Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture
2 BRKSEC-2980: Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture. David Jansen, CCIE #5952, DSE
3 Cisco Spark: Questions? Use Cisco Spark to communicate with the speaker after the session.
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brksec
Cisco and/or its affiliates. All rights reserved. Cisco Public
4 Abstract: Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture [BRKSEC-2980]
This session will introduce a hybrid multi-cloud design with workloads deployed in a combination of on-premises DCs and colocation-facility-based cloud hubs, with access to public IaaS services and SaaS-based applications. We will introduce embedded, fabric-based network security services using multi-tenancy, network segmentation, and micro-segmentation to provide security controls. We will expand fabric-provided security to incorporate attached L4-L7 stateful security services for more rigorous compliance and regulatory requirements. Finally, we will review protecting cloud-based workloads, creating cloud aggregation transit security hubs, and using virtualized security services (VNFs).
The goal is to outline a security framework architecture that highlights the 5-6 critical security technologies customers should be factoring into design, architecture, and services to most effectively protect themselves. Employing this foundational blueprint across Campus, on-premises DC and cloud workloads will enable customers to add more specialized security capabilities and services in the future to further strengthen their aggregate posture.
Included in this design and covered in this session are the following key technology pillars, which represent the security baseline:
- Identity management
- Segmentation & multi-tenancy
- Visibility & telemetry
- Next-generation FW / malware defense
- Cloud broker / data protection
- Security & policy communications
5 David Jansen, CCIE #5952, Distinguished System Engineer (DSE), Global Enterprise Segment Platforms
6 Home is: Michigan. Season in Michigan is? Winter, where it has been 25 degrees F, which is about -32 C. Michigan is known for? But most importantly: (picture slide)
7 Reference Sessions
- BRKSEC-2048: Demystifying ACI Security
- BRKSEC-2059: Deploying ISE in a Dynamic Environment
- BRKSEC-3699: Designing ISE for Scale & High Availability
- BRKSEC-3229: ISE under the magnifying glass: how to troubleshoot ISE
8 Agenda
- Problem Statement + Intro
- Data Center / co-lo / Cloud
- Campus / Branch
- Data Center + Campus / Branch
- Extending Policy to Public IaaS: Transit VPC with TrustSec; Cisco Cloud Policy Platform (CPP); ACI Anywhere; Policy Discovery, Visibility and Enforcement with Tetration
- Putting it all together
- Q&A
9 Problem Statement
- There are a multitude of domains at play in modern IT infrastructure.
- Historically, domains have been totally independent and not federated.
- Operations need to move towards a consolidated view with federated information across the different policy domains.
10 Where should you start?
- Business case: regulatory requirements (PCI, HIPAA, Gov't, BSI, SSI) result in segmentation (put scope around the segmentation).
- Exec sponsor: you have to have one.
- Start with a PIN vs. a use-case; i.e. do you start at the DC first, or do you start with the users?
- What tools do you have to help with the process? "Help me deploy segmentation w/o being fired."
11 Who defines the policy?
- Compliance / Policy (Risk Management (IRM))
- SecOps
- DevOps
- NetOps
12 The Goal: to build an end-to-end architecture, Branch to Campus/WAN to DC/Cloud, resulting in:
- End-to-end visibility
- End-to-end segmentation
- End-to-end policy across infrastructure, users/devices groups, security services groups, and applications/data
- Normalized policy constructs used across multiple domains
13 Group-Based Policy Domains
- Cloud environments and vendor-specific domains are increasingly using group-based policies.
- However, group membership is not shared between domains, and policy domains are managed independently (increased Opex).
- Group constructs in the diagram: ACI Endpoint Groups (EPG), ISE/TrustSec Security Group Tags (SGT), Tetration Analytics Platform clusters, port groups, firewall object groups / secure groups, StealthWatch host-groups, cloud security groups / network security groups.
14 All of the Components: Level Set
- Policy definition: Cisco Tetration Analytics Platform, APIC.
- Policy consumption / enforcement: Cisco Tetration Analytics Platform, APIC, Stealthwatch, Cloud Policy Platform.
15 Data Center
16 Where are the Applications / Data being deployed?
(diagram: three deployment models, Private First, Cloud First (Hybrid) and Cloud All-In; placement across Private DC, Neutral Facility (colocation), DMZ, Public Cloud and Internet SaaS for Employee, Red Badge, Vendor, Partner and Customer users; one model shows a ~50% / ~50% split of apps between DC and cloud/SaaS)
17 ACI Fabric Overview
(diagram: Outside, Web, App and DB EPGs, each with a QoS policy; an LB service policy between Outside and Web and a FW service policy between App and DB; access policy toward Intranet / WAN / Campus, Extranet and Internet; APIC controller cluster)
18 ACI Policy Model
- Tenant (CiscoLive Barcelona) contains Contexts (VRF A, VRF B).
- Each Context contains Bridge Domains (BD) with Subnets (Subnet A, Subnet B).
- EPGs (EPG A, EPG B, EPG C) are attached to Bridge Domains; EPG = group of applications.
19 Network Centric Mode: VLAN = EPG (EPG-A, EPG-B, ... EPG-n, each with its endpoints)
- Connect non-ACI networks to ACI leaf nodes.
- Connect at L2 with VLAN trunks (802.1Q).
- Objective: map VLANs to EPGs, extend the policy model to non-ACI networks.
20 ACI Policy Model: EPG-to-EPG Communication (Zero Trust Security Model)
(diagram: EPG-A provides policies, EPG-n consumes policies; contract: Allow HTTP, Allow ICMP)
- Need to define a Contract (Policy).
- A contract is used to specify the interaction between two EPGs, a provider/consumer pair.
- The goal is to provide a global policy view that focuses on improving automation and scalability.
- You have the option to change the default from white-list to Unenforced VRFs (IP any any).
21 ACI Policy Model: uEPG Communication (Zero Trust Security Model)
(diagram: a uEPG of bare-metal (BM) endpoints providing and consuming policies; contract: Allow HTTP, Allow ICMP)
- Need to define a Contract (Policy).
- A contract is used to specify the interaction within a uEPG, a provider/consumer pair.
- The goal is to provide a global policy view that focuses on improving automation and scalability.
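The contract model on slides 20 and 21, as an added example that is not part of the session or of Cisco's APIC tooling: the Python below builds the APIC JSON tree for the slide 20 contract (EPG-n consumes, EPG-A provides, Allow HTTP and Allow ICMP) and then evaluates flows against that white-list model, including the Unenforced VRF option the slide mentions. Tenant, VRF, application profile, filter and contract names are constructed; the class and attribute names are the ACI object model, and the bridge-domain binding of the EPGs is left out for brevity.

```python
import json

# Filter entries for the slide 20 contract: (filter name, IP protocol, destination port or None).
# Filter names are ours; protocol and port values are what ACI accepts in a vzEntry.
FILTERS = [("allow-http", "tcp", "80"), ("allow-icmp", "icmp", None)]


def build_tenant_payload(tenant, vrf, provider, consumer, contract, enforced=True):
    """Return the fvTenant JSON tree that would be POSTed to APIC at /api/mo/uni.json.

    Class and attribute names (fvTenant, fvCtx/pcEnfPref, vzFilter, vzEntry, vzBrCP,
    vzSubj, vzRsSubjFiltAtt, fvAp, fvAEPg, fvRsProv, fvRsCons) are the ACI object
    model; every value passed in is illustrative. fvRsBd (EPG to bridge domain) is omitted.
    """
    filters = []
    for name, proto, dport in FILTERS:
        entry = {"name": name, "etherT": "ip", "prot": proto}
        if dport is not None:
            entry.update({"dFromPort": dport, "dToPort": dport})
        filters.append({"vzFilter": {"attributes": {"name": name},
                                     "children": [{"vzEntry": {"attributes": entry}}]}})
    subject = {"vzSubj": {"attributes": {"name": "subj"}, "children": [
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": name}}} for name, _, _ in FILTERS]}}
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        # pcEnfPref=unenforced is the "IP any any" option from slide 20: contracts are ignored.
        {"fvCtx": {"attributes": {"name": vrf,
                                  "pcEnfPref": "enforced" if enforced else "unenforced"}}},
        *filters,
        {"vzBrCP": {"attributes": {"name": contract, "scope": "context"},
                    "children": [subject]}},
        {"fvAp": {"attributes": {"name": "app"}, "children": [
            {"fvAEPg": {"attributes": {"name": provider}, "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": contract}}}]}},
            {"fvAEPg": {"attributes": {"name": consumer}, "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": contract}}}]}}]}}]}}


def is_permitted(payload, src_epg, dst_epg, proto, dport=None):
    """White-list evaluation of the tree built above.

    Same-EPG traffic is allowed by default, an unenforced VRF allows everything, and
    otherwise the consumer may initiate to the provider only on a filter entry of a
    contract that the consumer consumes and the provider provides.
    """
    tenant = payload["fvTenant"]["children"]
    ctx = next(c["fvCtx"]["attributes"] for c in tenant if "fvCtx" in c)
    if ctx["pcEnfPref"] == "unenforced" or src_epg == dst_epg:
        return True
    filters = {c["vzFilter"]["attributes"]["name"]:
               [e["vzEntry"]["attributes"] for e in c["vzFilter"]["children"]]
               for c in tenant if "vzFilter" in c}
    contracts = {c["vzBrCP"]["attributes"]["name"]:
                 [r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                  for s in c["vzBrCP"]["children"] for r in s["vzSubj"]["children"]]
                 for c in tenant if "vzBrCP" in c}
    epgs = {}
    for c in tenant:
        if "fvAp" in c:
            for e in c["fvAp"]["children"]:
                epgs[e["fvAEPg"]["attributes"]["name"]] = e["fvAEPg"]["children"]

    def contracts_of(epg, relation):
        return {r[relation]["attributes"]["tnVzBrCPName"]
                for r in epgs.get(epg, []) if relation in r}

    # Only contracts shared as consumer (source) and provider (destination) count.
    for name in contracts_of(src_epg, "fvRsCons") & contracts_of(dst_epg, "fvRsProv"):
        for fname in contracts[name]:
            for entry in filters[fname]:
                # An entry without dFromPort (ICMP here) matches any port.
                if entry["prot"] == proto and entry.get("dFromPort", dport) == dport:
                    return True
    return False  # default deny: nothing in the white-list matched


if __name__ == "__main__":
    tree = build_tenant_payload("CiscoLive", "VRF-A", "EPG-A", "EPG-n", "web-contract")
    print(json.dumps(tree, indent=2))
    print("EPG-n -> EPG-A tcp/80:", is_permitted(tree, "EPG-n", "EPG-A", "tcp", "80"))
    print("EPG-n -> EPG-A tcp/443:", is_permitted(tree, "EPG-n", "EPG-A", "tcp", "443"))
```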
22 Campus / Branch
23 ISE/SDA/TrustSec Policy Types (DNA-C + SDA)
- Access Policy (ISE): authentication & authorization; who goes in which group, based on which criteria; authentication methods.
- Access Control Policy (TrustSec): who can access what; rules for cross-group access; permit/deny group to group.
24 SD-Access High-Level Topology
(diagram: Internet / WAN; fabric border node; fabric core intermediate nodes; fabric aggregation intermediate node; fabric edge nodes)
25 SDA/TrustSec Policy Model
- Virtual Network (VRF A) with Subnet A; Virtual Network (VRF B) with Subnet B.
- Classification by VLAN, interface or host IP/32 into SGT A, SGT B, SGT C.
- SGT = group of users.
26 Cisco SDA (TrustSec): simplified access control with group-based policy
- Classification: static or dynamic SGT assignments at the access node (ISE).
- Propagation: carry group context through the fabric using only the SGT.
- Enforcement: the border node or firewall applies group-based policies (ACLs, firewall rules) in front of shared services and application servers; enforcement points receive policy only for what is connected.
(diagram tags: Employee, Supplier, Non-Compliant, Voice; VLAN A, VLAN B)
27 SDA Access Control: Two-Level Hierarchy, Macro Level
- Virtual Network (VN): first level of segmentation that ensures zero communication between specific groups.
- Ability to consolidate multiple networks into one management plane.
- Example: Building Management VN, Campus Users VN.
28 SDA Access Control: Two-Level Hierarchy, Micro Level
- Scalable Group (SG): second level of segmentation that ensures role-based access control between two groups within a Virtual Network.
- Provides the ability to segment the network into either lines of business or functional blocks.
- Example SGs: Finance SG, Network SG, Employee SG within the Building Management VN and Campus Users VN.
- Can also write a policy such as: sgt1 <-> sgt1 = deny ip
29 Data Center + Campus/Branch
30 ISE/TrustSec/SDA + APIC: Identity
(diagram: APIC and ISE exchanging identity)
31 Enabling Group-Based Policies Across the Enterprise
Goal: consistent security policy, with groups and identity shared between the TrustSec and ACI domains.
- Allow TrustSec security groups to be used in ACI policies.
- Allow ACI EndPoint Groups to be used in policies across the Enterprise.
- Simplified management of security appliances using both TrustSec and ACI classifications.
(diagram: TrustSec Policy Domain (ISE 2.1) covering Campus / Branch / Non-ACI DC with Voice, Employee, Supplier and BYOD groups on Voice and Data VLANs; APIC Policy Domain covering the Data Center ACI Fabric with Web, App and DB EPGs)
32 Enabling Group-Based Policies Across the Enterprise
(diagram: shared policy groups between the TrustSec domain (SG-FW, SG-ACL) and the APIC domain (Contract); same groups and EPGs as slide 31)
33 TrustSec/SDA SGT Info Used in ACI Policies
- Controller layer: ISE exchanges the SGT name (Auditor) with APIC; the SGT binding becomes an EPG named Auditor, a member of the PCI group.
- Network layer: traffic carries SGT 5 across the Campus Fabric, then crosses as plain Ethernet/IP to the ACI Border Leaf (N9K), ACI Spine (N9K) and ACI Leaf (N9K), where the EPG is applied.
- Result: Scalable Groups are available in ACI policies.
34 ACI EPG Info Used in SDA/TrustSec Policies
- Controller layer: ISE retrieves the EPG name (PCI EPG) and its endpoints from APIC; the mappings (Auditor, PCI EPG, PCI EPG endpoint) are propagated with SXP.
- Network layer: traffic from the ACI Border Leaf (N9K) crosses as plain Ethernet/IP into the Campus Fabric, where the SGT Auditor is applied; retrieved groups: Auditor, PCI EPG.
- Result: Endpoint Groups are available in TrustSec policies.
35 Firewall Deployment Option(s): Single VN, Endpoint to Application
- SGT in Campus/WAN, with SGT in-line tagging (optional); Scalable Group Tags on the campus side, ACI EPGs on the DC side.
- The firewall learns IP address to SGT mappings (PCI Users, LOB2 Users, PCI_DB, PCI_App_EPG) via SXP/pxGrid from ISE.
- SGFW rule: SGT PCI_Users, DGT PCI_App, permit ip.
(diagram: source in SGT 5 / PCI_Users, destination PCI_App)
36 Problem Statement: DC Automation != Security Automation (Customer Deployment Example)
- A large global company has 200+ perimeter firewalls managed by a firewall console external to ACI.
- ACI is being used to instantiate applications that are consumed by business partners.
- Each time an application was enabled in ACI via automation, there was no automation of the fact that a new workload needed to be represented in the firewall console for the 200+ perimeter firewalls.
- Hence a fallback to a manual process had to be invoked to enable firewall policies on the 200+ perimeter firewalls.
- DC Automation did not equal Security Automation.
37 TrustSec/ACI Interop = Security Automation (Customer Deployment Example)
- ACI automation of applications triggers learning of the IP/EPG, which is shared with ISE.
- ISE maps the IP/EPG to SGTs.
- These SGTs are then shared with the firewalls via pxGrid; the firewalls are updated with the new IP/SGT(EPG) and policy is invoked automatically.
- IP/SGT(EPG) is also shared with Stealthwatch (SGT-aware).
- TrustSec/ACI interoperability via ISE = Security Automation: ACI EPGs are now relevant to the 200+ perimeter firewalls.
(diagram: ACI group info (www, Web, Prod App, Dev App, PCI App, Database) shared using Security Group Tags alongside campus groups Supplier1, Supplier2, Joint Venture1, Voice, Employee, Non-Compliant, Development, BYOD)
38 Extending Policy to Public IaaS
39 Agenda: Extending Policy to Public IaaS
- Enabling group-based policies with AWS
- Cisco Cloud Policy Platform (CPP)
- ACI Anywhere
- Tetration policy discovery, visibility and enforcement
- Putting it all together
40 Enabling Group-based Policies with AWS
(diagram: CSR and NGFWv pairs in AWS, with ISE)
41 Extending Policy & Control into AWS: leverage Security Group Tags (SGT) within the AWS Transit VPC environment
- Today: configure SGTs and ISE controls on the CSRv/ASAv within the AWS Transit VPC environment. Then manually create policy groups within ISE to test managing segmentation and control between VPCs.
- Roadmap: leverage CPP to import AWS Transit VPC security groups into ISE dynamically instead of manually creating policy groups.
42 AWS Transit VPC: Simplifying Segmentation and Control
- Control traffic between VPCs; simplify security configurations; scale security group control; single control point.
- Control access to spoke VPCs based on SGTs, with policy enforcement within the Transit VPC hub CSRvs.
(diagram: spoke VPC1 App 1 (Dev VPC tag), VPC2 App 2 (Prod VPC tag) and VPC3 App 3 (Cisco Live tag) peered via dynamic routing to a Transit VPC across AZ1/AZ2, connected by Direct Connect to the Data Center with ISE for identity & access control; policy matrix for the Employee, Developer, Guest and Non-Compliant tags against App 1/2/3)
43-44 AWS Transit VPC: Simplifying Segmentation and Control (two build slides of the same diagram)
- Control traffic between VPCs; simplify security configurations; scale security group control; single control point.
- Secure Internet breakout by enabling Snort IPS on the CSR.
- Control spoke to spoke, user to app, app to app, and Internet access.
(diagram: Dev (VPC1), Prod (VPC2) and CiscoLive (VPC3) /16 VPCs peered to the Transit VPC (CSR1, CSR2, Internet) across AZ1/AZ2; Direct Connect via an ASR to the Data Center /16 with ISE; Employee and Developer tags)
45 Cisco Cloud Policy Platform (CPP)
46 Enabling Group-based Policies across the Enterprise
Goal: share group information between cloud domains and the Enterprise to simplify policy management.
- Share classifications to reduce SecOps effort, deliver consistency and simplify audit tasks.
- Enable adoption of different cloud environments without duplicating group policy management.
(diagram: Cloud Policy Platform exchanging groups with DNA-C/ISE (Enterprise Security Groups), APIC (ACI EndPoint Groups) and ODL (Groups Available); status labels: In Progress, Future, Future)
47 Campus User to Cloud Access Control: Typical Scenarios
- Policy enforced in the enterprise network OR in the cloud (virtual firewall or SGACL-capable virtual routers, e.g. ASAv, CSR-1000v, ISRv, FTD).
- Cloud groups: AWS Security Groups and Azure Network Security Groups (Prod App, Dev App).
- Avoids policy changes as new workloads are provisioned in clouds.
(diagram: ISE enterprise policy domain with Employee, Developer, Guest, Non-Compliant and Voice tags; policy matrix for Dev Apps and Prod Apps)
48 Define Classification Policy
- AWS attributes (AWS tags, Security Groups); info rendered to the Cisco network as SGTs.
49 Using Group Information From CPP
- In ISE.
- In security appliances, for workloads in hybrid cloud and on premise.
50 ACI Anywhere
51 ACI Anywhere: Vision
- Any workload, any location, any cloud: Remote PoD, Multi-Pod / Multi-Site, Hybrid Cloud Extension over IP WAN.
- Security everywhere, analytics everywhere, policy everywhere.
(diagram: Remote Location, On Premise, Public Cloud)
52 ACI Anywhere Multi-Cloud (Future)
- Multisite Orchestrator across Site 1 and Site 2 over an IP network.
- Consistent policy enforcement on-prem & in the public cloud.
- Automated inter-connect provisioning.
- Simplified operations with end-to-end visibility.
53 Policy Discovery, Visibility and Enforcement with Tetration
54 Enabling Group-based Policies across the Enterprise (Cisco Tetration Analytics Platform)
- Raw data sources (flow information): Tetration software agents; ERSPAN / out-of-band sensor; Tetration hardware agents (Nx9k); Netflow (v9 & IPFIX).
- Policy sources: zero-knowledge (dynamic discovery); firewalls; ACI; ISE; AlgoSec / Tufin; CMDB.
55 Enabling Group-based Policy Discovery
(diagram: Cisco Tetration Analytics Platform and APIC)
56 Security Challenges in Current Data Centers: Brownfields / Cloud Migrations
- How to define a Zero-Trust model for my current applications? Application-dependency mapping; discovery plane.
- How to rapidly deploy that model into ACI? Contracts, filters, EPGs.
57 Current Network-Centric Deployments
- Unenforced VRFs; one EPG per VLAN (EPG: Vlan 10, Vlan 20, Vlan 30, Vlan 31, Vlan 32, Vlan 33, Vlan 40), each with bare-metal (BM) hosts.
- VLAN10 == BD10 == EPG10
58 Tetration Analysis: Dependency Mapping
(diagram: network-centric VLAN 10, VLAN 20 and VLAN 30 with contracts (C) between them, analysed by the Tetration Analytics Engine into application-centric Web, App and DB with contracts)
59 Application Centric Deployments: Inter-EPG
(diagram: Application X with Web App1, Web App2, Web App3, Image Servers, Shared Services and Database EPGs of bare-metal hosts; contracts (C) between EPGs)
60 Application Centric Deployments: Inter- and Intra-EPG Enforcement
(diagram: as slide 59, with contracts also applied within EPGs)
61 Policy Is Imported, Massaged and Enforced on ACI
(diagram: Tetration policy flowing into ACI)
62 Pervasive Enforcement
- The Tetration agent enforces zero-trust white-list policy through native endpoint firewalls: IPSets / IPTables and Windows Firewall.
- Covers public cloud, bare metal and virtual workloads, Cisco ACI* and traditional network*.
63 Tetration Identity with ISE
64 Tetration Identity with ISE provides the following benefits:
- IP to SGT / IP to SGT/User mappings: give context to flows in a single interface.
- Dynamic mappings: support for shared devices where the user changes.
- Flow search by username, group or SGT: what were the connections from user X?
- ADM maps reflecting SGT tags: which devices or users are accessing the right applications.
- ISE publishes updates over the pxGrid message bus; Tetration consumes this message bus and annotates the hosts / endpoints provided by ISE.
65 ISE Provides Campus Identity to Tetration
1) The sensor endpoint is sending telemetry data (software sensor on the applications/data side).
2) The endpoint also authenticates with ISE, which notifies our identity repository via pxGrid (users via pxGrid).
3) Tetration merges the two streams and outputs dynamically generated policy.
- Example: User Tony, SGT 16 (Doctors), App Patient-Data (EPG). Enforced policies for User Tony or SGT:16=Doctors: may access patient records; may not access employee data.
66 Policy Enforcement
- User / SGT based policy enforcement leveraging the Software Enforcement Agent (server side).
67 User to Application: Inter-EPG
(diagram: L3Out External EPGs Employee and Doctors; Web Server Farm, Middleware (ie. J), DB Servers; Image Servers, patient-data, Imaging Database; contracts (C) permit Doctors to patient-data while the Employee paths are blocked (X))
68 How Does It Work? Tetration automatically converts your intent into black- and white-list rules.
Intent -> Rules:
- Block non-production apps talking to production apps -> SOURCE /8 DEST /8
- Allow Doctors apps to access patient-data -> SOURCE /24 DEST /24
- Block all HTTP connections that are not destined to web servers -> SOURCE * DEST /24 PORT = 80; SOURCE * DEST * PORT = 80
69 Using Tetration to Drive FW/ASA Configuration
- Whitelist policy recommendation (available in JSON, XML, and YAML):
    {
      "src_name": "External",
      "dst_name": "Domain Controllers",
      "whitelist": [
        { "port": [0, 0], "proto": 1, "action": "ALLOW" },
        { "port": [389, 389], "proto": 6, "action": "ALLOW" },
        { "port": [445, 445], "proto": 6, "action": "ALLOW" }
      ]
    }
- Standard Tetration whitelist policy is filtered for firewall zones and converted to ASA ACL format by a Python script.
- Validated whitelist ASA config (converted from JSON):
    object network Domain_Controllers
     host
     host
    object network MSSQL_Database
     host
     host
    !
    access-list ACL_IN extended permit TCP any object Domain_Controllers eq ldap
    access-list ACL_IN extended permit TCP any object Domain_Controllers eq 445
    access-list ACL_IN extended permit UDP any object MSSQL_Database eq
70 Using Tetration to Drive ASA Configuration
    object-group network DB
     host
     host
     host
- These are clusters that have been discovered by Tetration; they are grouped together as object groups in the ASA.
- The definitions are in the Clusters section of the JSON export.
71 Using Tetration to Drive ASA Configuration
    object-group network Patient-Data
     subnet
- These are filters that have been uploaded into Tetration based on data from IPAM around subnet descriptions.
- This is actually the same mechanism that would be used to build a policy to an SGT.
72 Using Tetration to Drive ASA Configuration
3. Policy / contracts:
    access-list ACL_IN extended permit UDP object DB_VIP object Shared_Services_Mgmt_Net eq domain
    access-list ACL_IN extended permit UDP object DB_VIP object Shared_Services_Mgmt_Net eq ntp
    access-list ACL_IN extended permit TCP object Users object Default:Datacenter:Tetration eq https
    access-list ACL_IN extended permit TCP object Users object Default:Datacenter:Tetration eq 5640
- These are the individual policies that have been discovered by Tetration and then filtered so that only the ones that would traverse the interfaces in the ASA, based on the ASA routing table, are represented.
- You can find these in the Default Policies section of the JSON.
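The JSON-to-ASA conversion that slides 69 to 72 describe, as an added example rather than the session's own script: it turns a whitelist export shaped like the slide 69 JSON into ASA object-groups (from the clusters section, slide 70) and access-list entries (from the default policies section, slide 72), keeping only policies that touch a zone the firewall fronts. The sample export, the `clusters` / `default_policies` section names, the zone filter and the mapping of the `External` scope to `any` are all constructed assumptions.

```python
import json

# Constructed sample export in the shape of the slide 69 policy recommendation,
# plus a 'clusters' section (discovered host groups) and a 'default_policies'
# section (discovered policies); these section names are our assumption.
SAMPLE_EXPORT = json.dumps({
    "clusters": [
        {"name": "Domain Controllers", "nodes": [{"ip": "10.1.1.10"}, {"ip": "10.1.1.11"}]},
        {"name": "MSSQL Database", "nodes": [{"ip": "10.1.2.20"}]},
    ],
    "default_policies": [
        {"src_name": "External", "dst_name": "Domain Controllers", "whitelist": [
            {"port": [0, 0], "proto": 1, "action": "ALLOW"},
            {"port": [389, 389], "proto": 6, "action": "ALLOW"},
            {"port": [445, 445], "proto": 6, "action": "ALLOW"}]},
        {"src_name": "External", "dst_name": "MSSQL Database", "whitelist": [
            {"port": [1433, 1434], "proto": 17, "action": "ALLOW"}]},
        # East-west policy between two DC clusters: not a flow the perimeter ASA sees.
        {"src_name": "MSSQL Database", "dst_name": "Domain Controllers", "whitelist": [
            {"port": [88, 88], "proto": 6, "action": "ALLOW"}]},
    ],
})

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}           # IP protocol numbers to ASA keywords
PORT_NAMES = {53: "domain", 123: "ntp", 389: "ldap", 443: "https"}  # names the ASA prints


def asa_name(name):
    """Tetration cluster names may contain spaces; ASA object names may not."""
    return name.replace(" ", "_")


def port_clause(lo, hi):
    """Render a Tetration [lo, hi] port range as an ASA port operator."""
    if (lo, hi) == (0, 0):
        return ""                                   # ICMP or 'no port'
    if lo == hi:
        return f" eq {PORT_NAMES.get(lo, lo)}"
    return f" range {lo} {hi}"


def render_objects(clusters):
    """One object-group per discovered cluster, one network-object per host."""
    lines = []
    for c in clusters:
        lines.append(f"object-group network {asa_name(c['name'])}")
        lines.extend(f" network-object host {n['ip']}" for n in c["nodes"])
    return lines


def render_acl(policies, firewall_zones, acl="ACL_IN"):
    """One ACE per whitelist entry for policies that cross a zone the ASA fronts.

    A policy whose source and destination are both outside `firewall_zones`
    never traverses the ASA, so it is dropped (the zone filter from slide 69).
    """
    lines = []
    for pol in policies:
        if not ({pol["src_name"], pol["dst_name"]} & firewall_zones):
            continue
        src = "any" if pol["src_name"] == "External" else f"object-group {asa_name(pol['src_name'])}"
        dst = "any" if pol["dst_name"] == "External" else f"object-group {asa_name(pol['dst_name'])}"
        for e in pol["whitelist"]:
            action = "permit" if e["action"] == "ALLOW" else "deny"
            proto = PROTO.get(e["proto"], str(e["proto"]))
            lines.append(f"access-list {acl} extended {action} {proto} {src} {dst}"
                         f"{port_clause(*e['port'])}")
    return lines


def convert(export_json, firewall_zones):
    """Full conversion: object-groups, a separator, then the ACL."""
    data = json.loads(export_json)
    return (render_objects(data["clusters"]) + ["!"]
            + render_acl(data["default_policies"], firewall_zones))


if __name__ == "__main__":
    print("\n".join(convert(SAMPLE_EXPORT, {"External"})))
```

Run the script to see the object-groups followed by four ACEs; widening the zone set to include a DC cluster lets the east-west policy through as a fifth entry.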
73 What about the case where there is NAT?
- SNAT: Kafka (message bus).
- Flow data: h/w sensor; OOB sensor.
74 Tetration Visibility
75 Flow Search
- Search by username; search by SGT.
76 ADM (application dependency map diagram)
77 Compliance, Policy Validation: all flows are tracked 4 ways
- Permitted: bidirectional flows that match the policy.
- Misdropped: permitted traffic where we have dropped a packet.
- Escaped: bidirectional flows that are against the policy.
- Rejected: uni-directional flows that are against the policy.
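The four-way flow classification on slide 77, as an added example that is not Tetration's code: a small classifier sorts constructed flow records into Permitted, Misdropped, Escaped and Rejected against a white-list, and pulls out the Escaped flows, the ones that completed despite violating policy and therefore indicate an enforcement gap. The policy, the flow records and their `bidirectional` / `dropped` fields are constructed stand-ins for what the platform derives from both sides of a conversation and from enforcement-agent drop counters.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One white-list entry; '*' matches any source or destination group."""
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None        # None matches any destination port

    def matches(self, flow: Dict) -> bool:
        return (self.src in ("*", flow["src"])
                and self.dst in ("*", flow["dst"])
                and self.proto == flow["proto"]
                and self.dport in (None, flow["dport"]))


# Constructed policy in the spirit of slides 65 and 67: Doctors may reach
# patient-data, anyone may reach the web farm on port 80, nothing else.
POLICY = [
    Rule("Doctors", "patient-data", "tcp", 443),
    Rule("*", "Web", "tcp", 80),
]

# Constructed flow records. 'bidirectional' = both directions were observed,
# 'dropped' = the enforcement point reported a dropped packet for the flow.
FLOWS = [
    {"src": "Doctors",   "dst": "patient-data", "proto": "tcp", "dport": 443, "bidirectional": True,  "dropped": False},
    {"src": "Doctors",   "dst": "patient-data", "proto": "tcp", "dport": 443, "bidirectional": True,  "dropped": True},
    {"src": "Employee",  "dst": "Web",          "proto": "tcp", "dport": 80,  "bidirectional": True,  "dropped": False},
    {"src": "Employee",  "dst": "patient-data", "proto": "tcp", "dport": 443, "bidirectional": True,  "dropped": False},
    {"src": "Employee",  "dst": "patient-data", "proto": "tcp", "dport": 443, "bidirectional": False, "dropped": False},
    {"src": "Developer", "dst": "Web",          "proto": "tcp", "dport": 22,  "bidirectional": False, "dropped": False},
]


def classify(flow: Dict, policy: List[Rule]) -> str:
    """Map one flow to the slide 77 buckets.

    permitted  : matches policy, no drops
    misdropped : matches policy, but the enforcement point dropped a packet
    escaped    : violates policy, yet both directions were seen (it got through)
    rejected   : violates policy and only one direction was seen (it was blocked)
    """
    if any(r.matches(flow) for r in policy):
        return "misdropped" if flow["dropped"] else "permitted"
    return "escaped" if flow["bidirectional"] else "rejected"


def summarize(flows: List[Dict], policy: List[Rule]) -> Dict[str, int]:
    counts = {"permitted": 0, "misdropped": 0, "escaped": 0, "rejected": 0}
    for f in flows:
        counts[classify(f, policy)] += 1
    return counts


def escaped_flows(flows: List[Dict], policy: List[Rule]) -> List[Dict]:
    """Flows that violated policy and still completed: the enforcement gap to alert on."""
    return [f for f in flows if classify(f, policy) == "escaped"]


if __name__ == "__main__":
    print(summarize(FLOWS, POLICY))
    for f in escaped_flows(FLOWS, POLICY):
        print("ESCAPED:", f["src"], "->", f["dst"], f["proto"], f["dport"])
```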
78 Putting it all Together
79 (diagram: APIC)
80 Tetration with StealthWatch: leverage information from Tetration
- Export workspaces, clusters and applications discovered in Tetration to Stealthwatch host groups.
(diagram: Tetration data flowing to Cisco StealthWatch (Network Analytics))
81 Tetration with StealthWatch: leverage information from Tetration
- Monitoring unified policy.
82 Putting it all together: Campus/Branch + DC + Cloud (Customer Deployment Example)
- Campus / Branch: users; TrustSec enforcement; ISE.
- Data Center: APIC micro-segmentation / coarse-grain policy; Cisco Tetration Analytics Platform fine-grain policy; Stealthwatch.
- Cloud / IaaS: TrustSec + Tetration enforcement; Cloud Policy Platform.
84 Complete Your Online Session Evaluation
- Please complete your online session evaluations after each session.
- Complete 4 session evaluations & the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt.
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
- Don't forget: Cisco Live sessions will be available for viewing on-demand after the event.
85 Complete your Online Session Evaluation
86 Continue Your Education
- Demos in the Cisco campus
- Walk-in self-paced labs
- Tech Circle
- Meet the Engineer 1:1 meetings
- Related sessions
87 Thank you
More information2018 Cisco and/or its affiliates. All rights reserved.
Beyond Data Center A Journey to self-driving Data Center with Analytics, Intelligent and Assurance Mohamad Imaduddin Systems Engineer Cisco Oct 2018 App is the new Business Developer is the new Customer
More informationCloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN
BRKCRS-2113 Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN Sumanth Kakaraparthi Product Leader SD-WAN Manan Shah Director Of Product Management Cisco Spark How Questions? Use Cisco Spark
More informationCisco Tetration Analytics
Cisco Tetration Analytics Enhanced security and operations with real time analytics John Joo Tetration Business Unit Cisco Systems Security Challenges in Modern Data Centers Securing applications has become
More informationSegmentation. Threat Defense. Visibility
Segmentation Threat Defense Visibility Establish boundaries: network, compute, virtual Enforce policy by functions, devices, organizations, compliance Control and prevent unauthorized access to networks,
More informationTitle DC Automation: It s a MARVEL!
Title DC Automation: It s a MARVEL! Name Nikos D. Anagnostatos Position Network Consultant, Network Solutions Division Classification ISO 27001: Public Data Center Evolution 2 Space Hellas - All Rights
More informationDeploying Cloud-Agnostic Applications with Cisco CloudCenter
LTRCLD-2303 Deploying Cloud-Agnostic Applications with Cisco CloudCenter Zack Kielich CloudCenter Product Manager Vince Motto Sr. Technical Leader Andrew Horrigan Consulting Engineer Matt Tarkington Consulting
More informationBuilding NFV Solutions with OpenStack and Cisco ACI
Building NFV Solutions with OpenStack and Cisco ACI Domenico Dastoli @domdastoli INSBU Technical Marketing Engineer Iftikhar Rathore - INSBU Technical Marketing Engineer Agenda Brief Introduction to Cisco
More informationDisclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
SAI2803BU The Road to Micro- Segmentation with VMware NSX #VMworld #SAI2803BU Disclaimer This presentation may contain product features that are currently under development. This overview of new technology
More informationService Graph Design with Cisco Application Centric Infrastructure
White Paper Service Graph Design with Cisco Application Centric Infrastructure 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 101 Contents Introduction...
More informationTrustSec (NaaS / NaaE)
TrustSec (NaaS / NaaE) per@cisco.com Security on top of the mind for our customers 60% 85% 54% of data is stolen in HOURS of point-of-sale intrusions aren t discovered for WEEKS of breaches remain undiscovered
More informationSD-Access Wireless: why would you care?
SD-Access Wireless: why would you care? CUWN Architecture - Centralized Overview Policy Definition Enforcement Point for Wi-Fi clients Client keeps same IP address while roaming WLC Single point of Ingress
More informationSDN Security BRKSEC Alok Mittal Security Business Group, Cisco
SDN Security Alok Mittal Security Business Group, Cisco Security at the Speed of the Network Automating and Accelerating Security Through SDN Countering threats is complex and difficult. Software Defined
More informationCisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab
Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab Ali Shaikh Technical Leader Faraz Shamim Sr. Technical Leader Mossaddaq Turabi Distinguished ENgineer Cisco Spark How Questions?
More informationANIKET DAPTARI & RANJINI RAJENDRAN CONTRAIL TEAM
ROLE OF NETWORK VIRTUALIZATION AND SOFTWARE DEFINED SECURITY IN MULTICLOUD ANIKET DAPTARI & RANJINI RAJENDRAN CONTRAIL TEAM This statement of direction sets forth Juniper Networks current intention and
More informationRouting Underlay and NFV Automation with DNA Center
BRKRST-1888 Routing Underlay and NFV Automation with DNA Center Prakash Rajamani, Director, Product Management Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session
More informationThe Why, What, and How of Cisco Tetration
The Why, What, and How of Cisco Tetration Why Cisco Tetration? With the above trends as a backdrop, Cisco has seen specific changes within the multicloud data center. Infrastructure is changing. It is
More informationHybrid Cloud Solutions
Hybrid Cloud Solutions with Cisco and Microsoft Innovation Rob Tappenden, Technical Solution Architect rtappend@cisco.com March 2016 Today s industry and business challenges Industry Evolution & Data Centres
More informationCloud Mobility: Meraki Wireless & EMM
BRKEWN-2002 Cloud Mobility: Meraki Wireless & EMM Emily Sporl Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile
More informationCisco TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.3
TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.3 TrustSec uniquely builds upon your existing identity-aware infrastructure by enforcing segmentation and access control
More informationDNA Automation Services Offerings
DNA Automation Services Offerings Jamie Owen, Solutions Architect, Cisco Advanced Services Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session
More informationDevNet Technical Breakout: Introduction to ACI Programming and APIs.
DevNet Technical Breakout: Introduction to ACI Programming and APIs. Michael Cohen Agenda Introduction to ACI ACI Policy ACI APIs REST API Python API L4-7 Scripting Opflex 3 Application Centric Infrastructure
More informationCisco Application Centric Infrastructure
Data Sheet Cisco Application Centric Infrastructure What s Inside At a glance: Cisco ACI solution Main benefits Cisco ACI building blocks Main features Fabric Management and Automation Network Security
More informationUse Case: Three-Tier Application with Transit Topology
Use Case: Three-Tier Application with Transit Topology About Deploying a Three-Tier Application with Transit Topology, on page 1 Deploying a Three-Tier Application, on page 3 Transit Routing with OSPF
More informationService Insertion with ACI using F5 iworkflow
Service Insertion with ACI using F5 iworkflow Gert Wolfis F5 EMEA Cloud SE October 2016 Agenda F5 and Cisco ACI Joint Solution Cisco ACI L4 L7 Service Insertion Overview F5 and Cisco ACI Integration Models
More informationCisco ACI vpod. One intent: Any workload, Any location, Any cloud. Introduction
Cisco ACI vpod One intent: Any workload, Any location, Any cloud Organizations are increasingly adopting hybrid data center models to meet their infrastructure demands, to get flexibility and to optimize
More informationContiv installation and integration with ACI
Contiv installation and integration with ACI http://contiv.ciscolive.com Haroun Dass Customer Solutions Architect hdass@cisco.com Luis Flores System Engineer luflores@cisco.com @Luis_E_Flores Cesar Obediente
More informationData Center Security. Fuat KILIÇ Consulting Systems
Data Center Security Fuat KILIÇ Consulting Systems Engineer @Security Data Center Evolution WHERE ARE YOU NOW? WHERE DO YOU WANT TO BE? Traditional Data Center Virtualized Data Center (VDC) Virtualized
More informationNext generation branch with SD-WAN and NFV
Next generation branch with SD-WAN and NFV Kiran Ghodgaonkar, Senior Manager, Enterprise Marketing Mani Ganeson, Senior Product Manager PSOCRS-2004 @ghodgaonkar Cisco Spark How Questions? Use Cisco Spark
More informationServiceability of SD-WAN
BRKCRS-2112 Serviceability of SD-WAN Chandrabalaji Rajaram & Ali Shaikh Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live
More informationCisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack
White Paper Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack Introduction Cisco Application Centric Infrastructure (ACI) is a next-generation data center fabric infrastructure
More informationACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation)
This chapter contains the following sections:, on page 1 Alias API Inspector App Center Alias A changeable name for a given object. While the name of an object, once created, cannot be changed, the Alias
More informationMigration from Classic DC Network to Application Centric Infrastructure
Migration from Classic DC Network to Application Centric Infrastructure Kannan Ponnuswamy, Solution Architect, Cisco Advanced Services Acronyms IOS vpc VDC AAA VRF STP ISE FTP ToR UCS FEX OTV QoS BGP PIM
More informationNetBrain Technologies: Achieving Agile Network Operations: How Automation Can Improve Visibility Across Hybrid Infrastructures
BRKPAR - 2509 NetBrain Technologies: Achieving Agile Network Operations: How Automation Can Improve Visibility Across Hybrid Infrastructures Jason Baudreau Achieving Agile Network Operations How Automation
More informationContiv installation and integration with ACI. LTRCLD-2003
Contiv installation and integration with ACI LTRCLD-2003 http://contiv.ciscolive.com Cesar Obediente CCIE#5620 Principal Systems Engineer Gaurav Dalvi Software Engineer Future of IT is Changing People/Process
More informationACI Multi-Site Architecture and Deployment. Max Ardica Principal Engineer - INSBU
ACI Multi-Site Architecture and Deployment Max Ardica Principal Engineer - INSBU Agenda ACI Network and Policy Domain Evolution ACI Multi-Site Deep Dive Overview and Use Cases Introducing ACI Multi-Site
More informationCisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin
System Bulletin TrustSec Software-Defined Segmentation Release 6.1 System Bulletin Introduction Network segmentation is essential for protecting critical business assets. TrustSec Software Defined Segmentation
More informationDevOps CICD for VNF a NetOps Approach
DevOps CICD for VNF a NetOps Approach Renato Fichmann Senior Solutions Architect Cisco Advanced Services Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1.
More informationMulti-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr)
Multi-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr) Jeremy Oakey - Sr. Director, Technical Marketing & Integrations BRKCLD-2008 Agenda Introduction Architecture
More information2012 Cisco and/or its affiliates. All rights reserved. 1
2012 Cisco and/or its affiliates. All rights reserved. 1 Policy Access Control: Challenges and Architecture UA with Cisco ISE Onboarding demo (BYOD) Cisco Access Devices and Identity Security Group Access
More informationAPIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks
APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks Saurav Prasad Technical Marketing Engineer CTHNMS-1002 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after
More informationMulti-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr)
Multi-Cloud and Application Centric Modeling, Deployment and Management with Cisco CloudCenter (CliQr) Jeremy Oakey Senior Director, Technical Marketing and Integrations Agenda Introduction Architecture
More informationCisco SD-WAN and DNA-C
Cisco SD-WAN and DNA-C SD-WAN Cisco SD-WAN Intent-based networking for the branch and WAN 4x Improved application experience Better user experience Deploy applications in minutes on any platform with consistent
More informationIntroduction to Cisco SD- WAN (Viptela)
LTRCRS-2005 Introduction to Cisco SD- WAN (Viptela) Brad Edgeworth, Systems Engineer, CCIE#31574 Dustin Schuemann, Solutions Architect Madhavan Aruanchalam, Technical Marketing Engineer Cisco Spark How
More informationMP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017
MP-BGP VxLAN, ACI & Demo Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017 Datacenter solutions Programmable Fabric Classic Ethernet VxLAN-BGP EVPN standard-based Cisco DCNM Automation Modern
More informationCisco Group Based Policy Platform and Capability Matrix Release 6.4
Group d Policy Platform and Capability Matrix Release 6.4 (inclusive of TrustSec Software-Defined Segmentation) Group d Policy (also known as TrustSec Software-Defined Segmentation) uniquely builds upon
More informationCisco SDN 解决方案 ACI 的基本概念
Cisco SDN 解决方案 ACI 的基本概念 Presented by: Shangxin Du(@shdu)-Solution Support Engineer, Cisco TAC Aug 26 th, 2015 2013 Cisco and/or its affiliates. All rights reserved. 1 Type Consumption Delivery Big data,
More informationCisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer
Cisco Next Generation Firewall and IPS Dragan Novakovic Security Consulting Systems Engineer Cisco ASA with Firepower services Cisco TALOS - Collective Security Intelligence Enabled Clustering & High Availability
More informationCisco ACI Terminology ACI Terminology 2
inology ACI Terminology 2 Revised: May 24, 2018, ACI Terminology Cisco ACI Term Alias API Inspector App Center Application Policy Infrastructure Controller (APIC) Application Profile Atomic Counters Alias
More informationCisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin
System Bulletin TrustSec Software-Defined Segmentation Release 6.1 System Bulletin Introduction Network segmentation is essential for protecting critical business assets. TrustSec Software Defined Segmentation
More informationSecurity for shared infrastructure in Cisco ONE Enterprise Cloud Suite BRKPCA-2040
Security for shared infrastructure in Cisco ONE Enterprise Cloud Suite Roxana Diaz TSA, CCIE BRKPCA-2040 @roxadiaz2 Agenda Introduction Cisco VACS Overview VACS Configuration Security Use-cases Customers
More informationIdentity Based Network Access
Identity Based Network Access Identity Based Network Access - Agenda What are my issues Cisco ISE Power training What have I achieved What do I want to do What are the issues? Guest Student Staff Contractor
More informationVeč kot SDN - SDA arhitektura v uporabniških omrežjih
Več kot SDN - SDA arhitektura v uporabniških omrežjih Aleksander Kocelj SE Cisco Agenda - Introduction to Software Defined Access - Brief description on SDA - Cisco SDA Assurance - DEMO 2 New Requirements
More informationReal World ACI Deployment and Migration
Real World ACI Deployment and Migration #clmel Kannan Ponnuswamy Solution Architect Cisco Advanced Services Icons and Terms APIC Application Policy Infrastructure Controller (APIC) Cisco Nexus 9500 Cisco
More informationMAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER
MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER Bret Hartman Cisco / Security & Government Group Session ID: SPO1-W25 Session Classification: General Interest 1 Mobility Cloud Threat Customer centric
More informationSelf-driving Datacenter: Analytics
Self-driving Datacenter: Analytics George Boulescu Consulting Systems Engineer 19/10/2016 Alvin Toffler is a former associate editor of Fortune magazine, known for his works discussing the digital revolution,
More informationCisco Tetration Analytics
Cisco Tetration Analytics Real-time application visibility and policy management using advanced analytics Yogesh Kaushik, Sr. Director Product Management PSOACI-2100 Agenda Market context Introduction:
More informationCisco HyperFlex Systems
White Paper Cisco HyperFlex Systems Install and Manage Cisco HyperFlex Systems in a Cisco ACI Environment Original Update: January 2017 Updated: March 2018 Note: This document contains material and data
More informationCisco Tetration Analytics
Cisco Tetration Analytics Enhanced security and operations with real time analytics Christopher Say (CCIE RS SP) Consulting System Engineer csaychoh@cisco.com Challenges in operating a hybrid data center
More informationPolicy Driven Data Centre with ACI
Policy Driven Data Centre with ACI Chris Gascoigne Technical Solutions Architect #clmel Agenda Introduction What is policy Network policy Application policy Conclusion Introduction Traditional Data Centre
More informationNXOS in the Real World Using NX-API REST
NXOS in the Real World Using NX-API REST Adrian Iliesiu Corporate Development Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session
More informationReal World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601
Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601 Icons and Terms APIC Application Policy Infrastructure Controller (APIC) Cisco Nexus 9500 Cisco Nexus 9300 Nexus
More informationData Center and Cloud Automation
Data Center and Cloud Automation Tanja Hess Systems Engineer September, 2014 AGENDA Challenges and Opportunities Manual vs. Automated IT Operations What problem are we trying to solve and how do we solve
More informationIpswitch: The New way of Network Monitoring and how to provide managed services to its customers
BRKPAR-2333 Ipswitch: The New way of Network Monitoring and how to provide managed services to its customers Paolo Ferrari, Senior Director Sales Southern Europe, Ipswitch, Inc. WhatsUp Gold Jan 2018 Agenda
More informationDisclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme
MMC1532BE Using VMware NSX Cloud for Enhanced Networking and Security for AWS Native Workloads Percy Wadia Amol Tipnis VMworld 2017 Content: Not for publication #VMworld #MMC1532BE Disclaimer This presentation
More informationCisco Application Policy Infrastructure Controller Data Center Policy Model
White Paper Cisco Application Policy Infrastructure Controller Data Center Policy Model This paper examines the Cisco Application Centric Infrastructure (ACI) approach to modeling business applications
More informationCisco SD-WAN. Intent-based networking for the branch and WAN. Carlos Infante PSS EN Spain March 2018
Cisco SD-WAN Intent-based networking for the branch and WAN Carlos Infante PSS EN Spain March 2018 Aug-12 Oct-12 Dec-12 Feb-13 Apr-13 Jun-13 Aug-13 Oct-13 Dec-13 Feb-14 Apr-14 Jun-14 Aug-14 Oct-14 Dec-14
More informationCisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003
Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Agenda ACI Introduction and Multi-Fabric Use Cases ACI Multi-Fabric Design Options ACI Stretched Fabric Overview
More informationCisco SD-Access Building the Routed Underlay
Cisco SD-Access Building the Routed Underlay Rahul Kachalia Sr. Technical Leader Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the
More informationCisco Campus Fabric Introduction. Vedran Hafner Systems engineer Cisco
Cisco Campus Fabric Introduction Vedran Hafner Systems engineer Cisco Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching VLANs) Network
More informationNetwork as an Enforcer (NaaE) Cisco Services. Network as an Enforcer Cisco and/or its affiliates. All rights reserved.
Network as an Enforcer (NaaE) Cisco Services INTRODUCTION... 6 Overview of Network as an Enforcer... 6 Key Benefits... 6 Audience... 6 Scope... 6... 8 Guidelines and Limitations... 8 Configuring SGACL
More informationStop Threats Before They Stop You
Stop Threats Before They Stop You Gain visibility and control as you speed time to containment of infected endpoints Andrew Peters, Sr. Manager, Security Technology Group Agenda Situation System Parts
More informationNetDevOps Style Configuration Management for the Network
DEVNET-3616 NetDevOps Style Configuration Management for the Network Hank Preston, NetDevOps Evangelist ccie 38336, R/S @hfpreston Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker
More informationCisco Software-Defined Access
Cisco Software-Defined Access Introducing an entirely new era in networking. What if you could give time back to IT? Provide network access in minutes for any user or device to any application-without
More informationRunning RHV integrated with Cisco ACI. JuanLage Principal Engineer - Cisco May 2018
Running RHV integrated with Cisco ACI JuanLage Principal Engineer - Cisco May 2018 Agenda Why we need SDN on the Data Center What problem are we solving? Introduction to Cisco Application Centric Infrastructure
More informationConfigure. Background. Register the FTD Appliance
Background, page 1 Register the FTD Appliance, page 1 Create a Service Graph, page 9 Apply a Service Graph Template, page 10 Supported Functions, page 13 FTD Deployments, page 18 Background The ACI fabric
More informationSolution Overview Cisco Tetration Analytics and AlgoSec: Business Application Connectivity Visibility, Policy Enforcement, and Business-Based Risk and
Solution Overview Cisco Tetration Analytics and AlgoSec: Business Application Connectivity Visibility, Policy Enforcement, and Business-Based Risk and Compliance Management Through the integration of AlgoSec
More informationCisco ACI App Center. One Platform, Many Applications. Overview
White Paper Cisco ACI App Center One Platform, Many Applications Overview Cisco Application Centric Infrastructure (Cisco ACI ) is a comprehensive software-defined networking (SDN) solution designed from
More informationDigital Network Architecture for Securing Enterprise Networks
Digital Network Architecture for Securing Enterprise Networks Matt Robertson Evgeny Mirolyubov Technical Marketing Engineers, Advanced Threat Solutions Cisco Spark How Questions? Use Cisco Spark to communicate
More informationGet Hands On With DNA Center APIs for Managing Intent
DEVNET-3620 Get Hands On With DNA Center APIs for Managing Intent Adam Radford Distinguished Systems Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session
More informationLTRDCT-2781 Building and operating VXLAN BGP EVPN Fabrics with Data Center Network Manager
LTRDCT-2781 Building and operating VXLAN BGP EVPN Fabrics with Data Center Network Manager Henrique Molina, Technical Marketing Engineer Matthias Wessendorf, Technical Marketing Engineer Cisco Spark How
More informationIntegration of Hypervisors and L4-7 Services into an ACI Fabric. Azeem Suleman, Principal Engineer, Insieme Business Unit
Integration of Hypervisors and L4-7 Services into an ACI Fabric Azeem Suleman, Principal Engineer, Insieme Business Unit Agenda Introduction to ACI Review of ACI Policy Model Hypervisor Integration Layer
More information