nodeId="103"/>
</fabricNodeIdentPol>
52 APIC Image Management Covers multiple items like: Compatibility Catalog Checks at upgrade / downgrade events such as configuration Switch image management Leaf and Spine switches APIC image management Policy controller cluster Image repository on APIC Admin Firmware Fabric Node Firmware
53 Fabric Initialization & Maintenance All-Spines All-Leafs All-APICs APIC Cluster APIC APIC APIC ACI Fabric leverages the same Global Catalogue methodology as UCS, the supported HW/SW matrix, image versioning, APIC and switch node image management controlled via APIC policies Policies control which images should be on which groupings of devices, when the images should be upgraded/downgraded Also control the upgrade process, automatic, manual step by step,
54 ACI Fabric Micro- Segmentation Security
55 Spectrum of Micro-Segmentation Segmentation Micro-Segmentation Per EPG Per vnic
56 ACI Security: Automated Security with Built-In Multi-Tenancy. Embedded security: distributed stateless firewall, line-rate security enforcement, white-list firewall policy model, authenticated northbound API (X.509), encrypted management plane (TLS 1.2). Micro-segmentation: VMware AVS, VDS (available 1H CY 2016), Microsoft Hyper-V and bare-metal workloads; intra end point group isolation; attribute-based isolation and quarantine. Security automation: ACI service graph, open integration of any security device, dynamic service insertion and chaining, security policy follows workloads, centralized security provisioning and visibility.
57 Cisco ACI Delivers Micro-Segmentation: Flexible, Granular, Consistent. Three levels: EPG based (basic DC segmentation by VLAN 1 / VXLAN 2 / VLAN 3 for PROD, POD, DMZ and Shared Services; network-centric segmentation; application lifecycle segmentation DEV/TEST/PROD; service level segmentation Web/App/DB), attribute based (application-tier policy groups keyed on IP, OS such as Linux, or Name such as Video, used to quarantine compromised workloads), and intra-EPG based (Intra-EPG Isolation to isolate workloads within an application tier, versus the default where all workloads in an EPG can communicate). ACI benefits: policy-driven micro-segmentation for any workload on VMware VDS, Microsoft Hyper-V, KVM (future), Cisco AVS and physical servers.
58 Cisco ACI Security Options: Policy-Driven Micro-Segmentation and Intra-EPG Isolation. Attribute-based micro-segments (IP = x, OS = Linux, Name = Video-*) on DVS, AVS, the Hyper-V switch and KVM (future) each sit behind a firewall, so an infected VM with Guest OS = Linux can be quarantined in place. Intra-EPG Isolation on the Web EPG and DB EPG stops local switching between endpoints of the same EPG on the virtual switch in the hypervisor. Combined they give hypervisor-agnostic micro-segmentation for any virtual workload, and Intra-EPG Isolation plus micro-segmentation for any workload (physical or virtual), on top of the same segmentation levels as the previous slide (basic DC, network-centric, application lifecycle, service level).
59 Intra-EPG Isolation. The 1.2.2x/11.2.2x release added Intra-EPG Isolation support for: 1. VMware DVS (i.e. AVS not required); 2. bare metal. When Intra-EPG Isolation is enabled, ALL endpoints in the EPG are isolated (all isolated endpoints must be in the same EPG). Physical and virtual endpoints in the same EPG can be isolated; partial Intra-EPG isolation of endpoints is not supported.
60 Micro-Segmentation. Micro-Segmentation = attribute-based EPG + contract (optional). Attributes are VM attributes or networking attributes such as IP and MAC. Two main use cases: 1. quarantine (i.e. no EPG contract); 2. micro-segments (with contract policy). The 1.2.1x/11.2.1x release adds micro-segmentation for Microsoft Hyper-V; the 1.2.2x/11.2.2x release adds it for VMware DVS (i.e. AVS not required). Note: L4 state and connection inspection require an ASA. Support by ACI release: VMware + AVS: 1.1.1x/11.1.1x; Microsoft Hyper-V: 1.2.1x/11.2.1x; multi-hypervisor: 1.2.1x/11.2.1x; VMware DVS: 1.2.2x/11.2.2x; Intra-EPG Isolation: 1.2.2x/11.2.2x; Intra-EPG Isolation + Micro-Segmentation: 1.2.2x/11.2.2x.
61 Intra-EPG DVS Micro-Segmentation with ASA 5500-X: Joint Solution Proposal (network-only stitching, ASA 5500-X with FirePOWER services). 1. Intra-EPG micro-segmentation: on the DVS, VM isolation with PVLAN gets traffic to the leaf switch; the ACI leaf uses MAC/IP-EPG to re-classify traffic and stitches in the service node. 2. Stateful firewall with the ASA 5500-X: stateful inspection and ASA security features, FirePOWER services with 50k-1M IPS sessions.
62 ACI Security Certifications (certification names were not captured in the transcription; statuses ranged from Complete, through targets of Dec 15 and Jan/Feb 16, to Planning).
63 Landscape of ACI Security Partners Orchestration PaaS Automation Security & Governance Analytics Enterprise Monitoring Operations Security Cloud Orchestration and Management Big Data & Analytics Northbound Partners Southbound Partners Open Infra. ADC L4-L7 Services Security Security & Services Fabric Attached Devices
64 EPG (End Point) Classification. An endpoint is a workload unit (server, virtual machine or container, storage, client) connected to the network directly or indirectly; it has an address (identity), a location and attributes (version, patch level), and can be physical, virtual or a container. End Point Group (EPG) membership is defined by: ingress physical port (leaf or FEX); ingress logical port (VM port group); VLAN ID (e.g. EPG1 on VLAN 10, permit destination port 80 to EPG2 on VLAN 20); VXLAN (VNID); IP prefix/subnet (so far only applicable to external/border leaf connectivity); VM-based attributes; IP address and subnet (/32 or /n) from the 1.2.1x/11.2.1x release; MAC address (on the roadmap).
65 IP Based EPGs: support for IP-based EPGs on PhysDom, L2Out and L3Out. The 1.2.1x/11.2.1x release supports IP-EPG classification on physical leafs only, in a physical domain (i.e. no VMM domain). IP-EPGs are very flexible and granular: they can be defined for any IPv4 host (/32) or prefix (/n mask), and IP-EPG derivation is based on longest-prefix match in hardware. Each IP-EPG gets its own class-id, which is used as the source-group or destination-group when a security policy (contract) is applied. Only inter-EPG policy contracts are supported. Note: L3 bridge domains only, because an L2 bridge domain cannot do IP learning. IP-EPGs require the E version of the 93xx (Donner-C hardware). Example mapping (prefixes not captured in the transcription): L3Out = EPG_DNS; L2Out = LXC_Web, LXC_App, LXC_App; EPG_Filer_, EPG_Filer_, EPG_Filer_3.
66 IP Based EPG, Use Case 1: Shared Storage for Each Customer. A different security policy is needed for logical storage volumes that use the same VLAN (VLAN 10) and the same MAC but different IPs: storage for customer A is reachable only from customer A's servers, storage for customer B only from customer B's servers, across ESXi hosts.
67 IP Based EPG, Use Case 2: Docker Containers. A different security policy is needed for containers that use the same VLAN but different IPs (LXC_Web, LXC_App, LXC_App2; addresses not captured in the transcription).
68 Microsoft Hyper-V: Attribute Based EPG and Micro-Segmentation. Feature description: this feature allows granular EPG derivation based on various VM attributes such as VM name, guest OS, MAC, IP, etc. Prior to the 1.2.1x/11.2.1x release it was available for virtual endpoints attached with the Cisco AVS distributed virtual switch (B release) and not with the VMware DVS; in 1.2.1x/11.2.1x it is added for ACI + SCVMM integration as well. Note: this does not provide an intra-EPG security policy. Use cases: isolate a malicious VM; create security across zones. Benefit: extra security and segmentation without changing the port-group association of servers.
69 Microsoft Hyper-V, Use Case 1: Isolate a Malicious VM. Problem: a vulnerability is detected in a particular type of operating system (e.g. Windows), and the network security administrator would like to isolate all Windows VMs. Solution: define a security EPG with the criterion Operating System = Windows. No contracts are provided or consumed by this EPG, so it stops all inter-EPG communication for the matching VMs (Web03, App03 and DB03 in the example, while the Linux VMs Web01/02, App01/02 and DB01/02 are unaffected). No VM attach/detach or placement of the VM into a different port-group is needed.
70 Microsoft Hyper-V, Use Case 2: Security Across Zones. Problem: VMs belonging to different departments (e.g. HR, Sales) or different roles (production, test) are placed in the same port-group, but isolation across departments is required (e.g. HR-Web-VM should not be able to talk to Sales-Web-VM). Solution: define EPGs that match if the VM name contains a given string (e.g. HR, Sales); each attribute-based EPG (HR-Web with criterion "VM name contains HR", Sales-Web with "VM name contains Sales") can have its own security policies.
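The following is an added example, not code from the deck or from APIC: it implements the two classification mechanisms described above, IP-based EPGs with longest-prefix match and per-EPG class-id (slide 65), and attribute-based uSeg EPGs keyed on OS, VM name, IP or MAC (slides 68-70), including a quarantine EPG with no contracts. The class-id values, the precedence field used to resolve overlapping uSeg EPGs, the "match all criteria" semantics and the sample inventory are all constructed for the example.

```python
"""Endpoint-to-EPG classification with IP-EPGs and attribute-based uSeg EPGs (example code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    mac: str
    os: str
    base_epg: str            # EPG from port-group / VLAN classification


@dataclass(frozen=True)
class USegEPG:
    """A uSeg / IP-EPG. All set criteria must match (assumed 'match all' semantics)."""
    name: str
    class_id: int
    precedence: int = 0              # assumed tie-break between overlapping uSeg EPGs
    has_contracts: bool = True       # False: quarantine, nothing inter-EPG is reachable
    ip_prefixes: Tuple[str, ...] = ()
    os_equals: Optional[str] = None
    name_contains: Optional[str] = None
    mac_equals: Optional[str] = None

    def match_score(self, ep: Endpoint) -> Optional[Tuple[int, int]]:
        """(precedence, longest matching prefix length) if ep matches, else None."""
        if not (self.ip_prefixes or self.os_equals or self.name_contains or self.mac_equals):
            return None                       # an empty criterion set must not catch everything
        prefix_len = -1
        if self.ip_prefixes:
            addr = ip_address(ep.ip)
            lens = [ip_network(p).prefixlen for p in self.ip_prefixes if addr in ip_network(p)]
            if not lens:
                return None
            prefix_len = max(lens)            # longest-prefix match, as the hardware does
        if self.os_equals is not None and ep.os != self.os_equals:
            return None
        if self.name_contains is not None and self.name_contains not in ep.name:
            return None
        if self.mac_equals is not None and ep.mac.lower() != self.mac_equals.lower():
            return None
        return (self.precedence, prefix_len)


def classify(ep: Endpoint, useg_epgs: List[USegEPG],
             base_class_ids: Dict[str, int]) -> Tuple[str, int, bool]:
    """Return (epg_name, class_id, quarantined). Highest precedence wins, then the
    longest prefix; with no uSeg match the endpoint keeps its base EPG."""
    best: Optional[Tuple[Tuple[int, int], USegEPG]] = None
    for epg in useg_epgs:
        score = epg.match_score(ep)
        if score is not None and (best is None or score > best[0]):
            best = (score, epg)
    if best is None:
        return ep.base_epg, base_class_ids[ep.base_epg], False
    return best[1].name, best[1].class_id, not best[1].has_contracts


def classify_demo() -> Dict[str, Tuple[str, int, bool]]:
    # Constructed policy: a Windows quarantine EPG outranks the department EPGs; two IP-EPGs
    # for a storage VLAN overlap on purpose so the /32 beats the /24.
    useg = [
        USegEPG("Win-Quarantine", 16390, precedence=10, has_contracts=False, os_equals="Windows"),
        USegEPG("HR-Web", 16386, precedence=5, name_contains="HR"),
        USegEPG("Sales-Web", 16387, precedence=5, name_contains="Sales"),
        USegEPG("Filer-A", 16388, precedence=1, ip_prefixes=("10.10.0.0/24",)),
        USegEPG("Filer-A-mgmt", 16389, precedence=1, ip_prefixes=("10.10.0.5/32",)),
    ]
    base = {"WEB": 32770, "APP": 32771, "STORAGE": 32772}
    inventory = [
        Endpoint("HR-Web01", "10.1.1.11", "00:50:56:aa:00:01", "Linux", "WEB"),
        Endpoint("Sales-Web01", "10.1.1.12", "00:50:56:aa:00:02", "Linux", "WEB"),
        Endpoint("Web03", "10.1.1.13", "00:50:56:aa:00:03", "Windows", "WEB"),
        Endpoint("HR-Web02", "10.1.1.14", "00:50:56:aa:00:04", "Windows", "WEB"),
        Endpoint("NAS-A-mgmt", "10.10.0.5", "00:a0:98:00:00:05", "ONTAP", "STORAGE"),
        Endpoint("NAS-A-data", "10.10.0.7", "00:a0:98:00:00:05", "ONTAP", "STORAGE"),
        Endpoint("App01", "10.1.2.5", "00:50:56:aa:00:06", "Linux", "APP"),
    ]
    return {ep.name: classify(ep, useg, base) for ep in inventory}


if __name__ == "__main__":
    for name, (epg, cid, quarantined) in classify_demo().items():
        print(f"{name:12s} -> {epg:15s} class-id {cid} {'QUARANTINED' if quarantined else ''}")
```

Note the two storage endpoints: they share VLAN, MAC and port, exactly the use case on slide 66, and only the IP-EPG's longest-prefix match tells them apart. HR-Web02 shows why an explicit precedence matters: it satisfies both the HR department EPG and the Windows quarantine EPG, and the quarantine must win for the isolation on slide 69 to hold.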
71 Create useg EPG
72 L4-L7 Service Automation Support for all Devices Any Device and Cluster Manager Support L4-7 Service Automation L4-7 Services ACI Services Graph Available Now Futures L4- L7 Device Package No Device Package Service Cluster Manager Full L4-L7 Centralized Service Automation (With Device Package) Large Ecosystem and Investment Protection Centralized Network Automation (With NO Device Package) New support for L4-L7 Cluster Managers
73 Network Only Stitching Mode. Insert a node between the consumer EPG and the provider EPG. Managed mode and un-managed mode can be combined into a single service graph.
74 2.1.1x/12.1.1x: PBR Support for Service Graph. Routed mode with policy-based routing: a policy redirect sends EPG A to EPG C traffic through the firewall (external and internal interfaces), while EPG A to EPG B traffic is forwarded directly, all within a single VRF.
75 Cisco ACI + OpFlex Security: OpenStack APIC ML2 Driver. The OpenStack controller runs the APIC ML2 driver; each hypervisor runs Open vSwitch with V(X)LAN encapsulation and an OpFlex agent that talks to the OpFlex proxy. Offers (available 1.2.1x/11.2.1x): security policy enforcement in OVS using iptables by OpenStack (outside of APIC), i.e. security group enforcement in OVS via iptables; L2/L3 forwarding in the fabric; floating IP / NAT support; APIC GUI integration and a VMM domain for OpenStack; statistics; service redirection. ML2 driver mapping of Neutron objects to APIC objects: Project -> Tenant; Network -> EPG + BD; Subnet -> Subnet; Security Group + Rule -> iptables (outside of APIC, by OpenStack); Router -> Contract; Network:external -> L3Out / Outside EPG.
76 APIC GBP Driver Security Implementation: OVS via OpFlex and ACI Fabric Group Based Policy. The OpenStack controller runs the GBP APIC driver; hypervisors run Open vSwitch with an OpFlex agent and OpFlex proxy. Offers (available 1.2.1x/11.2.1x): fabric traffic security enforcement using ACI whitelist policy; for local traffic in the hypervisor, security group enforcement in OVS using OpenFlow, so security policy is enforced in OVS via OpenFlow actions and in the ACI fabric via whitelist policy simultaneously; floating IP / NAT support; APIC GUI integration and a VMM domain for OpenStack; statistics; service redirection. Example GBP CLI from the slide (classifier name elided on the slide):
gbp policy-classifier-create
gbp policy-rule-create blah --actions allow
77 ASA Multiple-Context in Service Graphs (shipping). Register the ASA1 active contexts with the APIC via their management IPs (MGMT IP0-IP3 pre-configured for the admin context and contexts A, B and C). The admin context registers to the APIC, which applies the HA configuration to allow a sync of the full configuration, so ASA2 (standby) can take over the MAC/IP on active failure; a failover (FO) link joins the pair. Define a port-channel as a single logical interface connecting to multiple leafs (vPC2/vPC3 on Leaf1 and Leaf2). The APIC creates sub-interfaces based on a dynamically allocated VLAN from a pool and, in the system context, assigns the port-channel sub-interfaces to the appropriate user context; IPs, interface names and ACL names can now overlap between contexts. The APIC programs interfaces for a user context via CLI (system context first, then the user context; the IP address was not captured in the transcription):
interface Port-channel2.500
 vlan 500
context A
 allocate-interface Port-channel2.500
changeto context A
interface Port-channel2.500
 nameif consumer_internalA
 ip address
 security-level 100
78 Device Manager Package. A Device Manager Package is used to configure the controller of the service device (e.g. FireSIGHT) instead of configuring the service device itself; the 1.2.2x/11.2.2x release is the target for the FirePOWER appliance. The FirePOWER Device Manager Package carries the FireSIGHT credentials, internal/external interfaces and a virtual inline pair (more parameters are possible). Architecture: the Cisco APIC policy element holds the device model (e.g. FireSIGHT) and the cluster's service instances; the Cisco APIC script interface runs device-specific Python scripts in the APIC node's script engine, which drive the device manager over its REST/CLI interface to configure the service instances. Service automation requires a vendor device package: a zip file containing the device specification (XML file) and device scripts (Python).
79 Operational Model with Device Manager 2. Create Application Networking and assign NGFW Service E.g. FireSIGHT 1. Create Security Policy for Application Panorama Network Admin 4. Assign security policy to firewall Security Admin 3. Network Configuration Hostname IP Address VLAN Security Zone 5. Security Configuration Security Policies Profiles Address Objects Insert firewall services between two EPGs All firewall security features can be applied
80 Chassis Device Package Virtual Service Instances In order to manage virtual services running on a single device the device package framework has been extended to define a chassis (1.2.1x/11.2.1x release) A chassis defines the device that contains the virtual service instances Specific attributes are associated with the chassis (VLAN id s on ports) and others with the service instance Cisco APIC Policy Element Device Model Cisco APIC Script Interface Device-Specific Python Scripts Device Interface: REST/CLI Service automation requires a vendor device package. It is a zip file containing Device specification (XML file) Device scripts (Python) Script Engine Script Engine APIC Node Virtual Service Instances Cluster Service Instances Chassis
81 The Attack Continuum Consistent Protection for ANY Workload 24x7 Detect Deep Traffic inspection Visibility Centralized Policy Orchestration and Distributed Sensors Secure Multi-Tenancy with Whitelisting Per-Application Micro Segmentation Discover Enforce Harden Continuous Solution Block Defend Threat-Centric Protection Real-Time Threat Intelligence Threat Centric Scope Forensic Analysis Compliance Contain Dynamic Workload Quarantine Remediate Remediation and Return to Production 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 86
82 Firepower Services for ACI Intelligent Threat Defense Intelligent Remediation Contracts Service Graph Basic configuration and health FireSIGHT Management Center Alerts Network Visibility Policy Management Analytics Remediation Policy and events Application Policy Infrastructure Controller (APIC) ACI Fabric EPG Web NGIPS/NGFW Advanced Malware Protection EPG Internet
83 Security Feedback Loop ESXi FirePOWER Appliance SPAN Traffic N9K Leaf Switch UNT PUBLIC Attack FW FireSIGHT Management Center NGIPS Trusted No Graph Relaxed REST calls to APIC NB API CORP Move IP to Quarantine APIC QUA FW Strict REM ACI Fabric
84 Cisco Security in ACI: Integration Models
Netflow and syslogs from the fabric: visibility and real-time alerts.
ASA device package (ASA with the Firepower Services embedded module): fully managed ASA device; threat policy configuration and access policy configuration through APIC; data plane to the ACI fabric.
Firepower device manager package: partially managed Firepower device; service graph segmentation and data plane to the ACI fabric, with the security policy kept in the device manager.
85 ASA and Firepower Advantages for Cisco ACI
Stateful capacity scaling: Cisco ACI only performs stateless load-balancing; a firewall cluster scales with state, HA, elasticity and embedded threat protection.
Universal attachment: link aggregation with LACP; VLAN insertion into Cisco ACI; full interoperability with fabric leaf nodes.
Policy contract consistency across platforms and protocols: maintain similar high performance for all clients, applications and protocols; ease of future expansion.
Portable architecture: same feature set in both physical and virtual form factors; consistent performance across platforms.
Balance security and performance: identify and block malicious traffic; remediate infected endpoints; allow monitor-only and reduced inline inspection where most applications are known, to optimize resource use while providing the necessary visibility.
86 Cisco ACI and Cisco Advanced Security: Better Together, Protection Across the Entire Continuum
Native ACI security (APIC, virtual and physical endpoints): centralized policy automation; secure multi-tenancy with whitelisting; context-aware segmentation; group policy; industry compliance standards (PCI).
Cisco Advanced Security (ASA / FirePOWER / AMP) with full APIC integration: the world's most deployed NGFW; highest rated NGIPS*; highest rated breach detection**; real-time threat intelligence; NGIPS/NGFW virtual and physical; Advanced Malware Protection.
Together they address the data center challenges: threat-centric, visibility, compliance.
87 ACI Provides a Secure Path to Authenticate Endpoints
Endpoints (ESXi, Hyper-V and bare-metal servers) start in a Base EPG for pre-authenticated endpoints and are moved into an IP-EPG (Bank-x IP-EPG) for authenticated endpoints:
1. ACI isolates all endpoints in the Base EPG; the fabric implements whitelist policy, and the Base EPG only provides uni-directional access to the JPMC authentication server.
2. If endpoint authentication fails, the endpoint remains in the Base EPG. If it passes, the JPMC authentication server makes a REST API call to the APIC providing the endpoint's attributes and its target EPG membership.
3. The REST API call to the APIC provides the endpoint IP attribute for JPMC IP-EPG membership.
4. ACI moves the authenticated endpoint out of the Base EPG and installs it into the JPMC IP-EPG.
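The REST calls in the feedback-loop slide (83, moving an attacker into the quarantine EPG) and in the authentication slide above (moving an authenticated endpoint into the IP-EPG) are the same APIC operation: adding the endpoint's IP as an fvIpAttr under an attribute-based EPG. The following is an added example, not code from the presentation or from Cisco. The /api/aaaLogin.json and /api/mo/<dn>.json endpoints and the fvAEPg, fvCrtrn and fvIpAttr classes are the APIC object model; the APIC hostname, tenant (Bank), application profile (App1), EPG (QUA), service account and endpoint IP are placeholders. The HTTP transport is injectable, so the flow can be exercised offline against a recording stub.

```python
"""Move an endpoint IP into an attribute-based (uSeg / IP-EPG) EPG via APIC REST.

Added example; not code from the presentation or from Cisco. Endpoint paths and
object classes are the APIC object model; all names and addresses are placeholders.
"""
import ipaddress
import json
import ssl
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport takes (url, json_body, cookies) and returns the parsed JSON reply.
Transport = Callable[[str, dict, Dict[str, str]], dict]


def login_payload(user: str, password: str) -> dict:
    """Body for POST /api/aaaLogin.json."""
    return {"aaaUser": {"attributes": {"name": user, "pwd": password}}}


def epg_dn(tenant: str, app_profile: str, epg: str) -> str:
    """Distinguished name of an EPG: uni/tn-<tenant>/ap-<ap>/epg-<epg>."""
    return f"uni/tn-{tenant}/ap-{app_profile}/epg-{epg}"


def ip_attr_payload(epg: str, ip: str, delete: bool = False) -> dict:
    """fvAEPg body that adds (or, with delete=True, removes) an fvIpAttr under the
    EPG's matching criterion. The fabric then classifies that IP into this EPG."""
    ipaddress.ip_address(ip)  # raises ValueError for prefixes or garbage
    attrs = {"name": f"ip-{ip}", "ip": ip}
    if delete:
        attrs["status"] = "deleted"  # APIC deletes the child object named here
    return {
        "fvAEPg": {
            "attributes": {"name": epg, "isAttrBasedEPg": "yes"},
            "children": [{
                "fvCrtrn": {
                    "attributes": {"name": "default"},
                    "children": [{"fvIpAttr": {"attributes": attrs}}],
                }
            }],
        }
    }


class ApicClient:
    def __init__(self, base_url: str, transport: Transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.cookies: Dict[str, str] = {}

    def login(self, user: str, password: str) -> str:
        reply = self.transport(f"{self.base_url}/api/aaaLogin.json",
                               login_payload(user, password), {})
        token = reply["imdata"][0]["aaaLogin"]["attributes"]["token"]
        self.cookies = {"APIC-cookie": token}  # APIC reads the token from this cookie
        return token

    def set_ip_membership(self, tenant: str, app_profile: str, epg: str,
                          ip: str, delete: bool = False) -> dict:
        url = f"{self.base_url}/api/mo/{epg_dn(tenant, app_profile, epg)}.json"
        return self.transport(url, ip_attr_payload(epg, ip, delete), self.cookies)


def urllib_transport(verify_tls: bool = True) -> Transport:
    """Real HTTPS transport using only the standard library. verify_tls=False is
    only acceptable for lab APICs with self-signed certificates."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def post(url: str, body: dict, cookies: Dict[str, str]) -> dict:
        headers = {"Content-Type": "application/json"}
        if cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    return post


class RecordingApic:
    """Constructed stand-in for an APIC: records every POST and answers the login
    with a fake token so the flow can be exercised offline."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, dict, Dict[str, str]]] = []

    def __call__(self, url: str, body: dict, cookies: Dict[str, str]) -> dict:
        self.calls.append((url, body, dict(cookies)))
        if url.endswith("/api/aaaLogin.json"):
            return {"imdata": [{"aaaLogin": {"attributes": {"token": "fake-token"}}}]}
        return {"totalCount": "0", "imdata": []}


def quarantine_flow(attacker_ip: str, transport: Optional[Transport] = None
                    ) -> List[Tuple[str, dict, Dict[str, str]]]:
    """The remediation step from slide 83: log in, then add the attacker's IP to
    the QUA EPG. With no transport given, it runs against the recording stub."""
    stub = RecordingApic()
    client = ApicClient("https://apic.example.net", transport or stub)
    client.login("remediation-svc", "placeholder-password")
    client.set_ip_membership("Bank", "App1", "QUA", attacker_ip)
    return stub.calls


if __name__ == "__main__":
    for url, body, cookies in quarantine_flow("10.1.20.15"):
        print(url, json.dumps(body)[:80], cookies)
```

Two points a practitioner should insist on before wiring this into a remediation module: the account the module logs in with should carry a restricted APIC role scoped by security domain to the tenant that holds the quarantine EPG, so a compromised management center can only move endpoints into quarantine and cannot rewrite contracts or other tenants; and TLS verification should stay on outside the lab, since the login returns a bearer token that anyone on the path could replay.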
88 Dot1x Endpoint Authentication Solution (just added to the roadmap)
With 802.1X on the ACI leaf, an endpoint (ESXi, Hyper-V or bare-metal server) whose dot1x authentication fails is kept out of the Bank EPG; an endpoint whose authentication passes is placed into the Bank EPG.
89 Extending ACI Fabric Outside DC
90 1.2.1x/11.2.1x ASA Device Package Enhancement: ACI and TrustSec Leveraging ASA + SXP
1. Corporate users on a traditional Nexus 7000, placed in the Corp EPG, get SGT values (Marketing, Engineering) assigned by ISE.
2. The ASA learns the IP-to-SGT mappings out of band through SXP.
3. Coarse filtering in the fabric: the APIC policy contract allows all traffic from the corporate network to the database and redirects it to the ASA (Corp to DB: allow, redirect to ASA; all other: drop).
4. Fine filtering on the ASA, based on SGT: only Engineering is permitted to reach the database from the corporate network.
   Source: Engineering [SGT 333], Destination: Any, Action: Allow
   Source: Any, Destination: Any, Action: Deny
91 ACI + TrustSec Policy Plane Integration
Controller layer: the ISE policy domain and the APIC policy domain (1) exchange SG/EPG names and (2) exchange IP-to-SG/EPG bindings. ISE holds the user IP-to-SGT bindings, APIC the server IP-to-EPG bindings, and SXP carries the bindings between them.
Network layer: users are classified in the campus (campus enforcement); the SGT travels as CMD/SGT and is propagated with SXPv4 across the enterprise core, but is not propagated in the data plane past the ACI border leaf. Inside the fabric, servers are classified into EPGs and the classification is carried in iVXLAN (DC enforcement).
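As an added example (not configuration from the presentation or from Cisco) of the two-stage enforcement that slides 90 and 91 describe, the following models a flow decision with constructed bindings: a longest-prefix lookup over SXP-style IP-to-SGT bindings stands in for what the ASA learns over SXP, a dictionary stands in for the APIC's IP-to-EPG bindings, and the contract and SGT rule table are the ones on slide 90. SGT 333 (Engineering) is from the slide; every other tag, name, prefix and address is a placeholder. It also shows a point the slides leave implicit: a more specific SXP binding wins over a broader one, so a /24 carved out of the Engineering range changes the ASA's verdict even though the fabric contract, which only sees EPGs, is unchanged.

```python
"""Two-stage enforcement: ACI contract by EPG, then ASA rule by SGT learned over SXP.

Added example with constructed bindings; not configuration from the presentation.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed SXP-style bindings (prefix -> SGT). 333 = Engineering is from the
# slide; the other tags and all prefixes are placeholders.
SXP_BINDINGS: List[Tuple[str, int]] = [
    ("10.10.0.0/16", 333),   # Engineering
    ("10.20.0.0/16", 444),   # Marketing
    ("10.10.5.0/24", 555),   # contractors seated inside the Engineering range
]
SGT_NAMES = {333: "Engineering", 444: "Marketing", 555: "Contractors"}

# Constructed server IP -> EPG bindings, as exchanged from the APIC policy domain.
EPG_BINDINGS: Dict[str, str] = {"10.50.1.10": "DB", "10.50.1.11": "DB"}
CORP_RANGE = ipaddress.ip_network("10.0.0.0/8")  # what lands in Corp EPG (placeholder)

# Slide 90: Corp -> DB is allowed and redirected to the ASA; everything else drops.
CONTRACTS: Dict[Tuple[Optional[str], Optional[str]], str] = {("Corp", "DB"): "redirect-asa"}

# Slide 90 ASA rule table: Engineering [SGT 333] -> any allow; any -> any deny.
ASA_SGT_ACL: List[Tuple[Optional[int], str]] = [(333, "allow"), (None, "deny")]


def lookup_sgt(ip: str, bindings: List[Tuple[str, int]] = SXP_BINDINGS) -> Optional[int]:
    """Longest-prefix match over the bindings, the way an SXP listener resolves
    overlapping entries."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, int]] = None
    for prefix, tag in bindings:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, tag)
    return None if best is None else best[1]


def classify_epg(ip: str) -> Optional[str]:
    """Fabric classification: a bound server IP maps to its EPG, anything else
    from the corporate range lands in Corp; unknown sources get no EPG."""
    if ip in EPG_BINDINGS:
        return EPG_BINDINGS[ip]
    return "Corp" if ipaddress.ip_address(ip) in CORP_RANGE else None


def asa_verdict(sgt: Optional[int]) -> str:
    """First matching SGT rule wins; None in a rule means 'any'."""
    for rule_sgt, action in ASA_SGT_ACL:
        if rule_sgt is None or rule_sgt == sgt:
            return action
    return "deny"


def evaluate(src_ip: str, dst_ip: str) -> Tuple[str, str, str]:
    """Return (stage, verdict, reason) for a flow: stage is 'fabric' when the
    contract decided alone, 'asa' when the contract redirected to the ASA."""
    src_epg, dst_epg = classify_epg(src_ip), classify_epg(dst_ip)
    action = CONTRACTS.get((src_epg, dst_epg))
    if action is None:
        return ("fabric", "drop", f"no contract {src_epg}->{dst_epg}")
    sgt = lookup_sgt(src_ip)
    who = SGT_NAMES.get(sgt, "unknown") if sgt is not None else "no binding"
    return ("asa", asa_verdict(sgt), f"SGT {sgt} ({who}) on contract {src_epg}->{dst_epg}")


if __name__ == "__main__":
    for src in ("10.10.1.5", "10.20.1.5", "10.10.5.7", "10.50.1.10", "192.0.2.9"):
        print(src, "-> 10.50.1.10:", evaluate(src, "10.50.1.10"))
```

The stage returned matters operationally: a drop at the fabric never reaches the ASA, so it shows up in APIC logs and not in the firewall's, while a deny at the ASA means the contract did its job and the SGT binding is what to check.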
92 Add a New Host IP/SGT in ISE
A new IP address is entered in ISE and assigned the BYOD SGT (the binding could also be learned over SXP).
93 BYOD EPG Now Contains Our New Host
The host appears in the BYOD EPG on the APIC and is available for use in ACI policies.
94 ACI + TrustSec Phase 2 (release 2.1.1x/12.1.1x): Dataplane Integration with a TrustSec Switch/Router (e.g. ASR 1000)
The ASR implements both ACI and TrustSec policy and data-plane integration:
1. The ASR maps the SGT to an EPG.
2. The ASR instantiates the EPG and adds the iVXLAN data plane.
3. It sends the packet into the ACI fabric for contract enforcement.
95 Conclusion: ACI = Advanced Security
96 ACI Addresses the Security Challenge in the DC
Strategic security imperatives addressed by ACI: security expressed in application constructs and language; simplified policy-based multi-tenancy and micro-segmentation; network services automation with an open eco-system; visibility, analytics, forensics and threat mitigation; automated compliance with centralized auditing and logging; centralized security across physical and virtual endpoints, network, virtual and cloud.
97 Cisco ACI Takeaways
Cisco Application Centric Infrastructure, physical and virtual, for fixed and variable workloads:
Speed: network and services delivered in minutes.
Security: inherent security and integration.
Telemetry: rich telemetry and application health score.
Policy: policy-based deployment and governance; physical and virtual; open and agnostic.
98 Cisco Data Center Security: Policy Driven Security Architecture
Network analytics: multi-tier sensor data gathering (hardware and software) through embedded sensors.
Embedded L4 security: a firewall at each leaf switch.
Next-generation stateful L4-7 visibility and control: L4-7 security services (physical or virtual, location independent) inserted between tiers, e.g. Branch to Web1 with QoS and filter, Web1 to App1 through a service, App1 to DB with QoS and filter.
Identity and policy federation across servers (physical, virtual, containers, micro-services).
99 Differentiation for Nexus/ACI Solutions: Contiv
ACI: automated networking, policies, prioritization and network uniformity for the various workloads (Web, App, DB).
Native apps (App1, App2): better visibility, diagnostics and analytics; interoperable and standards based.
Network SLAs for applications: app to app, with physical infrastructure integration.
100 Contiv Provides Policy-Rich Container Networking, Integrating with Cisco Nexus and ACI
Contiv.io is an open-source project that creates a policy framework across the different domains of containers: application composition plus policy intent in a Contiv master, with plugin agents for Docker, Kubernetes and Mesos on each node (Node 1 to Node n).
Network policies: policies for application security, prioritization and network resource allocation.
Network services for apps (virtual or physical service appliances), analytics and diagnostics.
Integrates with Cisco ACI, Nexus and UCS solutions. Status: beta.
101 Hypervisors, Isolation, Segmentation: Unikernels
Unikernels, also known as virtual library operating systems. The slide shows the Microsoft Drawbridge architecture (image credit: Microsoft Research).
102 Why ACI is Best for Micro-Segmentation
Micro-segmentation works for all workloads (bare metal, virtual, containers, management, backup).
Same policy model for vSphere, Hyper-V, OpenStack, containers and bare metal. With ACI 1.2, support for up to 10 vCenter servers (5.1, 5.5 and 6.0) and up to 10,000 servers.
Works with standard virtual switch offerings, including VMware VDS, OVS and the Microsoft vSwitch (AVS is optional for vSphere).
Stateful firewall when using Cisco AVS on vSphere, at no extra cost and with better performance in the VMware environment.
103 Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations: directly from your mobile device on the Cisco Live Mobile App, by visiting the Cisco Live Mobile Site, or at any Cisco Live Internet Station located throughout the venue. T-Shirts can be collected Friday 11 March at Registration.
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations.
104 Thank you
Introducing VMware Validated Designs for Software-Defined Data Center VMware Validated Design for Software-Defined Data Center 4.0 This document supports the version of each product listed and supports
More informationHuawei CloudFabric and VMware Collaboration Innovation Solution in Data Centers
Huawei CloudFabric and ware Collaboration Innovation Solution in Data Centers ware Data Center and Cloud Computing Solution Components Extend virtual computing to all applications Transform storage networks
More informationCisco Tetration Analytics
Cisco Tetration Analytics Enhanced security and operations with real time analytics John Joo Tetration Business Unit Cisco Systems Security Challenges in Modern Data Centers Securing applications has become
More informationPractical Applications of Cisco ACI Micro Segmentation
BRKACI-2301 Practical Applications of Cisco ACI Micro Segmentation @JuanLage, Principal Engineer INSBU Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find
More informationCisco ACI Simulator Release Notes, Release 2.2(3)
Cisco ACI Simulator Release Notes, Release 2.2(3) This document provides the compatibility information, usage guidelines, and the scale values that were validated in testing this Cisco ACI Simulator release.
More informationVerified Scalability Guide for Cisco APIC, Release 3.0(1k) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.0(1k)
Verified Scalability Guide for Cisco APIC, Release 3.0(1k) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.0(1k) Overview 2 General Scalability Limits 2 Fabric Topology, SPAN, Tenants, Contexts
More informationPasiruoškite ateičiai: modernus duomenų centras. Laurynas Dovydaitis Microsoft Azure MVP
Pasiruoškite ateičiai: modernus duomenų centras Laurynas Dovydaitis Microsoft Azure MVP 2016-05-17 Tension drives change The datacenter today Traditional datacenter Tight coupling between infrastructure
More informationReal World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601
Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601 Icons and Terms APIC Application Policy Infrastructure Controller (APIC) Cisco Nexus 9500 Cisco Nexus 9300 Nexus
More information