Practical Applications of Cisco ACI Micro Segmentation
- Antony Hunt
- 5 years ago
2 BRKACI-2301 Practical Applications of Cisco ACI Micro Segmentation. Speaker: Principal Engineer, INSBU
3 Cisco Spark: questions? Use Cisco Spark to communicate with the speaker after the session: 1. Find this session in the Cisco Live Mobile App. 2. Click Join the Discussion. 3. Install Spark or go directly to the space. 4. Enter messages/questions in the space (cs.co/ciscolivebot#brkaci). Cisco and/or its affiliates. All rights reserved. Cisco Public
4 Session Objectives: explain the ACI features that enable Micro Segmentation; provide ideas of how to use these features; show these features working on simple yet practical examples.
5 Agenda: ACI Fundamentals Review; Micro Segmentation Fundamentals; ACI Group Based Policy Model; Deep dive into Micro EPG options; Demo #1: Applying IP-based uEPGs to segment BM and VM; Demo #2: Using uSeg for Automated Application Deployment.
6 Application Centric Infrastructure: single point of management with full FCAPS. Network virtualization: distributed L2/L3 across the fabric and across different sites; seamless networking for physical, storage, VMs and containers. Integrated security: distributed programmable policy, micro segmentation, L4-7 service chaining. Virtualization support: VMware vCenter, Microsoft SCVMM, Red Hat Virtualization, virtual switch, external L2/L3. Cloud management integration: OpenStack, Kubernetes. Ecosystem: Cisco ACI App Center, 65+ ecosystem partners.
7 Cisco ACI: Industry Leader: 4, ACI Customers; % ACI Attach Rate; 65+ Ecosystem Partners.
8 ACI Anywhere: Any Workload, Any Location, Any Cloud. Remote PoD, Multi-Pod / Multi-Site and Hybrid Cloud Extension over IP WAN, covering remote locations, on premise and public cloud. Security Everywhere, Analytics Everywhere, Policy Everywhere.
9 Agenda (section: Micro Segmentation Fundamentals)
10 What do we mean by Micro Segmentation?
11-13 What is Micro Segmentation? Segmentation: Segments 1 to 4, where a segment = broadcast domain / VLAN / subnet. Micro Segmentation: Micro Segments 1 to 4 carved out inside a segment (the example splits Segment 1, then Segment 2), where a micro segment = an endpoint or a group of endpoints.
14 Why Micro Segmentation? Perimeter security is not enough: once the perimeter is breached, lateral movement lets attackers compromise more assets. Improve the security posture inside the Data Center: minimize segment size and give the smallest possible exposure to lateral movement.
15-21 Micro Segmenting in a heterogeneous Data Center: many different types of workloads run in a Data Center: Campus and Branch Users; Virtualized w/ VMware; Virtualized w/ Microsoft; Virtualized w/ KVM; Bare Metal / Big Data; Shared/Infra.
22-24 Micro Segmenting requires granularly grouping endpoints (e.g. Contractor and Sales user groups) and defining and enforcing policy between them (Policy Enforcement). For grouping campus users such as Contractor and Sales, look at SDA.
25 Key Functions to Achieve Better Segmentation. (1) Endpoint Identity: how to classify endpoints into groups: network identity (IP/MAC/VLAN); metadata such as VM attributes, labels, tags; DNS; user authentication (e.g. from ISE). (2) Policy Definition: determine what policy to configure between and within groups: application dependency mapping; white-list vs. black-list; policy simulation; dynamic vs. pre-defined. (3) Verify, Refine: verify policy enforcement and manage its lifecycle: policy visibility; logging and log analysis; alerts and remediation; constant updates.
26 Where should we enforce policy? Host-based enforcement: centrally manage host-based firewalls. Pros: distributed; network independent; can use extremely granular policies; process-level visibility and correlation. Cons: guest-OS dependent. Network-based enforcement: centrally manage rules at the network edge (vSwitch, pSwitch or both). Pros: distributed; guest-OS independent; best scale with group-based policy; network-level visibility and correlation. Cons: requires network resources (memory, TCAM, etc.) for policy.
27 ACI implements distributed network policies. Contracts allow definition of Layer 2 to Layer 4 security policies. Distributed security policies are implemented at different enforcement points: the leaf (hardware based, no performance penalty); the vSwitch (e.g. OVS, AVE, FD.io/VPP), with or without OpFlex; external L2/L3.
28 Operations and Security: Cisco Tetration provides network analytics and host-based distributed security: visibility and forensics, policy, application insight, policy simulation, neighborhood graphs, application segmentation, process inventory, compliance.
29 It is possible to combine host-based and network-based enforcement, for tiered security and for operational reasons (SecOps vs. NetOps vs. DevOps).
30 APIC enforces policy across dissimilar data planes. Data planes shown: N9K leaf with VMware VDS or any vSwitch (focus of this session), AVE, KVM with OVS and Kubernetes with OVS (OpFlex-managed; related sessions BRKACI-3456 and BRKACI-2505). Controllers integrated: VMware vCenter, Microsoft SCVMM. APIC is the policy and visibility point and exposes northbound APIs; application traffic flows between the APP/OS workloads across these data planes.
31 Agenda (section: ACI Group Based Policy Model)
32 Identifying and Classifying endpoints into Groups in ACI
33 An Endpoint Group (EPG) is a set of devices that share the same policy requirements.
34 Every EPG belongs to a VRF and an Application Profile.
35 Application Profile: a group of EPGs related to each other to represent an application. Health scores, statistics, logs and audit data are automatically correlated and rolled up at Application Profile level. It holds the EPGs, uEPGs, domain associations, contract relations and L4-7 configuration.
36 By default, endpoints inside an EPG can communicate freely.
37 By default, endpoints in different EPGs cannot communicate at all.
38 Defaults can be changed...
39 Policy enforcement can be enabled or disabled at VRF level. Policy Enforced: no communication without contracts. Policy Unenforced: all communication allowed. (Example: VRF MyVRF with EPG-A, EPG-B, EPG-C and an External EPG on an L3Out.)
40 Another option is to use Preferred Groups inside a VRF.
41-42 Preferred Group Operating Principle. Inside the Preferred Group (EPG-A, EPG-B, EPG-C, EPG-D and the External EPG of the L3Out in VRF MyVRF) there is unrestricted communication. Excluded EPGs (EPG-1, EPG-2, EPG-3) can NOT communicate without contracts (Contract-1 and Contract-2 between them), and a contract (Contract-3) is also required for an excluded EPG to reach an EPG inside the Preferred Group.
43 Preferred Group Configuration: enable at VRF level, then select at EPG level. First, enable the Preferred Group feature for the VRF in its vzAny (EPG Collection for VRF) configuration; then configure each EPG to be included.
44 Restrict all traffic inside a group: Intra-EPG Isolation. Intra-EPG Isolation blocks communication between all endpoints inside the group (example: EPG Video-Server). Supports mixing physical and virtual endpoints in the same EPG. Software dependency: 1.3(1g) or higher. Hardware dependency: supported on all hardware models.
45 Restrict all traffic inside a group: Intra-EPG Isolation. Supported on PhysDoms and VMware VMM domains (AVS, AVE, DVS) (*); since ACI 3.0 the Microsoft VMM domain also supports intra-EPG isolation. Can be configured on EPGs and uEPGs (**). PVLAN integration is used for VMware DVS and Microsoft VMM domains. Proxy-ARP is used, and is required to reach other EPGs in the same subnet. (*) On AVS and AVE it requires VXLAN mode. (**) For uEPGs it is supported with EX and FX leaf switches; intra-EPG isolation is not yet supported with uEPGs on AVS/AVE.
46-51 EPGs can have relations with Contracts. Contracts determine communication using a white-list model. Example: EPG BLUE (BM and VM) and EPG GREEN (VM and BM) in the same Bridge Domain (a /24, L2/L3). Contract Blue-to-Green: Scope: VRF; Subject: AppTraffic; Apply Both Directions: True; Reverse Port Filters: Yes; filters: permit tcp/80, permit tcp/443. GREEN PROVIDES the contract, so ports tcp/80 and tcp/443 are exposed on GREEN. BLUE CONSUMES the contract, so ports tcp/80 and tcp/443 are NOT exposed on BLUE. Example flows from BLUE to GREEN: any source port to tcp/80 is permitted; any source port to tcp/8080 is not in the filter and is dropped.
52 Contracts also allow inserting L4-7 services, like Next Generation Firewalls, ADCs, IPS/IDS, etc. You can insert an NGFW or a load balancer by attaching a Service Graph to the contract subject (here subject AppTraffic of Blue-to-Green, between the consumer EPG BLUE and the provider EPG GREEN).
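The consumer/provider asymmetry above is easy to get wrong, so here is an added example (not code from the session or from Cisco) that models the Blue-to-Green contract in plain Python and evaluates constructed sample flows against it. It also shows what happens if "Reverse Filter Ports" is switched off while "Apply Both Directions" stays on: the filter is then matched on the destination port in both directions, so tcp/80 becomes reachable on the consumer as well, while the server's replies no longer match. Source ports and flow names are assumptions chosen for the example.

```python
"""Model of ACI contract semantics as a white-list between EPGs (added example)."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class FilterEntry:
    proto: str                    # "tcp", "udp", "icmp"
    dport: Optional[int] = None   # destination port in the filter; None = unspecified


@dataclass
class Contract:
    name: str
    filters: List[FilterEntry]
    apply_both_directions: bool = True   # subject setting "Apply Both Directions"
    reverse_filter_ports: bool = True    # subject setting "Reverse Filter Ports"


@dataclass
class Epg:
    name: str
    provides: Set[str] = field(default_factory=set)
    consumes: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Flow:
    src_epg: str
    dst_epg: str
    proto: str
    sport: int
    dport: int


def _matches(entry: FilterEntry, proto: str, port: int) -> bool:
    return entry.proto == proto and (entry.dport is None or entry.dport == port)


def is_permitted(flow: Flow, epgs: Dict[str, Epg], contracts: Dict[str, Contract]) -> bool:
    """True if some contract relation admits the flow; between EPGs ACI defaults to implicit deny.

    consumer -> provider: the filter is matched on the destination port.
    provider -> consumer: only via Apply Both Directions. With Reverse Filter Ports
    the filter port is compared with the *source* port (the server's reply), so the
    consumer never exposes tcp/80 itself. Without it, the same dport match is applied
    in both directions.
    """
    src, dst = epgs[flow.src_epg], epgs[flow.dst_epg]
    for name in src.consumes & dst.provides:
        if any(_matches(e, flow.proto, flow.dport) for e in contracts[name].filters):
            return True
    for name in src.provides & dst.consumes:
        c = contracts[name]
        if not c.apply_both_directions:
            continue
        port = flow.sport if c.reverse_filter_ports else flow.dport
        if any(_matches(e, flow.proto, port) for e in c.filters):
            return True
    return False


# The slide's topology: GREEN provides Blue-to-Green, BLUE consumes it.
CONTRACTS = {"Blue-to-Green": Contract("Blue-to-Green",
                                       [FilterEntry("tcp", 80), FilterEntry("tcp", 443)])}
EPGS = {"BLUE": Epg("BLUE", consumes={"Blue-to-Green"}),
        "GREEN": Epg("GREEN", provides={"Blue-to-Green"})}

# Constructed sample flows; the ephemeral source ports are arbitrary.
SLIDE_FLOWS = {
    "blue_to_green_tcp80":   Flow("BLUE", "GREEN", "tcp", 51000, 80),
    "blue_to_green_tcp8080": Flow("BLUE", "GREEN", "tcp", 51001, 8080),
    "green_reply_from_80":   Flow("GREEN", "BLUE", "tcp", 80, 51000),
    "green_to_blue_tcp80":   Flow("GREEN", "BLUE", "tcp", 51002, 80),
}


def evaluate(flows: Dict[str, Flow], contracts: Dict[str, Contract]) -> Dict[str, bool]:
    return {k: is_permitted(f, EPGS, contracts) for k, f in flows.items()}


def evaluate_slide_flows() -> Dict[str, bool]:
    """Contract as configured on the slide (Reverse Filter Ports: Yes)."""
    return evaluate(SLIDE_FLOWS, CONTRACTS)


def evaluate_without_reverse_ports() -> Dict[str, bool]:
    """Same contract with Reverse Filter Ports switched off: the consumer now exposes tcp/80."""
    weak = {k: replace(c, reverse_filter_ports=False) for k, c in CONTRACTS.items()}
    return evaluate(SLIDE_FLOWS, weak)


if __name__ == "__main__":
    for label, result in (("as on slide", evaluate_slide_flows()),
                          ("reverse ports off", evaluate_without_reverse_ports())):
        print(label)
        for name, ok in result.items():
            print(f"  {name:24s} {'permit' if ok else 'deny'}")
```

The second evaluation is the check worth running before relaxing a subject: a contract that still "permits tcp/80" can silently change from one-way exposure on the provider to exposure on both EPGs.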
53-56 Restricting traffic inside a group with Intra-EPG Contracts. EPG AppNetwork to EPG AppNetwork: Contract ansible, Subject Allow-ssh: TCP/22, ICMP. Contract allow-icmp, Subject ICMP-traffic: ICMP, log. A new contract relationship type specifies an intra-EPG contract: <fvRsIntraEpg tnVzBrCPName="allow-icmp"/>
57 Restricting communication between endpoints inside a group with intra-EPG contracts: since ACI 3.0 it is possible to assign contracts to restrict traffic between endpoints of the same EPG. It can be enabled on both EPGs and uEPGs. As of 3.1 it is supported for PhysDoms and VMware VDS VMM domains. Intra-EPG contracts require proxy-ARP and are only supported with EX/FX switches or newer.
58 Intra-EPG Contract Use Case: a service vNIC used for management in a clustered application. Example: a clustered web application. The jump host must be able to access all endpoints, and you cannot use intra-EPG isolation because the required cluster protocols must be allowed between the VMs inside the dvPortGroup. Web-Tier PortGroup (Base EPG, PVLAN 2300/2301); uEPG app1-web with VMs web-prod-aci-01 and web-prod-aci-02. Intra-EPG contract Zookeeper, subject Allow Zookeeper: TCP/2181, TCP/2888, TCP/3888, so only the Zookeeper ports are allowed between the VMs. Contract any-ip, subject Allow-any-ip (any IP) between EPG JumpHost and the uEPG.
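The slide shows the new relation as a single XML element. As an added example (not code from the session or from Cisco), the following Python builds the complete APIC REST body for the AppNetwork case as JSON, so the intra-EPG relation can be seen in context with its filter, contract and subject, and then walks the body to list exactly which EPGs would switch from free intra-EPG communication to a white list. The class and attribute names (fvTenant, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, fvAp, fvAEPg, fvRsIntraEpg, fvRsProv, tnVzBrCPName, tnVzFilterName, directives) are the APIC object model; the tenant name "Demo", application profile "App1", filter names, and attaching the ansible contract as a provided contract are assumptions made for the example.

```python
"""Build and review an APIC REST payload that applies an intra-EPG contract (added example)."""
import json
from typing import Dict, List, Optional, Sequence


def vz_entry(name: str, prot: str, port: Optional[int] = None) -> dict:
    """One filter entry; a None port means the protocol alone (e.g. icmp)."""
    attrs = {"name": name, "etherT": "ip", "prot": prot}
    if port is not None:
        attrs.update({"dFromPort": str(port), "dToPort": str(port)})
    return {"vzEntry": {"attributes": attrs}}


def vz_filter(name: str, entries: Sequence[dict]) -> dict:
    return {"vzFilter": {"attributes": {"name": name}, "children": list(entries)}}


def contract(name: str, subject: str, filter_name: str, log: bool = False) -> dict:
    """VRF-scoped contract, one subject, Reverse Filter Ports on; optional permit logging."""
    att = {"tnVzFilterName": filter_name}
    if log:
        att["directives"] = "log"   # permit-log is set per filter on the subject
    subj = {"vzSubj": {"attributes": {"name": subject, "revFltPorts": "yes"},
                       "children": [{"vzRsSubjFiltAtt": {"attributes": att}}]}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"}, "children": [subj]}}


def epg(name: str, intra_epg: Sequence[str] = (), provides: Sequence[str] = (),
        consumes: Sequence[str] = ()) -> dict:
    children: List[dict] = []
    children += [{"fvRsIntraEpg": {"attributes": {"tnVzBrCPName": c}}} for c in intra_epg]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def build_tenant_payload(tenant: str = "Demo", ap: str = "App1") -> dict:
    """The slide's objects: contracts ansible and allow-icmp, EPG AppNetwork."""
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        vz_filter("ssh-icmp", [vz_entry("ssh", "tcp", 22), vz_entry("icmp", "icmp")]),
        vz_filter("icmp-only", [vz_entry("icmp", "icmp")]),
        contract("ansible", "Allow-ssh", "ssh-icmp"),
        contract("allow-icmp", "ICMP-traffic", "icmp-only", log=True),
        {"fvAp": {"attributes": {"name": ap}, "children": [
            # assumption: ansible is a regular (provided) contract, allow-icmp is intra-EPG
            epg("AppNetwork", intra_epg=["allow-icmp"], provides=["ansible"]),
        ]}},
    ]}}


def intra_epg_relations(payload: dict) -> Dict[str, List[str]]:
    """Pre-change review: which EPGs get an intra-EPG white list, and with which contracts."""
    out: Dict[str, List[str]] = {}

    def walk(node: dict) -> None:
        for cls, body in node.items():
            if cls == "fvAEPg":
                out[body["attributes"]["name"]] = [
                    c["fvRsIntraEpg"]["attributes"]["tnVzBrCPName"]
                    for c in body.get("children", []) if "fvRsIntraEpg" in c]
            for child in body.get("children", []):
                walk(child)

    walk(payload)
    return out


def to_json(payload: dict) -> str:
    """Body for POST https://<apic>/api/mo/uni.json with an authenticated APIC session."""
    return json.dumps(payload, indent=2)


if __name__ == "__main__":
    body = build_tenant_payload()
    print(intra_epg_relations(body))
    print(to_json(body))
```

Running intra_epg_relations before the POST is the practical check: an fvRsIntraEpg relation changes the default inside the EPG from permit-all to the listed contract, so any cluster protocol not in its filter (the Zookeeper case on the next slide) is cut the moment the body is committed.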
59 Taboo Contract: taboo contracts are specific to one EPG. They deny a set of ports on the EPG to which the taboo contract is applied; for instance, "EPG-A: do not allow any port 80 traffic". Taboo filters override regular contract filters.
60 vzAny allows configuring contracts for all EPGs in a VRF. vzAny represents the collection of EPGs that belong to the same VRF (Tenant VRF1: BD1 with EPG1, BD2 with EPG2 and EPG3, EPG4), including L3 external EPGs. Instead of associating contracts to each individual EPG, you can associate a contract to vzAny. With cross-VRF contracts, vzAny can only be a consumer, not a provider.
61 Simplifying Contract Configurations: EPG Contract Inheritance. Simplifies the configuration of EPG contract relations: an EPG can refer to master EPG(s) to inherit contract relations from; 1 level and 1 direction of inheritance (i.e. master EPG -> child EPG); a child EPG can inherit from multiple master EPGs; when new contract relations are added to the master EPG, the EPGs with an inheritance relation automatically get the same contract associations. Caveats: the EPGs must be under the same tenant; contract inheritance does NOT reduce the number of contracts or TCAM entries; inheritance does NOT apply to vzAny.
62 Example: EPG_A has three contract relations: it consumes Contract_DNS and Contract_Internet and provides Contract_SSL.
63 EPG_B is configured to inherit from EPG_A (Master: EPG_A): it uses the same contracts as EPG_A, consuming Contract_DNS and Contract_Internet and providing Contract_SSL.
64 Specific contracts can now be added to the child: EPG_B (Master: EPG_A) also provides Contract_TomCat, in addition to the inherited relations (consumes Contract_DNS and Contract_Internet, provides Contract_SSL).
65 EPG_C is configured to inherit from EPG_A (Master: EPG_A): EPG_C only gets the contracts of EPG_A (consumes Contract_DNS and Contract_Internet, provides Contract_SSL); it does not get EPG_B's Contract_TomCat.
66 Changes to contract relations on EPG_A are inherited by EPG_B and EPG_C: a new consumed contract, Contract_Ansible, is added only to EPG_A and is automatically inherited by EPG_B (which also keeps providing Contract_TomCat) and EPG_C.
67 Contract Logging: Denied Packets. ACI can log implicit deny hits. For bare metal, VMware VDS and Microsoft domains the logs are generated by the leaf; for AVS they may be generated on the leaf or the vLeaf; for OpenStack ML2 mode, logging is configured outside the fabric, at the host. Syslog is exported according to the monitoring policies and the configured external data collectors. Logs include tenant/VRF, EPG VLAN encap, ingress interface and the offending packet details. ACL deny hits are not logged by default: Fabric -> Fabric Policies -> Monitoring Policies -> Common Policy -> Syslog Message Policies -> Policy for system syslog messages -> change the default severity to info. Example: contract MySQLAccess, subject DB-Traffic, filter: icmp allow, tcp/3106 allow; a packet with Proto: 6, sport 54135, dport 125 from the consumer VM to the provider VM is denied. Software dependency: supported on all software releases. Hardware dependency: supported on all hardware models. Sample syslog: Feb 04 10:26:54 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E ][transition][info][sys] %ACLLOG-5-ACLLOG_PKTLOG_DENY: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: ), VlanType: FD_VLAN, Vlan-Id: 21, SMac: 0x b43a, DMac:0x0022bdf819ff, SIP: , DIP: , SPort: 54135, DPort: 125, Src Intf: port-channel2, Proto: 6, PktLen: 74
68 Contract Logging: Permitted Packets. Permit logging is configured per filter, on the subject. For bare metal, VDS and Microsoft domains the logs are generated by the leaf; for AVS they may be generated on the leaf or the vLeaf; for OpenStack ML2 mode, logging is configured outside the fabric, at the host. Syslog is exported according to the monitoring policies and the configured external data collectors. Logs include tenant/VRF, EPG VLAN encap, ingress interface and the packet details. Software dependency: 2.2(1n) or higher. Hardware dependency: requires EX models or newer. Example: contract MySQLAccess, subject DB-Traffic, filter: icmp allow log, tcp/3106 allow log; an ICMP packet (Proto: 1, sport 0, dport 0) between the VMs is permitted and logged. Sample syslog: Feb 04 10:14:44 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E ][transition][info][sys] %ACLLOG-5-ACLLOG_PKTLOG_PERMIT: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: ), VlanType: FD_VLAN, Vlan-Id: 21, SMac: 0x b43a, DMac:0x0022bdf819ff, SIP: , DIP: , SPort: 0, DPort: 0, Src Intf: port-channel2, Proto: 1, PktLen: 98
69 Agenda (section: Deep dive into Micro EPG options)
70 Micro EPGs allow grouping of endpoints based on their attributes rather than on an encapsulation.
71-73 Understanding Micro EPGs. The base EPG is based on port and encapsulation (i.e. VLAN or VXLAN). A Micro EPG (uEPG) is equivalent to a regular EPG for all purposes, but classification is based on endpoint attributes (and is dynamic in nature). Endpoints are assigned to the uEPG regardless of encapsulation/port; the endpoint must first be known to a regular EPG, called the base EPG. Example: EPG GREEN contains BM f4:5c:89:b2:bf:cb, BM f4:5c:89:b2:ab:cd and a VM. Define uEPG MyDB based on MAC (select MAC=f4:5c:89:b2:bf:cb). Define a uEPG based on VM attributes (example: VM-name=VM-01), or a uEPG Quarantine.
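The two ACLLOG lines on the logging slides are what a SOC actually receives from the leaf, and they are only useful once parsed. As an added example (not code from the session or from Cisco), the following Python parses ACLLOG_PKTLOG_DENY and ACLLOG_PKTLOG_PERMIT syslog lines in the field layout shown on the slides into structured records and summarizes denies per VRF and per destination port, which is the first view you want when checking whether a new contract is dropping legitimate traffic. The sample lines are constructed: the addresses are RFC 5737 test addresses and the VNID, MAC addresses and message IDs are placeholders, not values from the slides.

```python
"""Parse ACI leaf ACLLOG syslog lines and summarize denies (added example)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

PREFIX_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
ACLLOG_RE = re.compile(
    r"%ACLLOG-\d-ACLLOG_PKTLOG_(?P<action>PERMIT|DENY): "
    r"CName: (?P<tenant>[^:]+):(?P<vrf>[^(]+)\(VXLAN: (?P<vnid>\d*)\), "
    r"VlanType: (?P<vlan_type>\w+), Vlan-Id: (?P<vlan>\d+), "
    r"SMac: (?P<smac>0x[0-9a-fA-F]+), DMac:\s*(?P<dmac>0x[0-9a-fA-F]+), "
    r"SIP: (?P<sip>[\d.]+), DIP: (?P<dip>[\d.]+), "
    r"SPort: (?P<sport>\d+), DPort: (?P<dport>\d+), "
    r"Src Intf: (?P<intf>[^,]+), Proto: (?P<proto>\d+), PktLen: (?P<len>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample lines in the slide's layout (RFC 5737 addresses, placeholder IDs).
SAMPLE_LINES = [
    "Feb 04 10:26:54 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E0000001][transition][info][sys] "
    "%ACLLOG-5-ACLLOG_PKTLOG_DENY: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: 2000000), VlanType: FD_VLAN, "
    "Vlan-Id: 21, SMac: 0x000c29aaaaaa, DMac:0x0022bdf819ff, SIP: 192.0.2.10, DIP: 192.0.2.20, "
    "SPort: 54135, DPort: 125, Src Intf: port-channel2, Proto: 6, PktLen: 74",
    "Feb 04 10:26:55 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E0000002][transition][info][sys] "
    "%ACLLOG-5-ACLLOG_PKTLOG_DENY: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: 2000000), VlanType: FD_VLAN, "
    "Vlan-Id: 21, SMac: 0x000c29aaaaaa, DMac:0x0022bdf819ff, SIP: 192.0.2.10, DIP: 192.0.2.20, "
    "SPort: 54136, DPort: 125, Src Intf: port-channel2, Proto: 6, PktLen: 74",
    "Feb 04 10:26:57 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E0000003][transition][info][sys] "
    "%ACLLOG-5-ACLLOG_PKTLOG_DENY: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: 2000000), VlanType: FD_VLAN, "
    "Vlan-Id: 21, SMac: 0x000c29bbbbbb, DMac:0x0022bdf819ff, SIP: 192.0.2.11, DIP: 192.0.2.20, "
    "SPort: 40000, DPort: 8080, Src Intf: port-channel2, Proto: 6, PktLen: 74",
    "Feb 04 10:14:44 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [E0000004][transition][info][sys] "
    "%ACLLOG-5-ACLLOG_PKTLOG_PERMIT: CName: Test-Tenant:Test-Tenant-VRF(VXLAN: 2000000), VlanType: FD_VLAN, "
    "Vlan-Id: 21, SMac: 0x000c29aaaaaa, DMac:0x0022bdf819ff, SIP: 192.0.2.10, DIP: 192.0.2.20, "
    "SPort: 0, DPort: 0, Src Intf: port-channel2, Proto: 1, PktLen: 98",
    # an unrelated leaf message, to show that non-ACLLOG lines are skipped
    "Feb 04 10:27:01 troy-leaf1 %LOG_LOCAL7-6-SYSTEM_MSG [F0000005][raised][info][sys] unrelated event",
]


def parse_acllog(line: str) -> Optional[dict]:
    """Return a typed record for an ACLLOG line, or None for any other syslog line."""
    m = ACLLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    head = PREFIX_RE.match(line)
    rec["ts"], rec["host"] = (head["ts"], head["host"]) if head else (None, None)
    for key in ("vlan", "sport", "dport", "len"):
        rec[key] = int(rec[key])
    proto_num = int(rec["proto"])
    rec["proto"] = PROTO_NAMES.get(proto_num, str(proto_num))
    rec["vrf"] = f"{rec['tenant']}:{rec['vrf']}"   # CName as shown in the log
    return rec


def summarize(lines: List[str]) -> Dict[str, object]:
    """Counts of permit/deny per VRF and a ranked list of denied destination ports."""
    by_vrf_action: Counter = Counter()
    denied: Counter = Counter()
    for rec in filter(None, map(parse_acllog, lines)):
        by_vrf_action[(rec["vrf"], rec["action"])] += 1
        if rec["action"] == "DENY":
            denied[f"{rec['proto']}/{rec['dport']}"] += 1
    ranked: List[Tuple[str, int]] = sorted(denied.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"by_vrf_action": by_vrf_action, "denied_dports": ranked}


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(dict(s["by_vrf_action"]))
    print(s["denied_dports"])
```

The deny ranking is the triage aid: a burst of denies to one destination port from a single source right after a contract change usually means a dependency the application dependency mapping missed, not an attack.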
72 Understanding Micro EPGs Base EPG based on port and encapsulation (i.e VLAN or VXLAN) A MicroEPG (uepg) is equivalent to a regular EPG for all purposes, but classification is based on endpoint attributes (and dynamic in nature) Endpoints assigned to the uepg regardless of the encapsulation/port The endpoint must be first known to a regular EPG, called base EPG EPG GREEN BM f4:5c:89:b2:bf:cb uepg MyDB BM f4:5c:89:b2:ab:cd VM Define uepg based on MAC. Example: Select MAC=f4:5c:89:b2:bf:cb BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 73
73 Understanding Micro EPGs A MicroEPG (uepg) is equivalent to a regular EPG for all purposes, but classification is based on endpoint attributes (and dynamic in nature) Endpoints assigned to the uepg regardless of the encapsulation/port The endpoint must be first known to a regular EPG, called base EPG EPG GREEN uepg MyDB BM f4:5c:89:b2:bf:cb Define uepg based on VM attributes. Example: VM-name=VM-01 BM f4:5c:89:b2:ab:cd VM uepg Quarantine BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 74
74-79 Micro EPGs are attribute-based EPGs. A new attribute isAttrBasedEPg in fvAEPg: the admin has to explicitly specify whether a given EPG is attribute based or not (isAttrBasedEPg = no for a regular EPG, isAttrBasedEPg = yes for a uEPG). An object fvCrtrn defines the criteria, i.e. the attributes that select endpoints into this group.
80 Classification possibilities depend on the type of endpoint.
81 For endpoints connected to Physical Domains (bare metal) you can use the IP or MAC addresses.
82 PhysDom (Bare Metal) with MAC Address. Considerations for MAC micro EPGs on PhysDoms: the base EPG must be configured and deployed to program the VLANs on the leaf host ports; base EPG and MAC uEPG must be associated with the same BD; the MAC uEPG must be deployed using node attachment on all the nodes where the BD is deployed; Deployment Immediacy must be Immediate; the VRF must be configured for ingress policy enforcement mode, otherwise a fault is raised. Software dependency: 2.1(1h). Hardware dependency: E-Series or newer.
83 PhysDom (Bare Metal) with IP Addresses. Considerations for IP micro EPGs on PhysDoms: the base EPG must be configured and deployed to program the VLANs on the leaf host ports; base EPG and IP uEPG must be associated with the same BD, and the BD MUST have a subnet configured; the IP uEPG must be deployed using node attachment on all the nodes where the BD is deployed; Deployment Immediacy must be Immediate. You can specify individual IP addresses and/or subnets (e.g. a /24). Software dependency: 1.2(x). Hardware dependency: E-Series or newer. Caveat: bridged traffic is not enforced based on the IP-EPG classification.
84 For endpoints connected to VMware or Microsoft VMM domains you can use the IP, MAC or VM attributes. Note: uEPG support for Red Hat Virtualization is a roadmap item.
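To make the classification rules above concrete, here is an added example (not code from the session or from Cisco) that evaluates fvCrtrn-style criteria over a small endpoint inventory: an endpoint is learned in its base EPG by port and encapsulation and is then moved to the uEPG whose attributes match it. The attribute classes are the APIC object names (fvMacAttr, fvIpAttr, fvVmAttr); the rule that a MAC criterion beats an IP criterion, which beats VM attributes, follows ACI's documented default precedence (the full list in the APIC documentation is longer and can be overridden per uEPG). The inventory, the Quarantine address 192.0.2.99 and the guest OS strings are constructed; the MACs and names MyDB, VM-01, Quarantine, ubuntu-01 and centos-01 come from the slides.

```python
"""Classify endpoints into Micro EPGs from attribute criteria (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List
import ipaddress


@dataclass(frozen=True)
class Endpoint:
    mac: str
    ip: str
    base_epg: str          # EPG the endpoint was learned in (port + encapsulation)
    vm_name: str = ""      # empty for bare metal
    guest_os: str = ""


@dataclass(frozen=True)
class Criterion:
    cls: str               # "fvMacAttr", "fvIpAttr" or "fvVmAttr"
    value: str
    vm_type: str = ""      # fvVmAttr only: "vm-name" or "guest-os"
    op: str = "equals"     # fvVmAttr only: "equals" or "contains"


@dataclass
class UsegEpg:
    name: str
    base_epg: str
    match: str = "any"     # fvCrtrn match: "any" (OR of criteria) or "all" (AND)
    criteria: List[Criterion] = field(default_factory=list)


# Lower value wins when an endpoint satisfies several uEPGs (default precedence).
PRECEDENCE = {"fvMacAttr": 1, "fvIpAttr": 2, "fvVmAttr": 3}


def criterion_matches(c: Criterion, ep: Endpoint) -> bool:
    if c.cls == "fvMacAttr":
        return ep.mac.lower() == c.value.lower()
    if c.cls == "fvIpAttr":        # a host address or a subnet
        return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(c.value, strict=False)
    if c.cls == "fvVmAttr":
        actual = {"vm-name": ep.vm_name, "guest-os": ep.guest_os}[c.vm_type]
        return actual == c.value if c.op == "equals" else c.value in actual
    raise ValueError(f"unknown attribute class {c.cls}")


def useg_matches(u: UsegEpg, ep: Endpoint) -> bool:
    if u.base_epg != ep.base_epg:  # the endpoint must first be known in the base EPG
        return False
    hits = [criterion_matches(c, ep) for c in u.criteria]
    if not hits:                   # a uEPG with no criteria selects nothing
        return False
    return any(hits) if u.match == "any" else all(hits)


def classify(ep: Endpoint, usegs: List[UsegEpg]) -> str:
    """Name of the uEPG the endpoint lands in, or its base EPG if nothing matches."""
    matched = [u for u in usegs if useg_matches(u, ep)]
    if not matched:
        return ep.base_epg
    # most specific attribute class wins; on a tie the first configured uEPG is kept here
    return min(matched, key=lambda u: min(PRECEDENCE[c.cls] for c in u.criteria)).name


def classify_all(endpoints: List[Endpoint], usegs: List[UsegEpg]) -> Dict[str, str]:
    return {ep.mac: classify(ep, usegs) for ep in endpoints}


USEGS = [
    UsegEpg("MyDB", "GREEN", criteria=[Criterion("fvMacAttr", "f4:5c:89:b2:bf:cb")]),
    UsegEpg("App01", "GREEN", criteria=[Criterion("fvVmAttr", "VM-01", vm_type="vm-name")]),
    UsegEpg("Ubuntu-VM", "GREEN",
            criteria=[Criterion("fvVmAttr", "Ubuntu", vm_type="guest-os", op="contains")]),
    UsegEpg("Quarantine", "GREEN", criteria=[Criterion("fvIpAttr", "192.0.2.99")]),
]

# Constructed inventory: two bare-metal hosts and three VMs, all learned in base EPG GREEN.
ENDPOINTS = [
    Endpoint("f4:5c:89:b2:bf:cb", "192.0.2.11", "GREEN"),
    Endpoint("f4:5c:89:b2:ab:cd", "192.0.2.12", "GREEN"),
    Endpoint("00:50:56:00:00:01", "192.0.2.21", "GREEN", "VM-01", "CentOS Linux 7"),
    Endpoint("00:50:56:00:00:02", "192.0.2.22", "GREEN", "ubuntu-01", "Ubuntu Linux (64-bit)"),
    Endpoint("00:50:56:00:00:03", "192.0.2.99", "GREEN", "ubuntu-02", "Ubuntu Linux (64-bit)"),
]

if __name__ == "__main__":
    for mac, group in classify_all(ENDPOINTS, USEGS).items():
        print(f"{mac}  ->  {group}")
```

The last endpoint is the case to note: ubuntu-02 matches the Ubuntu-VM criterion by guest OS, but its quarantined IP matches an IP criterion, which has higher precedence, so it lands in Quarantine. That is exactly the behaviour you want from a quarantine uEPG, and exactly why precedence must be understood before stacking overlapping uEPGs on one base EPG.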
85 Micro EPGs with Microsoft Hyper-V 1. Start with a Base EPG Hyper-V EPG GREEN (vlan-100) ubuntu-01 centos-01 ubuntu-02 centos-02 Base EPG GREEN mapped to Microsoft VMM Domain defines vswitch Network and base encapsulation OpFlex VM Network GREEN (trunk) MSFT vswitch OpFlex GREEN (vlan-100) GREEN (vlan-100) Policy Enforcement BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 86
86 Micro EPGs with Microsoft Hyper-V 2. Configure uepgs Hyper-V BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 87
87 Micro EPGs with Microsoft Hyper-V 2. Configure uepgs Hyper-V 1.- We define a new uepg called Ubuntu-VM and map it to the MSFT VMM Domain. BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 88
88 Micro EPGs with Microsoft Hyper-V 2. Configure uepgs Hyper-V 1.- We define a new uepg called Ubuntu-VM and map it to the MSFT VMM Domain. 2.- We define attributes to match, in this example, matching on the VM Operating System (Ubuntu Linux) BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 89
89 Micro EPGs with Microsoft Hyper-V 2. Configure uepgs Hyper-V 1.- We define a new uepg called Ubuntu-VM and map it to the MSFT VMM Domain. 2.- We define attributes to match, in this example, matching on the VM Operating System (Ubuntu Linux) The uepg will use a new encapsulation, communicated to the vswitch using OpFlex BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 90
90 Micro EPGs with Microsoft Hyper-V 3. VM classified according to attributes Hyper-V EPG GREEN (vlan-100) ubuntu-01 centos-01 ubuntu-02 centos-02 EPG GREEN (vlan-100) ubuntu-01 centos-01 ubuntu-02 centos-02 OpFlex VM Network GREEN (trunk) MSFT vswitch OpFlex OpFlex VM Network GREEN (trunk) MSFT vswitch OpFlex GREEN (vlan-100) GREEN (vlan-100) GREEN (vlan-100) GREEN (vlan-100) Policy Enforcement BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 91
91 Micro EPGs with Microsoft Hyper-V 3. VM classified according to attributes uepg UBUNTU (vlan-102) Hyper-V EPG GREEN (vlan-100) ubuntu-01 centos-01 ubuntu-02 centos-02 EPG GREEN (vlan-100) ubuntu-01 centos-01 ubuntu-02 centos-02 OpFlex Ubuntu VMs now cannot communicate with CentOS VM and VM Network GREEN (trunk) vice versa MSFT vswitch OpFlex (no contract) MSFT vswitch OpFlex OpFlex VM Network GREEN (trunk) GREEN (vlan-100) GREEN (vlan-100) GREEN (vlan-100) Ubuntu (vlan-102) GREEN (vlan-100) Ubuntu (vlan-102) Policy Enforcement BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 92
92-98 Micro EPG Support with vSphere VDS: 1. Start with Base EPG, enable MicroSeg
Base EPG GREEN holds ubuntu-01, centos-01, ubuntu-02 and centos-02 on dvportgroup GREEN of the VMware VDS; policy enforcement stays on the leaf.
In the VMM domain association of the base EPG, the uSeg EPG setting must be True, and the immediacy setting must be Immediate.
APIC then configures the dvportgroup as an isolated PVLAN (dvportgroup GREEN: PVLAN primary 3012, secondary 3019), and the leaf sees EPG GREEN as v-3012/3019.
99-100 Micro EPG Support with vSphere VDS: 1.1 Base EPG is working as a normal EPG
With the PVLAN in place, EPG GREEN (ubuntu-01, centos-01, ubuntu-02, centos-02 on dvportgroup GREEN, PVLAN p-3012/s-3019, seen by the leaf as GREEN v-3012/3019) still behaves as a normal EPG.
Communication between endpoints inside the EPG is allowed at the leaf, and proxy-ARP is enabled since all traffic now flows through the leaf.
101-102 Micro EPG Support with vSphere VDS: 2. Configure uEPG based on attributes
1. Define the uEPG and map it to the same VMM domain and BD as the base EPG (immediacy must be Immediate).
2. Map the uEPG to the required leafs (those where the ESXi servers are connected).
3. Configure the required attributes. In this example we match on the VM operating system (Ubuntu Linux).
103 Micro EPG Support with vSphere VDS: 3. VM is classified according to attributes
The guest-OS attribute selects ubuntu-01 (MAC 00:50:56:AD:15:2E) and ubuntu-02 (MAC 00:50:56:AD:15:1F) from vCenter. APIC turns the attribute match into a MAC list, and the leaf programs uEPG UBUNTU as Ubuntu (mac-list) alongside GREEN (v-3012/3019) on dvportgroup GREEN (PVLAN p-3012, s-3019). centos-01 and centos-02 remain in EPG GREEN.
104 Micro EPG Support with vSphere VDS: Details
Micro EPG considerations on vSphere VDS:
Under the base EPG you must enable the uSeg EPG option for VDS. This is only required when using uSeg with VDS.
When the EPG is mapped to the VMM domain, APIC changes the VDS and port-group configuration: PVLAN is enabled, and the port-group uses the secondary (isolated) VLAN, the same mechanism used for intra-EPG isolation.
Proxy-ARP is automatically enabled on the base EPG (this is only supported on EX-model leafs).
The PVLAN configuration exists only to force all traffic to flow through the leaf.
You can then create a uEPG with attribute classification and map it to the same VMM domain. Even though the uEPG uses VM attributes, APIC knows the VM name and other information (IP, MAC) from vCenter and from the data plane, so it resolves the attribute match to the MAC address of the VM; the leaf uses that MAC address for uSeg EPG classification.
Software dependency: 1.3(1g). Hardware dependency: EX-Series or newer.
105 Micro EPG with AVE functions in a way similar to both Microsoft and VDS.
106 An EPG and a uEPG can be mapped to multiple different domains (virtual or physical).
107 Supported Attributes for Micro EPG Classification
Attribute support depends on the domain type. For VMM domains, some attributes are vendor specific (e.g. vSphere Tags). Refer to the Release Notes and the Virtualization Configuration Guide for the latest information.
Supported attributes as of 3.1:

Attribute                  | Type    | Example           | Domains
MAC Address                | Network | 5c:01:23:ab:cd:ef | Phys, VMW, MSFT
IP Address                 | Network | /                 | Phys, VMW, MSFT
VNic Dn (vNIC domain name) | VM      | A1:23:45:67:89:0b | VMW, MSFT
VM Identifier              | VM      | vm-598            | VMW, MSFT
VM Name                    | VM      | HR_UI_WEB         | VMW, MSFT
Hypervisor Identifier      | VM      | esxi-host-01      | VMW, MSFT
VMM Domain                 | VM      | AVS-VMM-DC1       | VMW, MSFT
Datacenter                 | VM      | BRU-DC            | VMW, MSFT
Guest Operating System     | VM      | Windows 2008      | VMW, MSFT
Custom Attribute           | VM      | AppTier=Web       | VMW, MSFT
vSphere Tags               | VM      | PROD:ENV          | VMW
DNS                        | Network | acme.app.com      | (experimental)
108 You can configure multiple attributes to select endpoints for a Micro EPG. APIC implements logical operators for this since release 2.3.
109-113 uEPGs with Attributes and Logical Operators - GUI Configuration (1/2)
Select the uSeg Attributes folder under each specific uEPG.
Click on + to add additional attributes to a Match Any / Match All block, or click +( to add additional (nested) sections.
Select Match Any for OR logic; select Match All for AND logic.
114 uEPGs with Attributes and Logical Operators - GUI Configuration (2/2)
Example: select VMs with Tag APP:OpenCart-Apache, or VMs with Custom Attribute app-tier=app1-app, as long as they are running in the vCenter datacenter DC1-EAST.
115 uEPG Match Precedence
Attribute combinations may select a VM into multiple uEPGs at once. Match Precedence selects the winner: the higher precedence wins.
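To make the Match Any / Match All logic and Match Precedence concrete, here is a toy Python model added for this page (it is not APIC code and not the deck's playbooks): it evaluates nested attribute blocks against what APIC learns about a VM and picks the winning uEPG by precedence, using the OpenCart rule above and the FRONTEND / WEB-PROD rules from Demo #2. The VM name acme-lb-01, the WEB-DV rule and the OPENCART base EPG are assumptions.

```python
"""Toy model of ACI uSeg (micro EPG) classification: attribute matching with
Match Any / Match All logic, nested blocks, and Match Precedence.
Written for this page as an illustration; it is not APIC code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Union


@dataclass
class Endpoint:
    """What APIC learns about a workload from vCenter/SCVMM and the data plane."""
    name: str
    ip: str
    mac: str
    vmm_domain: str = ""
    datacenter: str = ""
    guest_os: str = ""
    tags: List[str] = field(default_factory=list)         # vSphere tags "category:name"
    custom: Dict[str, str] = field(default_factory=dict)  # vSphere custom attributes


@dataclass
class Attr:
    """One uSeg attribute; kind mirrors a row of the attribute table above."""
    kind: str
    value: str

    def matches(self, ep: Endpoint) -> bool:
        if self.kind == "vm-name":
            return ep.name == self.value
        if self.kind == "ip":          # host address or subnet
            return ip_address(ep.ip) in ip_network(self.value, strict=False)
        if self.kind == "mac":
            return ep.mac.lower() == self.value.lower()
        if self.kind == "vmm-domain":
            return ep.vmm_domain == self.value
        if self.kind == "datacenter":
            return ep.datacenter == self.value
        if self.kind == "guest-os":
            return self.value in ep.guest_os
        if self.kind == "tag":
            return self.value in ep.tags
        if self.kind == "custom":      # custom attribute written "key=value"
            key, _, val = self.value.partition("=")
            return ep.custom.get(key) == val
        raise ValueError(f"unknown uSeg attribute kind: {self.kind}")


@dataclass
class Block:
    """A uSeg Attributes block: 'all' = AND (Match All), 'any' = OR (Match Any).
    Blocks nest, which is what the '+(' button in the GUI adds."""
    match: str
    items: List[Union[Attr, "Block"]]

    def matches(self, ep: Endpoint) -> bool:
        results = [item.matches(ep) for item in self.items]
        return all(results) if self.match == "all" else any(results)


@dataclass
class MicroEPG:
    name: str
    base_epg: str      # the EPG whose dvportgroup/VLAN the endpoint is attached to
    precedence: int    # Match Precedence: higher wins when several uEPGs match
    criteria: Block


def classify(ep: Endpoint, base_epg: str, uepgs: List[MicroEPG]) -> str:
    """Return the EPG the endpoint is placed in: among the uEPGs built on its
    base EPG whose criteria match, the highest precedence wins; with no match
    the endpoint stays in the base EPG."""
    hits = [u for u in uepgs if u.base_epg == base_epg and u.criteria.matches(ep)]
    if not hits:
        return base_epg
    # Equal precedence among matching uEPGs is a design error: fix the rules, do not rely on APIC's pick.
    return max(hits, key=lambda u: u.precedence).name


# Rules from the slides. FRONTEND selects the load balancer by VM name with
# precedence 100; WEB-PROD needs three tags AND domain VMM-ACI-DC1 (precedence 10).
# The VM name "acme-lb-01" and the WEB-DV rule (same app/tier tags, domain
# VMM-ACI-DC2) are assumptions; the deck does not spell them out.
WEB_TAGS = [Attr("tag", "app:myacmeapp"), Attr("tag", "tier:web"), Attr("tag", "env:prod")]
UEPGS = [
    MicroEPG("FRONTEND", "ServerNetwork", 100,
             Block("any", [Attr("vm-name", "acme-lb-01")])),
    MicroEPG("WEB-PROD", "ServerNetwork", 10,
             Block("all", WEB_TAGS + [Attr("vmm-domain", "VMM-ACI-DC1")])),
    MicroEPG("WEB-DV", "ServerNetwork", 10,
             Block("all", WEB_TAGS[:2] + [Attr("vmm-domain", "VMM-ACI-DC2")])),
    # The GUI example: Tag APP:OpenCart-Apache OR custom attribute
    # app-tier=app1-app, as long as the VM runs in datacenter DC1-EAST.
    MicroEPG("OPENCART", "ServerNetwork", 20, Block("all", [
        Block("any", [Attr("tag", "APP:OpenCart-Apache"),
                      Attr("custom", "app-tier=app1-app")]),
        Attr("datacenter", "DC1-EAST"),
    ])),
]
```

Endpoint values fed to `classify` are constructed test data; the promotion story from Demo #2 (tag env:prod, then vMotion into VMM-ACI-DC1) falls out of the WEB-DV / WEB-PROD pair.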
116 Some important things to keep in mind when using Micro EPGs
117 Considerations when using Micro EPG
Be careful when using VM attributes: most attributes trigger immediate action on APIC, but others (like vSphere Tags) rely on polling and take longer to take effect.
If a VM with multiple vNICs is classified, all of its vNICs may land in the same uEPG. Select the vNIC id if using multiple vNICs, or use IP/MAC attributes instead.
Use of intra-EPG contracts assumes you can use proxy-ARP and that no flooding is required. Watch out for applications that may require flooding.
When using uEPGs on VDS there are currently some caveats: SPAN filtering is at base EPG level, not per uEPG; stats are aggregated at base EPG level, not per uEPG.
118 Agenda
ACI Fundamentals Review
Micro Segmentation Fundamentals
ACI Group Based Policy Model
Deep dive into Micro EPG options
Demo #1 Applying IP-Based uEPGs to segment BM and VM
Demo #2 Using uSeg for Automated Application Deployment
119 Demo #1 EPG Classification based on IP Address
120 [Flexibly] Classify based on IP Subnet
Two subnets: one for the application virtual machines, one for the databases (virtual and physical).
Subnet /24: we want to ensure classification based on IP subnet, regardless of encapsulation.
Subnet /254: we want to keep maximum flexibility to group endpoints regardless of subnet.
121-122 ACI Logical Design
Single BD (ACME-BD) with two subnets: one /24 advertised and shared, one /24 private and shared. Subnet advertisement control: the DB subnet is not advertised.
Two base EPGs: Base EPG1 is mapped to the VMM domain, Base EPG2 to the VMM and Physical domains, as required. EPG1 and EPG2 are configured for intra-EPG isolation with proxy-ARP enabled, so no communication is allowed within the base EPGs.
uEPGs to classify on IP subnet: create one uEPG per subnet (match on IP subnet) and map each to the corresponding VMM and physical domains. uEPG net-41 matches the first /24 and is mapped to VMM; uEPG net-51 matches the second /24 and is mapped to VMM and Phys.
Endpoints connected to EPG1 and EPG2 whose IP address matches the subnets are placed in the correct uEPG and have connectivity. Endpoints with a wrong IP address have no connectivity at all.
123-127 ACI Logical Design - Details
Contracts are configured to allow access to shared services from the base EPGs and to let our provisioning system reach endpoints in the base EPGs; the isolated EPGs block all other communication.

Consumer   | Contract                            | Provider
EPG1, EPG2 | proxy-access (icmp, tcp/3128)       | ExternalAccess (tn-common)
EPG1, EPG2 | Ansible-Provisioning (icmp, tcp/22) | AnsibleServer (tn-common)

Base EPG1 (isolated) is mapped to the VMM domain; Base EPG2 (isolated) is mapped to the VMM and Physical domains. On the VMware VDS they appear as dvportgroup EPG1 and dvportgroup EPG2, and EPG2 is also present on the N9K leaf as vlan-1755 for the physical servers.
With the uEPGs in place, the same two contracts are consumed by EPG1, EPG2, net-41 and net-51: the web VMs land in uEPG net-41, while the db VMs and the physical SQL servers land in uEPG net-51.
The uEPG configuration does not use isolation, so traffic within a uEPG is allowed. Classification is done on IP, not on port group.
128 ACI Logical Design - Classification works across PODs
vCenter manages Cluster-01 across DC1 and DC2 (IP connectivity between the pods, L2/L3). The web VMs in uEPG net-41 and the db VMs and SQL servers in uEPG net-51 are classified the same way in both pods, on BD ACME-BD (one /24 advertised and shared, one /24 private and shared).
130 Demo #1 Summary
Decouple encapsulation configuration (port-to-VLAN, port group) from the actual workload segmentation.
Subnet-based segmentation with complete flexibility: select entire subnets, select individual IPs, etc.
Works across bare metal and virtualization (VMware and Microsoft today).
Combine with contracts to provide distributed L3-4 security.
131 Video and Ansible playbooks for demo #1
Ansible Playbooks:
Demo Video:
132 Demo #2 Using VM Attributes, IP EPGs and Automated deployments
133 Note: for this example we will use Ansible for automation. Similar automation can be accomplished using other tools and/or a Cloud Management Platform.
134 We will provision a simple PHP application that uses virtual machines and bare metal servers.
135 Acme's Application
CentOS VMs running a PHP app on Apache (HTTP), fronted by HAProxy with Keepalived (HTTPS), backed by a clustered SQL DB (SQL). The web and load balancer tiers are virtualized with VMware; the database runs on bare metal.
136 Acme's Application - Network Design
The FRONTEND and WEB tiers run as VMs and share the SERVER SUBNET; the physical SQL databases sit in the DB SUBNET.
Traffic between FRONTEND and WEB must be filtered. WEB applications require data from a DB running on a bare metal server.
White-list model approach to security (zero trust).
137 Basic ACI Design Constructs - Objects shared from the common tenant (tn-common)
We use a shared L3Out (External Access): a general external EPG for the default route, and a specific one (Proxy-Access, /32) for restricting access to the local proxy or repo (Squid-Proxy).
The Ansible Server's Ansible-Provision contract is exported as a Contract Interface, which automatically enables VRF leaking. Global contracts from tn-common (MyAcmeApp, proxy-access) are consumed by the user tenants.
138 Basic ACI Design Constructs - AcmeTenant (tn-acmetenant)
Web and LB VMs: base EPG ServerNetwork, programmed with intra-EPG isolation and mapped to the VMM domain, which creates the dvportgroup. BD: ACME-BD (/24, advertise, share).
Physical database servers: base EPG DBNetwork, programmed with intra-EPG isolation (if no flooding is required) and mapped to the PhysDom via static path or AEP. BD: DB-BD (/24, private, share).
Common tenant services (Monitoring, DHCP & DNS): BD INFRA-BD (/24, private, share).
139-141 Basic ACI Design Constructs - AcmeTenant Base Contracts
Ansible-Provisioning: exported from tn-common as a Contract Interface, consumed by all tenant EPGs; allows tcp/22 and ICMP.
proxy-access: global contract from tn-common, consumed by all EPGs; allows tcp/3128 and ICMP.
142-149 Demo Design - Lab Details (DC1, ACI POD1)
ACI leaf vPC pairs connect the Squid-Proxy, the Ansible Server, the physical DB servers (EPG DBNetwork, mapped to the Physical Domain) and the vSphere cluster on VMware VDS VMM-ACI-DC1 (dvportgroup ServerNetwork, EPG ServerNetwork (isolated), mapped to the VMM Domain). The Squid-Proxy is reached through the Proxy-Access external EPG (/32).

Consumer                 | Contract                            | Provider
ServerNetwork, DBNetwork | proxy-access (icmp, tcp/3128)       | Proxy-Access (tn-common)
ServerNetwork, DBNetwork | Ansible-Provisioning (icmp, tcp/22) | AnsibleServer (tn-common)
ServerNetwork, DBNetwork | DNS (udp/53, tcp/53)                | DNS
ServerNetwork, DBNetwork | NAGIOS (tcp/80, udp/162, udp/163)   | Monitoring
151-154 Deploying the New Application - using uEPG to classify workloads (1/3)
tn-acmetenant, BD ACME-BD (/24, advertise, share): uEPG FRONTEND with master (base EPG) ServerNetwork.
Intra EPG Isolation: Unenforced. Contract Master: ServerNetwork. Match Precedence: 100.
Selection is based on VM name; the high match precedence ensures the VM is not wrongly classified elsewhere.
155-158 Deploying the New Application - using uEPG to classify workloads (2/3)
tn-acmetenant, BD ACME-BD (/24, advertise, share): uEPG WEB-PROD with master ServerNetwork, next to uEPG FRONTEND.
Intra EPG Isolation: Enforced. Contract Master: ServerNetwork. Match Precedence: 10.
Classify a VM if it carries the tags app:myacmeapp, tier:web and env:prod AND runs in VMM-ACI-DC1.
159-162 Deploying the New Application - using uEPG to classify workloads (3/3)
tn-acmetenant: uEPG DB-PROD with master DBNetwork on BD DB-BD (/24, private, share), alongside uEPG FRONTEND and uEPG WEB-PROD (master ServerNetwork, BD ACME-BD /24, advertise, share).
Intra EPG Isolation: Enforced. Contract Master: DBNetwork. Match Precedence: 10.
163 Deploying the New Application - Leveraging Contract Inheritance
The uEPGs are configured to inherit contracts from their base EPG.
164 Deploying the New Application - Application specific contracts
Restrict access as required for each application tier.
165 Deploying the New Application - Handling HAProxy Redundancy
HAProxy redundancy uses Keepalived: a VIP address for the application, based on VRRP, which can work with unicast or multicast. We use unicast mode.
Both HAProxy VMs (ACTIVE and BACKUP, sharing the VIP) live in uEPG FRONTEND (master ServerNetwork). An intra-EPG contract allows IP protocol 112 (VRRP) between them.
166-174 Demo Design - Lab Details (DC1, ACI POD1) with the application uEPGs
Same lab as before: ACI leaf vPC pairs, Squid-Proxy, Ansible Server, VMware VDS VMM-ACI-DC1 with dvportgroup ServerNetwork, vSphere cluster. External access comes through the External-Access external EPG (/0). The new uEPGs are DB-PROD (bare metal) and FRONTEND and WEB-PROD (VMs on dvportgroup ServerNetwork).

Consumer                   | Contract                          | Provider
ExternalAccess (tn-common) | MyAcmeApp (icmp, tcp/80, tcp/443) | FRONTEND
ExternalAccess (tn-common) | HAPROXY-STATS (tcp/8181)          | FRONTEND
FRONTEND                   | KEEPALIVED-VRRP (ip-112)          | FRONTEND
FRONTEND                   | HTTP (tcp/80, icmp)               | WEB-PROD
WEB-PROD                   | MYSQL (tcp/3306, icmp)            | DB-PROD
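The contract table above, the isolated base EPGs and the contract inheritance from the master EPG can be modelled to check which flows the white-list actually permits. This Python model is added here as an illustration and is not APIC code; it assumes ACI's rule that an intra-EPG contract permits only its own filters within the EPG, and it assumes DBNetwork is isolated (the earlier slide makes that conditional on flooding).

```python
"""Toy model of the Demo #2 white-list: isolated base EPGs, uEPGs inheriting
contracts from their master EPG, and the intra-EPG VRRP contract.
Written for this page as an illustration; it is not APIC code."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple

# A flow is (protocol, destination port); the port is None where the filter has
# none: "icmp", or "ip-112" for IP protocol 112 (VRRP) as on the slide.
Flow = Tuple[str, Optional[int]]


@dataclass(frozen=True)
class Contract:
    name: str
    filters: FrozenSet[Flow]


@dataclass
class EPG:
    name: str
    isolated: bool = False                         # intra-EPG isolation enforced
    master: Optional[str] = None                   # contract master to inherit from
    provided: Set[str] = field(default_factory=set)
    consumed: Set[str] = field(default_factory=set)
    intra: Set[str] = field(default_factory=set)   # intra-EPG contracts


class Fabric:
    def __init__(self, contracts: List[Contract], epgs: List[EPG]):
        self.contracts = {c.name: c for c in contracts}
        self.epgs = {e.name: e for e in epgs}

    def _effective(self, epg_name: str, role: str) -> Set[str]:
        """Contract inheritance: an EPG's provided/consumed contracts are its
        own plus those of its contract master, recursively."""
        epg = self.epgs[epg_name]
        names = set(getattr(epg, role))
        if epg.master:
            names |= self._effective(epg.master, role)
        return names

    def _permits(self, contract_names: Set[str], flow: Flow) -> bool:
        return any(flow in self.contracts[c].filters for c in contract_names)

    def allowed(self, src: str, dst: str, flow: Flow) -> bool:
        """White-list model: a flow passes only if some contract consumed by src
        and provided by dst carries a matching filter. Inside one EPG an
        intra-EPG contract permits only its own filters; otherwise isolation
        decides between nothing and everything."""
        if src == dst:
            epg = self.epgs[src]
            if epg.intra:
                return self._permits(epg.intra, flow)
            return not epg.isolated
        common = self._effective(src, "consumed") & self._effective(dst, "provided")
        return self._permits(common, flow)


def demo2_fabric() -> Fabric:
    """The contracts and EPGs from the Demo #2 slides."""
    def c(name: str, *flows: Flow) -> Contract:
        return Contract(name, frozenset(flows))

    contracts = [
        c("proxy-access", ("icmp", None), ("tcp", 3128)),
        c("Ansible-Provisioning", ("icmp", None), ("tcp", 22)),
        c("DNS", ("udp", 53), ("tcp", 53)),
        c("NAGIOS", ("tcp", 80), ("udp", 162), ("udp", 163)),
        c("MyAcmeApp", ("icmp", None), ("tcp", 80), ("tcp", 443)),
        c("HAPROXY-STATS", ("tcp", 8181)),
        c("KEEPALIVED-VRRP", ("ip-112", None)),
        c("HTTP", ("tcp", 80), ("icmp", None)),
        c("MYSQL", ("tcp", 3306), ("icmp", None)),
    ]
    shared = {"proxy-access", "Ansible-Provisioning", "DNS", "NAGIOS"}
    epgs = [
        # Base EPGs consuming the shared services; DBNetwork isolation is assumed.
        EPG("ServerNetwork", isolated=True, consumed=set(shared)),
        EPG("DBNetwork", isolated=True, consumed=set(shared)),
        # Providers in tn-common and the common-services BD.
        EPG("Proxy-Access", provided={"proxy-access"}),
        EPG("AnsibleServer", provided={"Ansible-Provisioning"}),
        EPG("DNS", provided={"DNS"}),
        EPG("Monitoring", provided={"NAGIOS"}),
        EPG("ExternalAccess", consumed={"MyAcmeApp", "HAPROXY-STATS"}),
        # Application uEPGs, inheriting the base EPG contracts via their master.
        EPG("FRONTEND", master="ServerNetwork", consumed={"HTTP"},
            provided={"MyAcmeApp", "HAPROXY-STATS"}, intra={"KEEPALIVED-VRRP"}),
        EPG("WEB-PROD", isolated=True, master="ServerNetwork",
            consumed={"MYSQL"}, provided={"HTTP"}),
        EPG("DB-PROD", isolated=True, master="DBNetwork", provided={"MYSQL"}),
    ]
    return Fabric(contracts, epgs)
```

`demo2_fabric().allowed("WEB-PROD", "DB-PROD", ("tcp", 3306))` is the only path into the database; the same call with tcp/22 is denied, while tcp/22 from WEB-PROD to the Ansible server passes through the inherited Ansible-Provisioning contract.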
176 Let s see how this extends to more than one DC with Multi-POD DC1 ACI POD1 IP connectivity DC2 ACI POD2 Proxy-Access /32 VMware VDS (VMM-ACI-DC1) dvportgroup ServerNetwork uepg: FRONTEND Master: ServerNetwork uepg: WEB-PROD Master: ServerNetwork vcenter-dc1 vcenter-dc2 vsphere CLUSTER DEV VMware VDS (VMM-ACI-DC2) dvportgroup ServerNetwork BD: ACME-BD /24, advertise, share BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 177
177 We can launch VMs on DC2 that are connected to the same ServerNetwork, have same policies DC1 ACI POD1 IP connectivity DC2 ACI POD2 Ansible Server Proxy-Access /32 VMware VDS (VMM-ACI-DC1) dvportgroup ServerNetwork uepg: FRONTEND Master: ServerNetwork uepg: WEB-PROD Master: ServerNetwork vcenter-dc1 vcenter-dc2 vsphere CLUSTER DEV VMware VDS (VMM-ACI-DC2) dvportgroup ServerNetwork EPG: ServerNetwork (isolated) Mapped to VMM Domain BD: ACME-BD /24, advertise, share BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 178
178 We can create new uepgs to allow specific policies for our development environment DC1 ACI POD1 IP connectivity DC2 ACI POD2 Proxy-Access /32 VMware VDS (VMM-ACI-DC1) dvportgroup ServerNetwork uepg: FRONTEND Master: ServerNetwork uepg: WEB-PROD Master: ServerNetwork vcenter-dc1 vcenter-dc2 vsphere CLUSTER DEV VMware VDS (VMM-ACI-DC2) dvportgroup ServerNetwork uepg: WEB-DV Master: ServerNetwork BD: ACME-BD /24, advertise, share BRKACI Cisco and/or its affiliates. All rights reserved. Cisco Public 179
179 We can create new uEPGs to allow specific policies for our development environment. [Diagram: DC1 (ACI POD1) and DC2 (ACI POD2) joined by IP connectivity; Proxy-Access /32; VMware VDS VMM-ACI-DC1 with dvportgroup ServerNetwork carrying uEPG FRONTEND and uEPG WEB-PROD (master: ServerNetwork); VMware VDS VMM-ACI-DC2 with dvportgroup ServerNetwork carrying uEPG WEB-DV (master: ServerNetwork); vcenter-dc1, vcenter-dc2, vSphere CLUSTER DEV; BD ACME-BD /24, advertise, share]
180 When development is completed, we can TAG the VM to go into production.
181 Promote the workload into production by setting the right VM attributes and vMotion to the right cluster.
183 When the VM has all the correct attributes AND moves to DC1, it goes into production.
184 The load balancer can be updated by the orchestrator and/or pull endpoints from the uEPG.
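The promotion flow on the slides above (VM attributes must all match AND the VM must be running under the DC1 VMM domain) and the load-balancer update that pulls endpoints from the uEPG, as an added example that is not code from this deck or its Ansible demo: it builds the WEB-PROD uEPG as an APIC REST payload (fvAEPg with fvCrtrn/fvVmAttr criteria, fvRsDomAtt to the VMM domain and fvRsSecInherited as the "EPG contract master") and turns an fvCEp endpoint query into a pool-member list. Tenant ACME, application profile ACME-AP, the VM tag category "env", the APIC URL and the sample endpoint response are assumptions or constructed; EPG, BD and VMM domain names come from the slide diagram.

```python
"""Added example (not from the BRKACI-2301 deck or its Ansible playbooks):
build the WEB-PROD uSeg EPG from the slides as an APIC REST payload and
extract its endpoints for a load-balancer pool.

Assumptions: tenant ACME, application profile ACME-AP, VM tag category
"env", APIC URL. EPG/BD/VMM domain names are taken from the slide diagram.
"""
import json
import ssl
import urllib.request

APIC_URL = "https://apic.example.invalid"   # assumed; point at your APIC
TENANT = "ACME"                             # assumed tenant name
AP = "ACME-AP"                              # assumed application profile


def vm_attr(name, attr_type, value, operator="equals", **extra):
    """One fvVmAttr criterion. For type 'tag' pass category=..., for
    'custom-label' pass labelName=...; operator may also be contains,
    startsWith or endsWith."""
    attrs = {"name": name, "type": attr_type, "operator": operator, "value": value}
    attrs.update(extra)
    return {"fvVmAttr": {"attributes": attrs}}


def useg_epg(name, bd, master_epg, vmm_domain, criteria, match="all"):
    """fvAEPg payload for an attribute-based (uSeg) EPG.

    match="all" means every criterion must hold (the AND on the slide).
    The fvRsDomAtt to a single VMM domain means a VM is classified here only
    while it runs under that vCenter, i.e. after the vMotion to DC1.
    """
    children = [
        {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
        {"fvRsDomAtt": {"attributes": {
            "tDn": f"uni/vmmp-VMware/dom-{vmm_domain}",
            "instrImedcy": "immediate", "resImedcy": "immediate"}}},
        # "Master: ServerNetwork" on the slide: inherit contracts from the base EPG
        {"fvRsSecInherited": {"attributes": {
            "tDn": f"uni/tn-{TENANT}/ap-{AP}/epg-{master_epg}"}}},
        {"fvCrtrn": {"attributes": {"name": "default", "match": match,
                                    "scope": "scope-bd"},
                     "children": list(criteria)}},
    ]
    return {"fvAEPg": {"attributes": {"name": name, "isAttrBasedEPg": "yes"},
                       "children": children}}


def web_prod_epg():
    """WEB-PROD uEPG: tag env=prod AND VM name starting with 'web', scoped to
    the DC1 VMM domain, contracts inherited from ServerNetwork."""
    criteria = [
        vm_attr("env-prod", "tag", "prod", category="env"),   # assumed tag category
        vm_attr("web-name", "vm-name", "web", operator="startsWith"),
    ]
    return useg_epg("WEB-PROD", "ACME-BD", "ServerNetwork", "VMM-ACI-DC1", criteria)


def endpoint_ips(fv_cep_response):
    """IPs of the endpoints currently classified into a uEPG, as an orchestrator
    would feed them into a load-balancer pool. MAC-only learns (ip 0.0.0.0)
    are skipped; duplicates are dropped and the order is kept."""
    seen, ips = set(), []
    for item in fv_cep_response.get("imdata", []):
        ip = item.get("fvCEp", {}).get("attributes", {}).get("ip", "0.0.0.0")
        if ip != "0.0.0.0" and ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips


# Constructed sample of what GET .../epg-WEB-PROD.json?query-target=subtree
# &target-subtree-class=fvCEp returns: two VMs plus one MAC-only learn.
SAMPLE_FV_CEP = {"totalCount": "3", "imdata": [
    {"fvCEp": {"attributes": {"ip": "10.10.10.21", "mac": "00:50:56:AA:00:21"}}},
    {"fvCEp": {"attributes": {"ip": "10.10.10.22", "mac": "00:50:56:AA:00:22"}}},
    {"fvCEp": {"attributes": {"ip": "0.0.0.0", "mac": "00:50:56:AA:00:23"}}},
]}


def push_epg(payload, user, pwd):
    """Log in (aaaLogin) and POST the EPG under the application profile.
    Network call against APIC_URL; not exercised by the checks below."""
    ctx = ssl.create_default_context()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(), urllib.request.HTTPSHandler(context=ctx))
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    opener.open(urllib.request.Request(f"{APIC_URL}/api/aaaLogin.json", data=login))
    url = f"{APIC_URL}/api/mo/uni/tn-{TENANT}/ap-{AP}.json"
    with opener.open(urllib.request.Request(url, data=json.dumps(payload).encode())) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    print(json.dumps(web_prod_epg(), indent=2))
    print("LB pool members:", endpoint_ips(SAMPLE_FV_CEP))
```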
186 Demo #2 Summary: Benefits of ACI Micro Segmentation Combined with Automation
Leverage programmable network virtualization and policy to perform complete automation of application rollouts.
Seamless segmentation for bare metal and virtual: no bottlenecks.
Use the automation tools of your choice; the demo uses open source Ansible.
The orchestration layer needs minimal network knowledge.
Works for Microsoft SCVMM, VMware vCenter and bare metal today.
The network admin maintains full visibility.
187 Video and Ansible playbooks for demo #2. Ansible Playbooks: Demo Videos: Video Video Video
188 Reflect for a moment on how you would accomplish the same thing if running a traditional network.
189 By using ACI, the Ansible playbook has no need to keep details of any rack, any switch, any port, any VLAN, any IP address.
190 ACI enables micro segmentation that you can deploy in a gradual and flexible way.
191 Some people will do static configurations using the GUI or the NX-OS CLI
192 and others will use automation tools.
193 But you can certainly do a bit of both.
196 Please complete your Online Session Evaluations after each session. Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations. Complete Your Online Session Evaluation. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at