Practical Applications of Cisco ACI Micro Segmentation


2 BRKACI-2301 Practical Applications of Cisco ACI Micro Segmentation. Principal Engineer, INSBU

3 Cisco Spark. Questions? Use Cisco Spark to communicate with the speaker after the session:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brkaci
Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Session Objectives
- Explain the ACI features that enable micro segmentation
- Give you ideas on how to use these features
- Show these features working in simple yet practical examples

5 Agenda
- ACI Fundamentals Review
- Micro Segmentation Fundamentals
- ACI Group Based Policy Model
- Deep dive into Micro EPG options
- Demo #1: Applying IP-based uEPGs to segment bare metal and VMs
- Demo #2: Using uSeg for automated application deployment

6 Application Centric Infrastructure
- Single point of management with full FCAPS
- Network virtualization: distributed L2/L3 across the fabric and across different sites; seamless networking for physical, storage, VMs and containers
- Integrated security: distributed programmable policy, micro segmentation, L4-7 service chaining
- Virtualization support: VMware vCenter, Microsoft SCVMM, Red Hat Virtualization; virtual switch; external L2/L3
- Ecosystem: Cisco ACI App Center, 65+ ecosystem partners
- Cloud management integration: OpenStack, Kubernetes

7 Cisco ACI: Industry Leader. 4, ACI Customers; % ACI Attach Rate; 65+ Ecosystem Partners

8 ACI Anywhere: any workload, any location, any cloud
- Remote PoD, Multi-Pod / Multi-Site and hybrid cloud extension over the IP WAN (remote location, on premise, public cloud)
- Security everywhere, analytics everywhere, policy everywhere

9 Agenda
- ACI Fundamentals Review
- Micro Segmentation Fundamentals
- ACI Group Based Policy Model
- Deep dive into Micro EPG options
- Demo #1: Applying IP-based uEPGs to segment bare metal and VMs
- Demo #2: Using uSeg for automated application deployment

10 What do we mean by Micro Segmentation?

11-13 What is Micro Segmentation?
- Segmentation: a segment is a broadcast domain / VLAN / subnet (diagram: Segments 1 to 4).
- Micro segmentation: a micro segment is an endpoint or a group of endpoints (diagram: Micro Segments 1 to 4 carved out inside the existing segments).

14 Why Micro Segmentation?
- Perimeter security is not enough: once it is breached, lateral movement lets attackers compromise more assets
- Improve the security posture inside the data center
- Minimize segment size and provide the smallest exposure to lateral movement

15-21 Micro segmenting in a heterogeneous data center
Many different types of workloads run in a data center, and campus and branch users connect to them: virtualized with VMware, virtualized with Microsoft, virtualized with KVM, bare metal / big data, and shared infrastructure.

22-24 Micro segmenting requires granularly grouping endpoints, and defining and enforcing policy between them (diagram: policy enforcement between groups such as Contractor and Sales). For the user/campus side of this picture, look at SDA.

25 Key Functions to Achieve Better Segmentation
Endpoint identity: how to classify endpoints into groups
- Network identity (IP/MAC/VLAN)
- Metadata: VM attributes, labels, tags, etc.
- DNS
- User authentication (i.e. from ISE)
Policy definition: determine what policy to configure between and within groups
- Application dependency mapping
- White-list vs. black-list
- Policy simulation
- Dynamic vs. pre-defined
Verify, refine: verify policy enforcement, lifecycle management
- Policy visibility
- Logging and log analysis
- Alerts, remediation
- Constant updates

26 Where should we enforce policy?
Host-based enforcement: centrally manage host-based firewalls.
- Pros: distributed; network independent; can use extremely granular policies; process-level visibility and correlation
- Cons: guest-OS dependent
Network-based enforcement: centrally manage rules at the network edge (vswitch, pswitch or both).
- Pros: distributed; guest-OS independent; best scale with group-based policy; network-level visibility and correlation
- Cons: requires network resources (memory, TCAM, etc.) for policy

27 ACI implements distributed network policies
- Contracts allow definition of Layer 2 to Layer 4 security policies.
- Distributed security policies are implemented at different enforcement points: the leaf (hardware based, no performance penalty), the vswitch (i.e. OVS, AVE, FD.io/VPP), a vswitch with OpFlex, and external L2/L3.

28 Operations and Security: Cisco Tetration provides the best network analytics and host-based distributed security
- Operations: visibility and forensics, application insight, policy simulation, neighborhood graphs
- Security: policy, application segmentation, process inventory, compliance

29 It is possible to combine both host-based and network-based enforcement for tiered security and for operational reasons (SecOps vs. NetOps vs. DevOps).

30 APIC enforces policy across dissimilar data planes
APIC is the policy and visibility point, with northbound APIs above it and application traffic below. Data planes shown: N9K leaf (bare metal, VMware VDS), AVE and any vswitch via OpFlex, KVM with OVS and k8s with OVS, managed through VMware vCenter and Microsoft SCVMM. The slide marks the part of this picture that is the focus of this session and points to BRKACI-3456 and BRKACI-2505 for the rest.

31 Agenda
- ACI Fundamentals Review
- Micro Segmentation Fundamentals
- ACI Group Based Policy Model
- Deep dive into Micro EPG options
- Demo #1: Applying IP-based uEPGs to segment bare metal and VMs
- Demo #2: Using uSeg for automated application deployment

32 Identifying and classifying endpoints into groups in ACI

33 An Endpoint Group (EPG) is a set of devices that share the same policy requirements.

34 Every EPG belongs to a VRF and an Application Profile.

35 Application Profile: a group of EPGs related to each other to represent an application. Health scores, statistics, logs and audit data are automatically correlated and rolled up at the Application Profile level. It holds the EPG and uEPG definitions, domain associations, contract relations and L4-7 configuration.

36 By default, endpoints inside an EPG can communicate freely.

37 By default, endpoints in different EPGs cannot communicate at all.

38 Defaults can be changed...

39 Policy enforcement can be enabled or disabled at VRF level
- Policy Enforced: no communication without contracts
- Policy Unenforced: all communication allowed
(diagram: VRF MyVRF with EPG-A, EPG-B, EPG-C and an External EPG on an L3Out, shown in each mode)

40 Another option is to use Preferred Groups inside a VRF.

41-42 Preferred Group operating principle
- Inside the Preferred Group there is unrestricted communication (diagram: EPG-A, EPG-B, EPG-C, EPG-D and the External EPG of the L3Out are inside the Preferred Group of VRF MyVRF).
- Excluded EPGs can NOT communicate without contracts (EPG-1, EPG-2 and EPG-3 use Contract-1 and Contract-2 among themselves).
- Contracts are also required for an excluded EPG to reach an EPG inside the Preferred Group (Contract-3).

43 Preferred Group configuration: enable at VRF level, then select at EPG level. First, enable the Preferred Group feature for the VRF in the vzAny configuration; then configure it for each EPG.

44 Restrict all traffic inside a group: Intra-EPG Isolation
- Intra-EPG Isolation blocks communication between all endpoints inside the group
- Supports mixing physical and virtual endpoints in the same EPG (diagram: EPG Video-Server with Intra-EPG Isolation)
- Software dependency: 1.3(1g) or higher
- Hardware dependency: supported on all hardware models

45 Restrict all traffic inside a group: Intra-EPG Isolation
- Supported on PhysDoms and VMware VMM domains (AVS, AVE, DVS) (*). Since ACI 3.0 the Microsoft VMM domain also supports Intra-EPG Isolation.
- Can be configured on EPG and uEPG (**). For uEPGs it's supported with EX and FX leafs.
- We utilize PVLAN integration for VMware DVS and MSFT VMM domains.
- We use Proxy-ARP, which is required to reach other EPGs in the same subnet.
(*) On AVS and AVE it requires VXLAN mode
(**) Intra-EPG Isolation is not yet supported with uEPGs on AVS/AVE

46-51 EPGs can have relations with contracts. Contracts determine communication using a white-list model.
(diagram: BM and VM endpoints in EPG BLUE and in EPG GREEN, sharing one Bridge Domain /24 with L2/L3)
Contract: Blue-to-Green; Scope: VRF; Subject: AppTraffic; Both Directions: True; Reverse Port Filters: Yes; filters: permit tcp/80, permit tcp/443.
- GREEN provides the contract, so ports tcp/80 and tcp/443 are exposed.
- BLUE consumes the contract, so ports tcp/80 and tcp/443 are NOT exposed.
- Traffic from BLUE from any source port to tcp/80 on GREEN matches the contract; traffic from any source port to tcp/8080 does not match it and, under the white-list model, is dropped.

52 Contracts also allow inserting L4-7 services, like next generation firewalls, ADC, IPS/IDS, etc. You can insert an NGFW or a LB by attaching a Service Graph to the contract subject (same Blue-to-Green contract between EPG BLUE and EPG GREEN as above).

53-56 Restricting traffic inside a group with Intra-EPG Contracts
A new contract relationship type specifies an intra-EPG contract:
<fvRsIntraEpg tnVzBrCPName="allow-icmp"/>
(diagram: EPG AppNetwork with a regular contract "ansible", subject Allow-ssh: TCP/22, ICMP; and an intra-EPG contract "allow-icmp", subject ICMP-traffic: ICMP, log)

57 Restricting communication between endpoints inside a group with Intra-EPG Contracts
- Since ACI 3.0 it is possible to assign contracts to restrict traffic between endpoints of the same EPG
- It can be enabled on both EPG and uEPG
- As of 3.1, it is supported for PhysDoms and VMware VDS VMM domains
- Intra-EPG contracts require using Proxy-ARP. They are only supported with EX/FX switches or newer.

58 Intra-EPG Contract use case: a service vNIC used for management in a clustered app
Example: a clustered web application. The jump host must be able to access all endpoints, and you cannot use Intra-EPG Isolation because the required cluster protocols must be allowed between the VMs inside the dvPortGroup.
(diagram: Web-Tier PortGroup = base EPG, PVLAN 2300/2301; uEPG app1-web containing web-prod-aci-01 and web-prod-aci-02; EPG JumpHost)
- Intra-EPG contract Zookeeper, subject Allow-Zookeeper: TCP/2181, TCP/2888, TCP/3888. Only the Zookeeper ports are allowed between the VMs.
- Contract any-ip, subject Allow-any-ip: any IP, between EPG JumpHost and uEPG app1-web.

59 Taboo Contract
- Taboo contracts are specific to one EPG
- They deny a set of ports on the EPG when the taboo contract is applied
- For instance you can say: EPG-A, do not allow any port 80 traffic
- Taboo filters override regular contract filters

60 vzAny allows configuring contracts for all EPGs in a VRF
- vzAny represents the collection of EPGs that belong to the same VRF, including the L3 external EPG (diagram: Tenant, VRF1 with BD1/EPG1 and BD2/EPG2, EPG3 and EPG4)
- Instead of associating contracts to each individual EPG you can configure a contract on vzAny
- With cross-VRF contracts, vzAny can be a consumer, not a provider

61 Simplifying contract configurations: EPG Contract Inheritance
Simplify policy configuration of EPG contract relations:
- EPG(s) can refer to Master EPG(s) to inherit contract relationships from
- 1 level and 1 direction of contract inheritance (i.e. Master EPG -> Child EPG)
- A child EPG can inherit from multiple parent EPGs
- When new contract relations are added to the higher EPG, those with an inheritance relation automatically get the same contract associations
Caveats:
- EPGs must be under the same Tenant
- Contract Inheritance does NOT reduce the number of contracts or TCAM entries
- Inheritance does NOT apply to vzAny

62 Example: EPG_A has three contract relations. It consumes Contract_DNS and Contract_Internet and provides Contract_SSL.

63 EPG_B is configured to inherit from EPG_A (Master: EPG_A): it consumes Contract_DNS and Contract_Internet and provides Contract_SSL, i.e. it uses the same contracts as EPG_A.

64 Specific contracts can now be added to the child: EPG_B also provides Contract_TomCat, on top of the inherited relations.

65 EPG_C is configured to inherit from EPG_A (Master: EPG_A): EPG_C only gets the contracts from EPG_A (consumes Contract_DNS and Contract_Internet, provides Contract_SSL), not EPG_B's Contract_TomCat.

66 Changes to contract relations on EPG_A are inherited by EPG_B and EPG_C: a new consumed relation, Contract_Ansible, is added only to EPG_A and is automatically inherited by EPG_B and EPG_C.
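The contract behaviour described on the slides above (white-list contracts, consumer/provider exposure, reverse port filters, intra-EPG isolation and intra-EPG contracts, preferred groups, taboo filters, vzAny and contract inheritance) can be checked with a small simulator. This is an added example in Python, not code from the session or from Cisco: the classes, the allowed() function, the udp/53 filter assumed for Contract_DNS and the DNS EPG are this example's own assumptions; the other EPG and contract names follow the slides.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Filter:
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    dport: Optional[int] = None  # None matches any port

    def matches(self, proto: str, port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dport is None or self.dport == port


@dataclass
class Contract:
    name: str
    filters: List[Filter]
    reverse_port_filters: bool = True  # "Reverse Port Filters: Yes" on the slides


@dataclass
class EPG:
    name: str
    provides: Set[str] = field(default_factory=set)    # contracts provided (ports exposed)
    consumes: Set[str] = field(default_factory=set)    # contracts consumed
    intra_epg: Set[str] = field(default_factory=set)   # intra-EPG contracts
    isolation: bool = False                            # intra-EPG isolation
    preferred_group: bool = False                      # member of the VRF preferred group
    masters: Set[str] = field(default_factory=set)     # master EPGs (contract inheritance)
    taboo: List[Filter] = field(default_factory=list)  # taboo filters on this EPG


@dataclass
class VRF:
    epgs: Dict[str, EPG]
    contracts: Dict[str, Contract]
    enforced: bool = True                  # "Policy Unenforced" allows everything
    preferred_group_enabled: bool = False  # switched on at VRF (vzAny) level first
    vzany_consumes: Set[str] = field(default_factory=set)
    vzany_provides: Set[str] = field(default_factory=set)

    def _relations(self, epg: EPG, side: str) -> Set[str]:
        # Own relations, plus the masters' (one level, one direction), plus vzAny's.
        rels = set(getattr(epg, side))
        for master in epg.masters:
            rels |= getattr(self.epgs[master], side)
        return rels | getattr(self, "vzany_" + side)

    def _permits(self, names: Set[str], proto: str, port: Optional[int]) -> bool:
        return any(f.matches(proto, port) for n in names for f in self.contracts[n].filters)

    def allowed(self, src: str, dst: str, proto: str,
                dport: Optional[int] = None, sport: Optional[int] = None) -> bool:
        # Would the fabric forward a packet from EPG src to EPG dst?
        if not self.enforced:
            return True
        s, d = self.epgs[src], self.epgs[dst]
        if any(f.matches(proto, dport) for f in s.taboo + d.taboo):
            return False  # taboo filters override regular contract filters
        if src == dst:
            if s.isolation:
                return False
            if s.intra_epg:  # intra-EPG contracts: a white list inside the group (both ways)
                return self._permits(s.intra_epg, proto, dport) or self._permits(s.intra_epg, proto, sport)
            return True      # default: endpoints inside an EPG talk freely
        if self.preferred_group_enabled and s.preferred_group and d.preferred_group:
            return True
        # Consumer -> provider direction: only the provider's ports are exposed.
        fwd = self._relations(s, "consumes") & self._relations(d, "provides")
        if self._permits(fwd, proto, dport):
            return True
        # Reverse port filters: provider replies, matched on the source port, flow back.
        rev = {n for n in self._relations(s, "provides") & self._relations(d, "consumes")
               if self.contracts[n].reverse_port_filters}
        return self._permits(rev, proto, sport)


def slide_fabric() -> VRF:
    """Constructed VRF with the EPGs and contracts used on the slides."""
    contracts = {
        "Blue-to-Green": Contract("Blue-to-Green", [Filter("tcp", 80), Filter("tcp", 443)]),
        "Zookeeper": Contract("Zookeeper", [Filter("tcp", p) for p in (2181, 2888, 3888)]),
        "any-ip": Contract("any-ip", [Filter("ip")]),
        "Contract_DNS": Contract("Contract_DNS", [Filter("udp", 53)]),  # port is assumed
    }
    epgs = {
        "BLUE": EPG("BLUE", consumes={"Blue-to-Green"}),
        "GREEN": EPG("GREEN", provides={"Blue-to-Green"}),
        "JumpHost": EPG("JumpHost", consumes={"any-ip"}),
        "app1-web": EPG("app1-web", provides={"any-ip"}, intra_epg={"Zookeeper"}),
        "DNS": EPG("DNS", provides={"Contract_DNS"}),  # constructed provider for the test
        "EPG_A": EPG("EPG_A", consumes={"Contract_DNS"}),
        "EPG_B": EPG("EPG_B", masters={"EPG_A"}),      # inherits EPG_A's relations
    }
    return VRF(epgs, contracts)
```

Flipping a single flag on the VRF or an EPG (enforced, isolation, preferred_group, a taboo filter) and re-running allowed() shows which slide feature changed the verdict for a given flow.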

67 Contract Logging: Denied Packets (Logging Deny)
- ACI can log implicit deny hits
- For bare metal, VMware VDS and MSFT domains, logs are generated by the leaf
- For AVS, logs may be generated on the leaf or the vLeaf
- For OpenStack ML2 mode, logs are configured external to the fabric, at the host
- Syslog is exported according to the monitoring policies and the configured external data collectors
- Logs include Tenant/VRF, EPG VLAN encap, ingress interface and offending packet details
- ACL deny is not logged by default: Fabric -> Fabric Policies -> Monitoring Policies -> Common Policy -> Syslog Message Policies -> Policy for system syslog messages -> change the default to info
- Software dependency: supported on all software releases. Hardware dependency: supported on all hardware models.
(diagram: two VMs, contract MySQLAccess, subject DB-Traffic, filters: icmp allow, tcp/3106 allow; the denied packet has Proto: 6, sport 54135, dport 125)
Sample denied-packet syslog:
Feb 04 10:26:54 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E ][transition][info][sys] %ACLLOG-5-ACLLOG_PKTLOG_DENY: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: ), VlanType: FD_VLAN, Vlan-Id: 21, SMac: 0x b43a, DMac:0x0022bdf819ff, SIP: , DIP: , SPort: 54135, DPort: 125, Src Intf: port-channel2, Proto: 6, PktLen: 74

68 Contract Logging: Permitted Packets (Logging Permit)
- Permit logging is configured per filter: the log option is set at the subject on a per-filter basis
- For bare metal, VDS and MSFT domains, logs are generated by the leaf
- For AVS, logs may be generated on the leaf or the vLeaf
- For OpenStack ML2 mode, logs are configured external to the fabric, at the host
- Syslog is exported according to the monitoring policies and the configured external data collectors
- Logs include Tenant/VRF, EPG VLAN encap, ingress interface and packet details
- Software dependency: 2.2(1n) or higher. Hardware dependency: requires EX models or newer.
(diagram: same two VMs and contract MySQLAccess, subject DB-Traffic, filters: icmp allow log, tcp/3106 allow log; the permitted packet is ICMP, Proto: 1, sport 0, dport 0)
Sample permitted-packet syslog:
Feb 04 10:14:44 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E ][transition][info][sys] %ACLLOG-5-ACLLOG_PKTLOG_PERMIT: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: ), VlanType: FD_VLAN, Vlan-Id: 21, SMac: 0x b43a, DMac:0x0022bdf819ff, SIP: , DIP: , SPort: 0, DPort: 0, Src Intf: port-channel2, Proto: 1, PktLen: 98
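As an added example (not from the deck), here is a parser for the ACLLOG syslog format shown on these two slides, run over a constructed sample log, plus a simple detection: a source whose denied packets hit several distinct destination/port pairs within one VRF deserves a look, because that is what probing against a white-list policy looks like in these logs. The sample addresses, source MAC and VXLAN VNID are made up; the field layout matches the slide's messages.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One regex for both PKTLOG_DENY and PKTLOG_PERMIT; the bracketed fields between
# the leaf name and the %ACLLOG mnemonic are skipped.
ACLLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<leaf>\S+) .*?"
    r"%ACLLOG-5-ACLLOG_PKTLOG_(?P<action>DENY|PERMIT): "
    r"CName: (?P<tenant>[^:]+):(?P<vrf>[^(]+)\(VXLAN: ?(?P<vxlan>\d*)\), "
    r"VlanType: (?P<vlantype>\w+), Vlan-Id: (?P<vlan>\d+), "
    r"SMac: ?(?P<smac>[^,]+), DMac: ?(?P<dmac>[^,]+), "
    r"SIP: (?P<sip>[0-9a-fA-F.:]+), DIP: (?P<dip>[0-9a-fA-F.:]+), "
    r"SPort: (?P<sport>\d+), DPort: (?P<dport>\d+), "
    r"Src Intf: (?P<intf>[^,]+), Proto: (?P<proto>\d+), PktLen: (?P<len>\d+)$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class AclLogEvent:
    ts: str
    leaf: str
    action: str  # "DENY" or "PERMIT"
    tenant: str
    vrf: str
    vlan: int
    smac: str
    dmac: str
    sip: str
    dip: str
    sport: int
    dport: int
    intf: str
    proto: int
    pkt_len: int

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))


def parse_acllog(line: str) -> Optional[AclLogEvent]:
    """Return the parsed event, or None for lines that are not ACLLOG messages."""
    m = ACLLOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return AclLogEvent(
        ts=g["ts"], leaf=g["leaf"], action=g["action"],
        tenant=g["tenant"].strip(), vrf=g["vrf"].strip(), vlan=int(g["vlan"]),
        smac=g["smac"].strip(), dmac=g["dmac"].strip(), sip=g["sip"], dip=g["dip"],
        sport=int(g["sport"]), dport=int(g["dport"]), intf=g["intf"].strip(),
        proto=int(g["proto"]), pkt_len=int(g["len"]),
    )


def find_scanners(events: List[AclLogEvent], min_targets: int = 3) -> List[Tuple[str, str, int]]:
    """Sources whose denied packets reached at least min_targets distinct (DIP, DPort)
    pairs inside one VRF. Returns (tenant:vrf, sip, distinct_targets), most targets
    first; permitted packets are ignored."""
    targets: Dict[Tuple[str, str], Set[Tuple[str, int]]] = defaultdict(set)
    for ev in events:
        if ev.action == "DENY":
            targets[(f"{ev.tenant}:{ev.vrf}", ev.sip)].add((ev.dip, ev.dport))
    hits = [(vrf, sip, len(t)) for (vrf, sip), t in targets.items() if len(t) >= min_targets]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


# Constructed sample log: same layout as the slide's messages, with the IPs, the
# source MAC and the VXLAN VNID filled in with made-up values.
SAMPLE_LOG = """\
Feb 04 10:26:54 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E ][transition][info][sys] %ACLLOG-5-ACLLOG_PKTLOG_DENY: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: 2555904), VlanType: FD_VLAN, Vlan-Id: 21, SMac: 0x005056a1b43a, DMac:0x0022bdf819ff, SIP: 192.0.2.10, DIP: 192.0.2.20, SPort: 54135, DPort: 125, Src Intf: port-channel2, Proto: 6, PktLen: 74
Feb 04 10:26:55 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E ][transition][info][sys] %ACLLOG-5-ACLLOG_PKTLOG_DENY: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: 2555904), VlanType: FD_VLAN, Vlan-Id: 21, SMac: 0x005056a1b43a, DMac:0x0022bdf819ff, SIP: 192.0.2.10, DIP: 192.0.2.20, SPort: 54136, DPort: 22, Src Intf: port-channel2, Proto: 6, PktLen: 74
Feb 04 10:26:55 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E ][transition][info][sys] %ACLLOG-5-ACLLOG_PKTLOG_DENY: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: 2555904), VlanType: FD_VLAN, Vlan-Id: 21, SMac: 0x005056a1b43a, DMac:0x0022bdf819ff, SIP: 192.0.2.10, DIP: 192.0.2.20, SPort: 54137, DPort: 3306, Src Intf: port-channel2, Proto: 6, PktLen: 74
Feb 04 10:26:56 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E ][transition][info][sys] %ACLLOG-5-ACLLOG_PKTLOG_DENY: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: 2555904), VlanType: FD_VLAN, Vlan-Id: 21, SMac: 0x005056a1b43a, DMac:0x0022bdf819ff, SIP: 192.0.2.10, DIP: 192.0.2.21, SPort: 54138, DPort: 445, Src Intf: port-channel2, Proto: 6, PktLen: 74
Feb 04 10:27:10 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E ][transition][info][sys] %ACLLOG-5-ACLLOG_PKTLOG_DENY: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: 2555904), VlanType: FD_VLAN, Vlan-Id: 21, SMac: 0x005056a1c0de, DMac:0x0022bdf819ff, SIP: 192.0.2.30, DIP: 192.0.2.20, SPort: 40001, DPort: 125, Src Intf: port-channel2, Proto: 6, PktLen: 74
Feb 04 10:14:44 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E ][transition][info][sys] %ACLLOG-5-ACLLOG_PKTLOG_PERMIT: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: 2555904), VlanType: FD_VLAN, Vlan-Id: 21, SMac: 0x005056a1b43a, DMac:0x0022bdf819ff, SIP: 192.0.2.10, DIP: 192.0.2.20, SPort: 0, DPort: 0, Src Intf: port-channel2, Proto: 1, PktLen: 98
Feb 04 10:30:00 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [F ][transition][info][sys] some unrelated fabric message
"""


def analyse(text: str) -> List[Tuple[str, str, int]]:
    """Parse a syslog text and return the flagged sources."""
    events = [ev for ev in map(parse_acllog, text.splitlines()) if ev]
    return find_scanners(events)
```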

69 Agenda
- ACI Fundamentals Review
- Micro Segmentation Fundamentals
- ACI Group Based Policy Model
- Deep dive into Micro EPG options
- Demo #1: Applying IP-based uEPGs to segment bare metal and VMs
- Demo #2: Using uSeg for automated application deployment

70 Micro EPGs allow grouping of endpoints based on their attributes, rather than on an encapsulation.

71-73 Understanding Micro EPGs
- A base EPG is based on port and encapsulation (i.e. VLAN or VXLAN)
- A Micro EPG (uEPG) is equivalent to a regular EPG for all purposes, but classification is based on endpoint attributes (and is dynamic in nature)
- Endpoints are assigned to the uEPG regardless of the encapsulation/port
- The endpoint must first be known to a regular EPG, called the base EPG
(diagram: EPG GREEN with BM f4:5c:89:b2:bf:cb, BM f4:5c:89:b2:ab:cd and a VM)
- Define a uEPG based on MAC. Example: uEPG MyDB selects MAC=f4:5c:89:b2:bf:cb
- Define a uEPG based on VM attributes. Example: uEPG Quarantine selects VM-name=VM-01

74-79 Micro EPGs are attribute-based EPGs
- A new attribute called isAttrBasedEPg in fvAEPg. The admin has to explicitly specify whether a given EPG is an attribute-based EPG or not: isAttrBasedEPg = no for a regular EPG, isAttrBasedEPg = yes for a uEPG.
- An object fvCrtrn defines the criteria, i.e. the attributes that select endpoints into this group.

80 Classification possibilities depend on the type of endpoint.

81 For endpoints connected to Physical Domains (bare metal) you can use the IP or MAC addresses.

82 PhysDom (bare metal) with MAC address: considerations for MAC Micro EPGs on PhysDoms
- The base EPG must be configured and deployed to program VLANs on the leaf host ports
- Base EPG and MAC uEPG must be associated with the same BD
- The MAC uEPG must be deployed using node attachment on all the nodes where the BD is deployed
- Deployment Immediacy must be Immediate
- The VRF must be configured for ingress policy enforcement mode, otherwise a fault will be raised
- Software dependency: 2.1(1h). Hardware dependency: E-Series or newer

83 PhysDom (bare metal) with IP addresses: considerations for IP Micro EPGs on PhysDoms
- The base EPG must be configured and deployed to program VLANs on the leaf host ports
- Base EPG and IP uEPG must be associated with the same BD. The BD MUST have a subnet configured.
- The IP uEPG must be deployed using node attachment on all the nodes where the BD is deployed
- Deployment Immediacy must be Immediate
- You can specify individual IP addresses and/or subnets (i.e. a single host address, or a /24)
- Software dependency: 1.2(x). Hardware dependency: E-Series or newer
- Caveat: no bridged traffic will be enforced based on the IP-EPG classification

84 For endpoints connected to VMware or Microsoft VMM Domains you can use the IP, MAC or VM attributes. Note: uEPG support for Red Hat Virtualization is a roadmap item.

85 Micro EPGs with Microsoft Hyper-V, step 1: start with a base EPG
Base EPG GREEN (vlan-100) is mapped to the Microsoft VMM Domain; it defines the vswitch VM Network GREEN (trunk) and the base encapsulation, pushed to the MSFT vswitch over OpFlex. VMs ubuntu-01, centos-01, ubuntu-02 and centos-02 sit in EPG GREEN; policy enforcement is at the leaf.

86-89 Micro EPGs with Microsoft Hyper-V, step 2: configure uEPGs
1. We define a new uEPG called Ubuntu-VM and map it to the MSFT VMM Domain.
2. We define attributes to match; in this example, matching on the VM Operating System (Ubuntu Linux).
The uEPG will use a new encapsulation, communicated to the vswitch using OpFlex.

90-91 Micro EPGs with Microsoft Hyper-V, step 3: VMs are classified according to attributes
uEPG UBUNTU (vlan-102) now holds ubuntu-01 and ubuntu-02, while centos-01 and centos-02 stay in EPG GREEN (vlan-100). The Ubuntu VMs now cannot communicate with the CentOS VMs, and vice versa (no contract).
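To show how the attribute-based classification on the preceding slides behaves, here is an added example in Python (not Cisco code and not the APIC implementation): a classifier that assigns endpoints already known in a base EPG to uEPGs from MAC, IP/subnet or VM-attribute criteria, with fvCrtrn-style any/all matching. The Endpoint/Criterion/USegEPG classes, the precedence rule (MAC over IP over VM attribute, then an explicit precedence value) and the constructed inventory with its IPs and guest-OS strings are assumptions; the two bare-metal MACs and the uEPG names MyDB, Quarantine and Ubuntu-VM come from the slides.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    mac: str
    ip: Optional[str] = None
    base_epg: Optional[str] = None  # EPG learned from port/encap; None = not learned yet
    vm_attrs: Dict[str, str] = field(default_factory=dict)  # e.g. "vm-name", "guest-os"


@dataclass(frozen=True)
class Criterion:
    kind: str                 # "mac", "ip" or "vm"
    value: str                # MAC, address or prefix, or the VM attribute value
    vm_type: str = ""         # for kind "vm": which attribute ("vm-name", "guest-os", ...)
    operator: str = "equals"  # equals | contains | startsWith | endsWith (VM criteria)

    def matches(self, ep: Endpoint) -> bool:
        if self.kind == "mac":
            return ep.mac.lower() == self.value.lower()
        if self.kind == "ip":  # a single address or a subnet such as a /24
            return ep.ip is not None and \
                ipaddress.ip_address(ep.ip) in ipaddress.ip_network(self.value, strict=False)
        actual = ep.vm_attrs.get(self.vm_type)
        if actual is None:
            return False
        return {"equals": actual == self.value,
                "contains": self.value in actual,
                "startsWith": actual.startswith(self.value),
                "endsWith": actual.endswith(self.value)}[self.operator]


@dataclass
class USegEPG:
    name: str
    base_epg: str              # base EPG (same BD / domain) the uEPG draws from
    criteria: List[Criterion]
    match: str = "any"         # "any" or "all" of the criteria, like fvCrtrn match
    precedence: int = 0        # tie-breaker between VM-attribute uEPGs (higher wins)

    def selects(self, ep: Endpoint) -> bool:
        hits = [c.matches(ep) for c in self.criteria]
        return all(hits) if self.match == "all" else any(hits)

    def rank(self) -> tuple:
        # Assumed ordering: MAC criteria beat IP criteria beat VM attributes,
        # then the explicit precedence value decides.
        kinds = {c.kind for c in self.criteria}
        return (3 if "mac" in kinds else 2 if "ip" in kinds else 1, self.precedence)


def classify(endpoints: List[Endpoint], usegs: List[USegEPG]) -> Dict[str, Optional[str]]:
    """Map each endpoint MAC to the EPG it lands in: the best matching uEPG, else its
    base EPG, or None if the fabric has not learned it in any base EPG yet."""
    result: Dict[str, Optional[str]] = {}
    for ep in endpoints:
        if ep.base_epg is None:
            result[ep.mac] = None  # must first be known to a regular (base) EPG
            continue
        candidates = [u for u in usegs if u.base_epg == ep.base_epg and u.selects(ep)]
        best = max(candidates, key=USegEPG.rank, default=None)
        result[ep.mac] = best.name if best else ep.base_epg
    return result


# Constructed inventory for base EPG GREEN: the two bare-metal MACs from the slides plus
# VMs named like the Hyper-V example; IPs and guest-OS strings are made up.
ENDPOINTS = [
    Endpoint("f4:5c:89:b2:bf:cb", "10.0.0.11", "GREEN"),
    Endpoint("f4:5c:89:b2:ab:cd", "10.0.0.12", "GREEN"),
    Endpoint("00:50:56:a1:00:01", "10.0.0.21", "GREEN", {"vm-name": "ubuntu-01", "guest-os": "Ubuntu Linux (64-bit)"}),
    Endpoint("00:50:56:a1:00:02", "10.0.0.22", "GREEN", {"vm-name": "centos-01", "guest-os": "CentOS 7 (64-bit)"}),
    Endpoint("00:50:56:a1:00:03", "10.0.0.23", "GREEN", {"vm-name": "VM-01", "guest-os": "Ubuntu Linux (64-bit)"}),
    Endpoint("00:50:56:a1:00:04", "10.0.1.5", None),  # not learned in any base EPG
]
USEGS = [
    USegEPG("MyDB", "GREEN", [Criterion("mac", "f4:5c:89:b2:bf:cb")]),
    USegEPG("Ubuntu-VM", "GREEN", [Criterion("vm", "Ubuntu", "guest-os", "contains")]),
    USegEPG("Quarantine", "GREEN", [Criterion("vm", "VM-01", "vm-name")], precedence=10),
    USegEPG("DBNet", "OTHER", [Criterion("ip", "10.0.0.0/24")]),  # other base EPG: never applies
]
```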

92 Micro EPG Support with vSphere VDS
1. Start with Base EPG, enable MicroSeg
[Diagram: EPG GREEN with ubuntu-01, centos-01, ubuntu-02, centos-02 on dvportgroup GREEN (PVLAN p-3012, s-3019) of the VMware VDS; the leaf sees GREEN (v-3012/3019); policy enforcement at the leaf]
Callouts on the base EPG's VMM domain association: the micro-segmentation option must be True, and the immediacy must be Immediate. APIC will then configure the dvportgroup as an isolated PVLAN.

99 Micro EPG Support with vSphere VDS
1.1 Base EPG is working as a normal EPG
[Diagram: EPG GREEN with ubuntu-01, centos-01, ubuntu-02, centos-02 on dvportgroup GREEN (PVLAN p-3012, s-3019); leaf encap GREEN (v-3012/3019); policy enforcement at the leaf]
Communication between endpoints inside the EPG is allowed at the leaf. Proxy-ARP is enabled.

101 Micro EPG Support with vSphere VDS
2. Configure uEPG based on attributes
1. Define the uEPG and map it to the same VMM domain and BD as the base EPG (immediacy must be Immediate!)
2. Map the uEPG to the required leafs (where the ESXi servers are connected)
3. Configure the required attributes. We define the attributes to match; in this example we match on the VM operating system (Ubuntu Linux).

103 Micro EPG Support with vSphere VDS
3. VM is classified according to attributes
[Diagram: EPG GREEN with ubuntu-01, centos-01, ubuntu-02, centos-02 on dvportgroup GREEN (PVLAN p-3012, s-3019); ubuntu-01 and ubuntu-02 move into uEPG UBUNTU; the leaf carries GREEN (v-3012/3019) plus Ubuntu (mac-list); policy enforcement at the leaf]
uEPG Ubuntu MAC list programmed on the leaf:
  vm-1  00:50:56:AD:15:2E  (VM name: ubuntu-01)
  vm-2  00:50:56:AD:15:1F  (VM name: ubuntu-02)

104 Micro EPG Support with vSphere VDS - Details
Micro EPG considerations on vSphere VDS:
- Under the base EPG you must enable "uSeg EPG" for the VDS. This is only required when using uSeg with VDS.
- When the EPG is mapped to the VMM domain, APIC changes the VDS and port-group configuration: PVLAN is enabled and the port-group uses the secondary (isolated) VLAN, the same mechanism used for intra-EPG isolation.
- Proxy-ARP is automatically enabled on the base EPG (only supported on EX models).
- The PVLAN configuration exists only to force all traffic to flow through the leaf.
- You can create a uEPG with attribute classification and map it to the same VMM domain: even though we use a VM attribute, APIC knows the VM name and other info (IP, MAC) from vCenter and from the data plane, so APIC finds the MAC address of the VM. The leaf uses the MAC address for uSeg EPG classification.
Software dependency: 1.3(1g)
Hardware dependency: EX-series or newer

105 Micro EPG with AVE functions in a way similar to both Microsoft and VDS.

106 An EPG and a uEPG can be mapped to multiple different domains (virtual or physical).

107 Supported Attributes for Micro EPG Classification
Attribute support depends on the domain type. For VMM domains, some attributes are vendor specific (e.g. vSphere Tags). Refer to the Release Notes and the Virtualization Configuration Guide for the latest information.
Supported attributes as of 3.1:
Attribute                  | Type    | Example            | Domains
MAC Address                | Network | 5c:01:23:ab:cd:ef  | Phys, VMW, MSFT
IP Address                 | Network | /                  | Phys, VMW, MSFT
VNic Dn (vNIC domain name) | VM      | A1:23:45:67:89:0b  | VMW, MSFT
VM Identifier              | VM      | vm-598             | VMW, MSFT
VM Name                    | VM      | HR_UI_WEB          | VMW, MSFT
Hypervisor Identifier      | VM      | esxi-host-01       | VMW, MSFT
VMM Domain                 | VM      | AVS-VMM-DC1        | VMW, MSFT
Datacenter                 | VM      | BRU-DC             | VMW, MSFT
Guest Operating System     | VM      | Windows 2008       | VMW, MSFT
Custom Attribute           | VM      | AppTier=Web        | VMW, MSFT
vSphere Tags               | VM      | PROD:ENV           | VMW
DNS                        | Network | acme.app.com       | (experimental)

108 You can configure multiple attributes to select endpoints for a Micro EPG. APIC implements logical operators for this since release 2.3.

109 uEPGs with Attributes and Logical Operators - GUI Configuration (1/2)
Select the new "uSeg Attributes" folder under each specific uEPG.
Click on + to add additional attributes to Match Any/All, or click +( to add additional sections.
Select Match Any for OR logic. Select Match All for AND logic.

114 uEPGs with Attributes and Logical Operators - GUI Configuration (2/2)
Example: selects VMs with the tag APP:OpenCart-Apache, or VMs with the custom attribute app-tier=app1-app, as long as they are running in the vCenter datacenter DC1-EAST.

115 uEPG Match Precedence
- Attribute combinations may select a VM to be in multiple EPGs at once.
- Match Precedence selects the winner: the higher precedence wins.

116 Some important things to keep in mind when using Micro EPGs

117 Considerations when using Micro EPGs
- Be careful when using VM attributes: most attributes trigger immediate action on APIC, but others (like vSphere Tags) rely on polling and take longer to take effect.
- If a VM with multiple vNICs is classified, all vNICs may land in the same uEPG. Select the vNIC ID if using multiple vNICs, or use IP/MAC attributes instead.
- Use of intra-EPG contracts assumes you can use proxy-ARP and that no flooding is required. Watch out for applications that may require flooding.
- When using uEPGs on VDS, there are currently some caveats: SPAN filtering is at the base EPG level, not per uEPG; stats are aggregated at the base EPG level, not per uEPG.

118 Agenda
- ACI Fundamentals Review
- Micro Segmentation Fundamentals
- ACI Group Based Policy Model
- Deep dive into Micro EPG options
- Demo #1: Applying IP-based uEPGs to segment BM and VM
- Demo #2: Using uSeg for Automated Application Deployment

119 Demo #1 EPG Classification based on IP Address

120 [Flexibly] Classify based on IP Subnet
Two subnets: one for application virtual machines, one for databases (virtual and physical).
[Diagram: Subnet /24 and Subnet /254 (prefixes not captured)]
- We want to ensure classification based on IP subnet, regardless of encapsulation.
- We want to keep maximum flexibility to group endpoints regardless of subnet.

121 ACI Logical Design
Single BD, two base EPGs:
- Subnet advertisement control: the DB subnet is not advertised
- EPG1 and EPG2 configured for intra-EPG isolation with proxy-ARP enabled: no communication allowed within the base EPGs
- Base EPGs mapped to PHYSDOM and VMMDOM as required
[Diagram: BD ACME-BD with two subnets (/24 advertise, share; /24 private, share); Base EPG1 mapped to the VMM domain; Base EPG2 mapped to the VMM and physical domains]

122 ACI Logical Design - uEPG to classify on IP Subnet
- Create a uEPG for each of the subnets (match on IP subnet)
- Map the uEPGs to the corresponding VMM and physical domains
- Endpoints connected to EPG1 and EPG2 with an IP address matching the subnets will be placed in the correct uEPG and have connectivity
- Endpoints with a wrong IP address will have no connectivity at all
[Diagram: BD ACME-BD (/24 advertise, share; /24 private, share); uEPG net-41 matches IP /24, mapped to VMM; uEPG net-51 matches IP /24, mapped to VMM and Phys; Base EPG1 mapped to the VMM domain; Base EPG2 mapped to the VMM and physical domains]

123 ACI Logical Design - Details
Contracts configured to allow access to shared services from the base EPGs; they allow our provisioning system access to endpoints on the base EPGs. The isolated EPGs block all other communication.
Consume    | Contract                            | Provide
EPG1, EPG2 | proxy-access (icmp, tcp/3128)       | ExternalAccess (tn-common)
EPG1, EPG2 | Ansible-Provisioning (icmp, tcp/22) | AnsibleServer (tn-common)
[Diagram: BD ACME-BD (/24 advertise, share; /24 private, share); Ansible Server; Base EPG1 (isolated) mapped to the VMM domain; Base EPG2 (isolated) mapped to the VMM and physical domains; N9K leaf; VMware VDS with dvportgroup EPG1 and dvportgroup EPG2; EPG2 static path on vlan-1755]

125 ACI Logical Design - Details with uEPGs
The uEPGs net-41 and net-51 consume the same contracts as the base EPGs. The uEPG configuration does not use isolation, so traffic within each uEPG is allowed. Classification is done on IP, not on port group.
Consume                    | Contract                            | Provide
EPG1, EPG2, net-41, net-51 | proxy-access (icmp, tcp/3128)       | ExternalAccess (tn-common)
EPG1, EPG2, net-41, net-51 | Ansible-Provisioning (icmp, tcp/22) | AnsibleServer (tn-common)
[Diagram: BD ACME-BD (/24 advertise, share; /24 private, share); Base EPG1 (isolated) mapped to the VMM domain; Base EPG2 (isolated) mapped to the VMM and physical domains; N9K leaf; VMware VDS with dvportgroup EPG1 and dvportgroup EPG2 (EPG2 on vlan-1755); web VMs in uEPG net-41, db/SQL endpoints in uEPG net-51]

128 ACI Logical Design - Classification works across PODs
[Diagram: vCenter Cluster-01 spanning DC1 and DC2 over IP connectivity (L2/L3); web VMs in uEPG net-41 and db/SQL endpoints in uEPG net-51 in both DCs; BD ACME-BD (/24 advertise, share; /24 private, share)]


130 Demo #1 Summary
- Decouple encapsulation configurations (port-to-VLAN, port group) from actual workload segmentation.
- Subnet-based segmentation with complete flexibility: select entire subnets, select individual IPs, etc.
- Works across bare metal and virtualization (VMware and Microsoft today).
- Combine with contracts to provide distributed L3-4 security.

131 Video and Ansible playbooks for demo #1
Ansible Playbooks:
Demo Video:

132 Demo #2 Using VM Attributes, IP EPGs and Automated deployments

133 Note: for this example we will use Ansible for automation. Similar automation can be accomplished using other tools and/or a Cloud Management Platform.

134 We will provision a simple PHP application that uses virtual machines and bare metal servers.

135 Acme's Application
[Diagram: HTTPS into HAProxy with Keepalived; HTTP to CentOS running the PHP app on Apache; SQL to a clustered SQL DB. The front-end and web tiers are virtualized with VMware; the database runs on bare metal]

136 Acme's Application Network Design
[Diagram: WEB and APP FRONTEND tiers in the SERVER SUBNET; physical SQL databases in the DB SUBNET]
- FRONTEND and WEB tiers run as VMs and share a subnet
- Traffic between FRONTEND and WEB must be filtered
- WEB applications require data from a DB running on a bare metal server
- White-list model approach to security (zero trust)

137 Basic ACI Design Constructs - Objects shared from the common tenant
- We will use a shared L3Out: a general EPG for the default route, and a specific one for restricting access to the local proxy or repo.
- Exported contract interface (automatically enables VRF leaking): Ansible-Provision
- Global contracts from tn-common to be consumed by user tenants: MyAcmeApp, proxy-access
[Diagram: tn-common with Squid-Proxy, Ansible Server, L3Out External Access (/0) and Proxy-Access (/32)]

138 Basic ACI Design Constructs - AcmeTenant (tn-acmetenant)
- Web and LB VMs: base EPG programmed with intra-EPG isolation, mapped to the VMM domain to create the dvportgroup. EPG: ServerNetwork (isolated), BD: ACME-BD (/24, advertise, share)
- Physical database servers: base EPG programmed with intra-EPG isolation (if no flooding is required), mapped to the PhysDom with a static path or AEP. EPG: DBNetwork, BD: DB-BD (/24, private, share)
- Common tenant services: Monitoring, DHCP & DNS. BD: INFRA-BD (/24, private, share)

139 Basic ACI Design Constructs - AcmeTenant Base Contracts
- proxy-access: global contract from tn-common, consumed by all EPGs, allows tcp/3128 and ICMP
- Ansible-Provisioning: exported from tn-common, consumed as a contract interface from all tenant EPGs, allows tcp/22 and ICMP

142 Demo Design - Lab Details
[Diagram: DC1 ACI POD1 with ACI leaf vPC pairs, Squid-Proxy, Ansible Server (Proxy-Access /32), a vSphere cluster on VMware VDS (VMM-ACI-DC1) with dvportgroup ServerNetwork; EPG ServerNetwork (isolated) mapped to the VMM domain; EPG DBNetwork mapped to the physical domain]
EPG Consume              | Contract                            | EPG Provide
ServerNetwork, DBNetwork | proxy-access (icmp, tcp/3128)       | Proxy-Access (tn-common)
ServerNetwork, DBNetwork | Ansible-Provisioning (icmp, tcp/22) | AnsibleServer (tn-common)
ServerNetwork, DBNetwork | DNS (udp/53, tcp/53)                | DNS
ServerNetwork, DBNetwork | NAGIOS (tcp/80, udp/162, udp/163)   | Monitoring


151 Deploying the New Application - using uEPG to classify workloads (1/3)
tn-acmetenant: uEPG FRONTEND, master ServerNetwork, BD ACME-BD (/24, advertise, share)
- Intra-EPG Isolation: Unenforced
- Contract Master: ServerNetwork
- Match Precedence: 100
- Select based on VM name; the high match precedence ensures the VM is not wrongly classified elsewhere

155 Deploying the New Application - using uEPG to classify workloads (2/3)
tn-acmetenant: uEPG WEB-PROD, master ServerNetwork, BD ACME-BD (/24, advertise, share)
- Intra-EPG Isolation: Enforced
- Contract Master: ServerNetwork
- Match Precedence: 10
- Classify a VM if it carries app:myacmeapp, tier:web, env:prod AND runs in VMM-ACI-DC1

159 Deploying the New Application - using uEPG to classify workloads (3/3)
tn-acmetenant: uEPG DB-PROD, master DBNetwork, BD DB-BD (/24, private, share)
- Intra-EPG Isolation: Enforced
- Contract Master: DBNetwork
- Match Precedence: 10

163 Deploying the New Application - Leveraging Contract Inheritance
uEPGs configured to inherit contracts from the base EPG.

164 Deploying the New Application - Application specific contracts
Restrict access as required for each application tier.

165 Deploying the New Application - Handling HAProxy Redundancy
- HAProxy redundancy using Keepalived: a VIP address for the application
- Based on VRRP. Can work with unicast or multicast; we will use unicast mode.
- uEPG FRONTEND (master ServerNetwork): ACTIVE and BACKUP nodes share the VIP
- Intra-EPG contract: allow IP protocol 112 (VRRP)

166 Demo Design - Lab Details (with uEPGs)
[Diagram: DC1 ACI POD1 with ACI leaf vPC pairs, Squid-Proxy, Ansible Server, External-Access (/0), VMware VDS (VMM-ACI-DC1) with dvportgroup ServerNetwork on the vSphere cluster; uEPGs DB-PROD, FRONTEND and WEB-PROD]
EPG Consume                | Contract                          | EPG Provide
ExternalAccess (tn-common) | MyAcmeApp (icmp, tcp/80, tcp/443) | FRONTEND
ExternalAccess (tn-common) | HAPROXY-STATS (tcp/8181)          | FRONTEND
FRONTEND                   | KEEPALIVED-VRRP (ip-112)          | FRONTEND
FRONTEND                   | HTTP (tcp/80, icmp)               | WEB-PROD
WEB-PROD                   | MYSQL (tcp/3306, icmp)            | DB-PROD


176 Let's see how this extends to more than one DC with Multi-POD
We can launch VMs on DC2 that are connected to the same ServerNetwork and have the same policies.
[Diagram: DC1 ACI POD1 and DC2 ACI POD2 over IP connectivity; vcenter-dc1 with VMware VDS (VMM-ACI-DC1) and vcenter-dc2 with VMware VDS (VMM-ACI-DC2), each with dvportgroup ServerNetwork; vSphere cluster DEV in DC2; Ansible Server and Proxy-Access (/32) in DC1; uEPG FRONTEND and uEPG WEB-PROD, master ServerNetwork; EPG ServerNetwork (isolated) mapped to the VMM domain; BD ACME-BD (/24, advertise, share)]

178 We can create new uEPGs to allow specific policies for our development environment
[Diagram: as above, with uEPG WEB-DV (master ServerNetwork) on the DC2 dvportgroup ServerNetwork]
When development is completed, we can tag the VM to go into production.

181 Promote workload into production by setting the right VM attributes and vmotion to right cluster DC1 ACI POD1 IP connectivity DC2 ACI POD2 Proxy-Access /32 VMware VDS (VMM-ACI-DC1) dvportgroup ServerNetwork uepg: FRONTEND Master: ServerNetwork uepg: WEB-PROD Master: ServerNetwork vcenter-dc1 vcenter-dc2 vsphere CLUSTER DEV VMware VDS (VMM-ACI-DC2) dvportgroup ServerNetwork uepg: WEB-DV Master: ServerNetwork BD: ACME-BD /24, advertise, share BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 182

182 Promote workload into production by setting the right VM attributes and vmotion to right cluster DC1 ACI POD1 IP connectivity DC2 ACI POD2 Proxy-Access /32 VMware VDS (VMM-ACI-DC1) dvportgroup ServerNetwork uepg: FRONTEND Master: ServerNetwork uepg: WEB-PROD Master: ServerNetwork vcenter-dc1 vcenter-dc2 vsphere CLUSTER DEV VMware VDS (VMM-ACI-DC2) dvportgroup ServerNetwork uepg: WEB-DV Master: ServerNetwork BD: ACME-BD /24, advertise, share BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 183

183 Promote workload into production by setting the right VM attributes and vmotion to right cluster DC1 ACI POD1 IP connectivity DC2 ACI POD2 Proxy-Access /32 VMware VDS (VMM-ACI-DC1) dvportgroup ServerNetwork uepg: FRONTEND Master: ServerNetwork uepg: WEB-PROD Master: ServerNetwork vcenter-dc vcenter-dc2 vsphere CLUSTER DEV VMware VDS (VMM-ACI-DC2) dvportgroup ServerNetwork uepg: WEB-DV Master: ServerNetwork When the VM has all correct attributes AND moves to DC1, it goes into production BD: ACME-BD /24, advertise, share BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 184

184 Promote workload into production by setting the right VM attributes and vmotion to right cluster DC1 ACI POD1 IP connectivity DC2 ACI POD2 Proxy-Access /32 Load Balancer can be updated by orchestrator and/or pull endpoints from uepg VMware VDS (VMM-ACI-DC1) dvportgroup ServerNetwork uepg: FRONTEND Master: ServerNetwork uepg: WEB-PROD Master: ServerNetwork vcenter-dc vcenter-dc2 vsphere CLUSTER DEV VMware VDS (VMM-ACI-DC2) dvportgroup ServerNetwork uepg: WEB-DV Master: ServerNetwork When the VM has all correct attributes AND moves to DC1, it goes into production BD: ACME-BD /24, advertise, share BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 185
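The promotion shown on slides 180-184 is worth seeing in the APIC object model, because that is what the demo's Ansible playbooks ultimately push. The Python below is an added example, not the session's playbooks: it builds the JSON for the WEB-DV and WEB-PROD micro-EPGs (attribute-based EPG, bound to one VMM domain each, inheriting contracts from the base EPG "ServerNetwork" as their contract master, with a vCenter tag criterion) and then models how a VM is classified as it is retagged and moved. Tenant ACME, application profile ACME-AP, the tag category "env" with values "dev"/"prod", and the cluster-to-domain mapping are assumptions; the slides do not state them. The classifier is a simplified model of APIC's uSeg matching (tag criteria, match any/all, the four operators) and ignores precedence between overlapping uEPGs and the other criterion types APIC supports.

```python
"""Build the APIC JSON for the WEB-DV / WEB-PROD micro-EPGs on the slides and
model how a tagged VM is classified as it is promoted to production.

Added example, not the session's Ansible playbooks.  Assumed (not on the
slides): tenant ACME, application profile ACME-AP, a vCenter tag category
"env" with tags "dev"/"prod", and the cluster-to-VMM-domain mapping below.
The classifier is a simplified model of APIC uSeg matching for VM tag
criteria only; APIC also supports IP, MAC, VM name, guest OS and hypervisor
criteria, and uses the criterion precedence when several uEPGs match.
"""
import json

TENANT = "ACME"            # assumed
AP = "ACME-AP"             # assumed
BASE_EPG = "ServerNetwork"
BD = "ACME-BD"

# Constructed mapping of vSphere clusters to the VMM domains on the slides.
CLUSTER_TO_DOMAIN = {"DEV": "VMM-ACI-DC2", "PROD": "VMM-ACI-DC1"}


def vmm_domain_dn(domain):
    return f"uni/vmmp-VMware/dom-{domain}"


def useg_epg(name, vmm_domain, tag_category, tag_value, match="all"):
    """APIC JSON for one attribute-based EPG: isAttrBasedEPg=yes, bound to a
    single VMM domain (this is what ties WEB-PROD to DC1 and WEB-DV to DC2),
    inheriting contracts from the base EPG via fvRsSecInherited (the slides'
    "Master: ServerNetwork"), with one vCenter-tag criterion."""
    return {"fvAEPg": {
        "attributes": {"name": name, "isAttrBasedEPg": "yes"},
        "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": BD}}},
            {"fvRsDomAtt": {"attributes": {"tDn": vmm_domain_dn(vmm_domain)}}},
            {"fvRsSecInherited": {"attributes": {
                "tDn": f"uni/tn-{TENANT}/ap-{AP}/epg-{BASE_EPG}"}}},
            {"fvCrtrn": {
                "attributes": {"name": "default", "match": match},
                "children": [{"fvVmAttr": {"attributes": {
                    "name": f"tag-{tag_category}", "type": "tag",
                    "category": tag_category, "operator": "equals",
                    "value": tag_value}}}]}},
        ]}}


def rest_target(name):
    """Where to POST the object above (e.g. with cisco.aci.aci_rest or requests)."""
    return f"/api/mo/uni/tn-{TENANT}/ap-{AP}/epg-{name}.json"


USEG_EPGS = [
    useg_epg("WEB-PROD", "VMM-ACI-DC1", "env", "prod"),
    useg_epg("WEB-DV", "VMM-ACI-DC2", "env", "dev"),
]

# The four operators APIC offers for VM attribute criteria.
OPERATORS = {
    "equals": lambda actual, want: actual == want,
    "contains": lambda actual, want: want in actual,
    "startsWith": lambda actual, want: actual.startswith(want),
    "endsWith": lambda actual, want: actual.endswith(want),
}


def _child(epg, cls):
    return next(c[cls] for c in epg["fvAEPg"]["children"] if cls in c)


def criteria_match(epg, vm):
    """Evaluate the uEPG's fvCrtrn against a VM's vCenter tags ({category: tag})."""
    crtrn = _child(epg, "fvCrtrn")
    hits = []
    for child in crtrn["children"]:
        attr = child["fvVmAttr"]["attributes"]
        actual = vm["tags"].get(attr["category"])
        hits.append(actual is not None and OPERATORS[attr["operator"]](actual, attr["value"]))
    return all(hits) if crtrn["attributes"]["match"] == "all" else any(hits)


def classify(vm):
    """EPG the VM lands in: the first uEPG whose VMM domain is the one the VM's
    cluster belongs to AND whose criteria match; otherwise the base EPG.
    (Model only: APIC breaks ties between matching uEPGs by precedence.)"""
    domain_dn = vmm_domain_dn(CLUSTER_TO_DOMAIN[vm["cluster"]])
    for epg in USEG_EPGS:
        if _child(epg, "fvRsDomAtt")["attributes"]["tDn"] != domain_dn:
            continue
        if criteria_match(epg, vm):
            return epg["fvAEPg"]["attributes"]["name"]
    return BASE_EPG


def promotion_path(vm):
    """Slides 180-184: where the VM sits (1) in dev, (2) after it is tagged
    env=prod but is still in the DEV cluster, (3) after vMotion to PROD."""
    tagged = {**vm, "tags": {**vm["tags"], "env": "prod"}}
    moved = {**tagged, "cluster": "PROD"}
    return [classify(vm), classify(tagged), classify(moved)]


if __name__ == "__main__":
    for epg in USEG_EPGS:
        print(rest_target(epg["fvAEPg"]["attributes"]["name"]))
        print(json.dumps(epg, indent=1))
    web01 = {"name": "web01", "cluster": "DEV", "tags": {"env": "dev"}}  # constructed VM
    print(promotion_path(web01))  # ['WEB-DV', 'ServerNetwork', 'WEB-PROD']
```

The middle step is the one to notice: a VM tagged env=prod but still on the DEV cluster falls back to the base EPG, because WEB-PROD is only associated with the DC1 VMM domain. That is the "attributes AND moves to DC1" condition on the slide, enforced by the domain binding rather than by the criterion. The flip side is that with attribute-based classification, whoever can write VM tags in vCenter can change a VM's security group; restrict tag assignment in vCenter to the same roles that are allowed to change network policy.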


186 Demo #2 Summary: Benefits of ACI Micro Segmentation Combined with Automation
- Leverage programmable network virtualization and policy to perform complete automation of application rollouts.
- Seamless segmentation for bare metal and virtual: no bottlenecks.
- Use the automation tools of your choice; the demo uses open source Ansible.
- The orchestration layer needs minimal network knowledge.
- Works for Microsoft SCVMM, VMware vCenter and bare metal today.
- The network admin maintains full visibility.

187 Video and Ansible playbooks for demo #2. Ansible Playbooks: Demo Videos: Video, Video, Video

188 Reflect for a moment on how you would accomplish the same thing if running a traditional network.

189 By using ACI, the Ansible playbook has no need to keep details of any rack, any switch, any port, any VLAN, any IP address.

190 ACI enables micro segmentation that you can deploy in a gradual and flexible way.

191 Some people will do static configurations using the GUI or the NX-OS-style CLI,

192 and others will use automation tools,

193 but you can certainly do a bit of both.


196 Please complete your online session evaluations after each session. Complete 4 session evaluations and the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event.


Layer 4 to Layer 7 Service Insertion, page 1 This chapter contains the following sections:, page 1 Layer 4 to Layer 7 Policy Model, page 2 About Service Graphs, page 2 About Policy-Based Redirect, page 5 Automated Service Insertion, page 12 About

More information

Cisco ACI Simulator Release Notes, Release 1.1(1j)

Cisco ACI Simulator Release Notes, Release 1.1(1j) Cisco ACI Simulator Release Notes, This document provides the compatibility information, usage guidelines, and the scale values that were validated in testing this Cisco ACI Simulator release. Use this

More information

Automation of Application Centric Infrastructure (ACI) with Cisco UCS Director

Automation of Application Centric Infrastructure (ACI) with Cisco UCS Director Automation of Application Centric Infrastructure (ACI) with Cisco UCS Director Raju Penmetsa @RajuPenmetsa1 Data Center Group Agenda IT Complexity Solution for ACI Automation Cisco UCS Director Application

More information

Customer s journey into the private cloud with Cisco Enterprise Cloud Suite

Customer s journey into the private cloud with Cisco Enterprise Cloud Suite Customer s journey into the private cloud with Cisco Enterprise Cloud Suite Peter Charpentier, Senior Solution Architect, Cisco AS Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker

More information

Question No: 3 Which configuration is needed to extend the EPG out of the Cisco ACI fabric?

Question No: 3 Which configuration is needed to extend the EPG out of the Cisco ACI fabric? Volume: 60 Questions Question No: 1 You discover that a VLAN is not enabled on a leaf port even though on EPG is provisioned. Which cause of the issue is most likely true? A. Cisco Discovery protocol is

More information

BRKACI-2504 Cisco Security on ACI, MicroSegmentation, ASA, FirePower. Brenden Buresh DC Technical Solutions Architect

BRKACI-2504 Cisco Security on ACI, MicroSegmentation, ASA, FirePower. Brenden Buresh DC Technical Solutions Architect BRKACI-2504 Cisco Security on ACI, MicroSegmentation, ASA, FirePower Brenden Buresh DC Technical Solutions Architect Agenda Introduction Data Center Security ACI Fundamental Building Blocks ACI Tenant

More information

Cisco VTS. Enabling the Software Defined Data Center. Jim Triestman CSE Datacenter USSP Cisco Virtual Topology System

Cisco VTS. Enabling the Software Defined Data Center. Jim Triestman CSE Datacenter USSP Cisco Virtual Topology System Cisco Virtual Topology System Cisco VTS Enabling the Software Defined Data Center Jim Triestman CSE Datacenter USSP jtriestm@cisco.com VXLAN Fabric: Choice of Automation and Programmability Application

More information

Title DC Automation: It s a MARVEL!

Title DC Automation: It s a MARVEL! Title DC Automation: It s a MARVEL! Name Nikos D. Anagnostatos Position Network Consultant, Network Solutions Division Classification ISO 27001: Public Data Center Evolution 2 Space Hellas - All Rights

More information

Integration of Multi-Hypervisors with Application Centric Infrastructure

Integration of Multi-Hypervisors with Application Centric Infrastructure Integration of Multi-Hypervisors with Application Centric Infrastructure BRKAPP-9005 Bradley Wong Principal Engineer The Application Centric Infrastructure (ACI) is adopting an innovative approach to addressing

More information

Cisco Tetration Analytics

Cisco Tetration Analytics Cisco Tetration Analytics Real-time application visibility and policy management using advanced analytics Yogesh Kaushik, Sr. Director Product Management PSOACI-2100 Agenda Market context Introduction:

More information

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco SDN Security Alok Mittal Security Business Group, Cisco Security at the Speed of the Network Automating and Accelerating Security Through SDN Countering threats is complex and difficult. Software Defined

More information

Virtuální firewall v ukázkách a příkladech

Virtuální firewall v ukázkách a příkladech Praha, hotel Clarion 10. 11. dubna 2013 Virtuální firewall v ukázkách a příkladech T-SEC3 / L2 Tomáš Michaeli Cisco 2013 2011 Cisco and/or its affiliates. All rights reserved. Cisco Connect 1 Agenda VXLAN

More information