4. ACI Service Graphs Keep it Simple
[Diagram: a Client EPG (consumer) and a Web EPG (provider) joined by a Web contract; the contract's service graph inserts L4-L7 devices, which can be managed or unmanaged.]
ACI Allows for Easier Services Insertion
5. L4-L7 Service Automation: Support for All Devices
Any Device and Cluster Manager Support
[Diagram: Cisco ACI™ Services Graph with three ways to integrate L4-L7 services: with an L4-L7 Device Package, with no device package, or through a Service Cluster Manager.]
• Centralized L4-L7 service configuration and management
• Full L4-L7 service automation (with device package)
• Large ecosystem and investment protection
• Security policy follows workload
• Centralized security provisioning and visibility
• Automated service insertion and chaining
• Support for any L4-L7 device
• New support for L4-L7 cluster managers
[Icons: Embedded Security, Micro-Segmentation, Security Automation, Encryption, Analytics]
6. Same Policy Model across physical and any virtualization or cloud technology
[Diagram: VMs and containers on every host type attached to the same ACI policy, each with its own virtual switch and encapsulation:
  - KVM: OpFlex Agent, Open vSwitch, V(X)LAN
  - ESXi: Cisco AVS with V(X)LAN, or VMware DVS
  - Hyper-V: MSFT vSwitch, V(X)LAN
  - Docker (Docker1, Docker2): OpFlex Agent, Open vSwitch, V(X)LAN
  - Bare Metal: VLAN
 OpFlex is shown under each virtualized host.]
7. Can we use Micro Segmentation within ACI to effectively isolate application traffic?
Using Micro Segmentation
10. Micro-Segmentation with ACI
Micro-Segmentation Across any Workload
[Diagram: one micro-segmented EPG (EPG-Web, an IP/MAC EPG) spanning workloads on vDS (VLAN), Cisco AVS (VLAN or VXLAN), Hyper-V vSwitch (VLAN or VXLAN) and two Open vSwitch hosts (VLAN); OpFlex on the virtual switches.]

Attribute                                Type
MAC Address Filter                       Network
IP Address Filter                        Network
VNic Dn (vNIC domain name)               VM
VM Identifier                            VM
VM Name                                  VM
Hypervisor Identifier                    VM
VMM Domain                               VM
Datacenter                               VM
Custom Attribute (VMware AVS/vDS only)   VM
Operating System                         VM
11. MAC-EPG Support in ACI
Micro-Segmentation Across any Workload
[Diagram: same as slide 10, with the micro-segmented EPG labeled MAC-EPG-Web; the attribute table repeats the one on slide 10.]
12. MAC-EPG (Micro-Segmentation)
• A MAC-EPG is a micro-segmented EPG whose endpoint membership is based on a MAC address attribute list; the list is derived from the endpoints of a Base EPG
• Scoped at the BD level
• MAC-EPGs can have large MAC lists
• Use cases: migrations, security feedback loop, etc.
• Note: an endpoint whose MAC is on no MAC-EPG list stays in the Base EPG and gets the Base EPG's policy, so the list has to be kept in step with VM moves, re-imaging and NIC replacement
[Diagram: BD1/subnet1 holds a Base EPG and MAC-EPG-1 ... MAC-EPG-N with a contract between them; within a BD traffic is bridged. BD2/subnet2 holds a Base EPG and MAC-EPG-1; inter-BD traffic is routed, again under a contract.]
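How the attribute table on slides 10 and 11 and the MAC-EPG on slide 12 translate into APIC objects, as an added example that is not Cisco's code or any tooling from this deck. It derives a MAC list from a constructed endpoint (fvCEp) class-query result for a Base EPG and builds the JSON body for an attribute-based EPG in the same BD with those MACs plus a VM Name criterion. The tenant, app profile, EPG and BD names, the VMM domain and the sample endpoints are assumptions; the class and attribute names (fvAEPg, fvCrtrn, fvMacAttr, fvVmAttr, fvRsDomAtt) follow the APIC object model as the editor recalls it, so verify them against your APIC release before posting.

```python
"""Build an APIC attribute-based (uSeg) EPG from a Base EPG's endpoints.

Added example, not from the deck. All names and the endpoint sample are
constructed. Class/attribute names follow the APIC object model
(fvAEPg, fvCrtrn, fvMacAttr, fvVmAttr); verify against your release.
"""
import json
import re

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")

# Constructed sample of GET /api/node/class/fvCEp.json, shaped like a real
# APIC class-query response ({"imdata": [...]}). One entry belongs to a
# different EPG on purpose, to show the dn filter doing its job.
SAMPLE_FVCEP = {
    "totalCount": "3",
    "imdata": [
        {"fvCEp": {"attributes": {
            "dn": "uni/tn-Prod/ap-VDI/epg-Base/cep-00:50:56:AA:00:01",
            "mac": "00:50:56:AA:00:01", "ip": "10.1.1.11", "encap": "vlan-100"}}},
        {"fvCEp": {"attributes": {
            "dn": "uni/tn-Prod/ap-VDI/epg-Base/cep-00:50:56:AA:00:02",
            "mac": "00:50:56:AA:00:02", "ip": "10.1.1.12", "encap": "vlan-100"}}},
        {"fvCEp": {"attributes": {
            "dn": "uni/tn-Prod/ap-VDI/epg-Other/cep-00:50:56:BB:00:09",
            "mac": "00:50:56:BB:00:09", "ip": "10.1.2.9", "encap": "vlan-200"}}},
    ],
}


def macs_from_base_epg(class_query, base_epg_dn):
    """Sorted, de-duplicated MACs of endpoints learned under base_epg_dn.

    A class query can return endpoints from other EPGs, so filter on the
    endpoint dn prefix rather than trusting whatever query filter was used.
    """
    macs = set()
    for item in class_query.get("imdata", []):
        attrs = item.get("fvCEp", {}).get("attributes", {})
        if not attrs.get("dn", "").startswith(base_epg_dn + "/"):
            continue
        mac = attrs.get("mac", "").upper()
        if MAC_RE.match(mac):
            macs.add(mac)
    return sorted(macs)


def build_useg_epg(name, bd, macs, vm_name_prefix=None, vmm_dom_dn=None):
    """JSON body for an attribute-based EPG (isAttrBasedEPg=yes).

    One fvCrtrn with match=any: an endpoint joins if its MAC is listed
    OR (when given) its VM name starts with vm_name_prefix.
    """
    criteria = [{"fvMacAttr": {"attributes": {"name": "mac-%d" % i, "mac": m}}}
                for i, m in enumerate(macs)]
    if vm_name_prefix:
        criteria.append({"fvVmAttr": {"attributes": {
            "name": "vmname", "type": "vm-name",
            "operator": "startsWith", "value": vm_name_prefix}}})
    children = [
        {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},  # same BD as the Base EPG
        {"fvCrtrn": {"attributes": {"name": "default", "match": "any"},
                     "children": criteria}},
    ]
    if vmm_dom_dn:  # VM attributes are only evaluated with a VMM domain attached
        children.append({"fvRsDomAtt": {"attributes": {"tDn": vmm_dom_dn}}})
    return {"fvAEPg": {"attributes": {"name": name, "isAttrBasedEPg": "yes"},
                       "children": children}}


def useg_epg_url(apic, tenant, ap, name):
    """MO URL (dn-based) the body is POSTed to after /api/aaaLogin.json."""
    return "https://%s/api/mo/uni/tn-%s/ap-%s/epg-%s.json" % (apic, tenant, ap, name)


if __name__ == "__main__":
    macs = macs_from_base_epg(SAMPLE_FVCEP, "uni/tn-Prod/ap-VDI/epg-Base")
    body = build_useg_epg("MAC-EPG-Web", "BD1", macs, "web-", "uni/vmmp-VMware/dom-DC1")
    print(useg_epg_url("apic1", "Prod", "VDI", "MAC-EPG-Web"))
    print(json.dumps(body, indent=2))
```

The dn filter matters for the "derived from a Base EPG" step: a class query scoped by a wildcard on the dn can still pick up endpoints from neighbouring EPGs, and a MAC-EPG silently absorbs every MAC you hand it.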
14. User Segmentation and VDI
[Diagram: campus PCs (Sales, IT and HR users) reach a datacenter VDI EPG and a Server EPG; NGFW / NGIPS sits in front of each EPG.]
Solution provides:
Next-Generation Security (NGFW, NGIPS, AMP) with identity controls.
VDI Farm is one big flat subnet, with lateral blocking. Need to provide secure access to Servers.
16. Consuming Micro-Segmentation
User-Identity Micro-Segmentation with ACI
[Diagram: Src-EPG and Dest-EPG joined by a contract, shown before and after adding user identity.]
• Concept: AD based user identity policy
• Solution: intra-EPG isolation plus an ACI service graph with Firepower
• Enforce user-identity based network access control policy:
  - Red User can only access Red VMs
  - Green User can only access Green VMs
• ACI policy model extension
• Status: shipping
17. Secure VDI Use case: User-Identity Micro-Segmentation with Firepower + ACI
[Diagram: users on the campus network initiate VDI sessions through an L3Out into the VDI EPG; the contract between the VDI EPG and the Server EPG carries a service graph with a Firepower 4100 / 9300 (FTD image, vPC-attached, consumer and provider connectors). FMC learns user identity from Active Directory through the SF User Agent. VDI Farm: one big flat subnet but VMs isolated, blocking lateral movement.]

User-Identity Network Access Control Policy (Sourcefire policy):

Users (AD Group: VDI Session)             Destination Network (Server EPG)
Group A (VDI IP range 1.0.0.1 to 1.0.0.2)   Destination subnet 10.0.0.0/30
Group B (3.0.0.1)                           Destination 20.0.0.1

Status: shipping
19. User Segmentation
Control of which systems or applications within a datacenter a user or group can connect to.
[Diagram: campus PCs tagged 8 SGT / Sales, 3 SGT / HR and 99 SGT / IT connecting to the datacenter.]
• TrustSec / Security Group Tags
• VLAN Assignment
• Passive Identity from Active Directory
20. Problem: Disjointed Identity & Security Policy Domains Between Campus and Data Center
[Diagram: a TrustSec policy domain (Campus / Branch / Non-Fabric, with Voice, Employee, Supplier and BYOD groups on a Voice VLAN and a Data VLAN) connected over the WAN to an APIC policy domain (ACI Fabric data center with Web, App and DB EPGs). Identity, grouping and policy domains are disjoint.]
• Today the customer has two disjointed identity and security policy domains in Campus and Data Center:
  - TrustSec user identity, SGT and SGACL in Campus
  - APIC app endpoint identity, EPG and contract in Data Center
• Customer requirement:
  - Need common "identity," tagging and "security policy" between TrustSec and ACI domains
23. ACI to Campus Flow
[Diagram: the TrustSec/ISE policy domain (CMD/SGT on the wire, SXP to the border router) connects over the WAN (IPsec, DMVPN, GETVPN, OTP) to a TrustSec border router (ASR1K initially) that performs SGT <-> EPG translation and holds per-host policy. On the ACI side the SGT-EPG enters the fabric over iVXLAN through a GOLF L3Out, with a vzAny contract (permit-all or filter ports) to the APP-EPG. Target: Q2-CY17.]
24. Solution: Normalize Identity and SGT/EPG
Phase 1: Identity and Policy Propagation between ISE and APIC
• No SGT tags sent to ACI
• Enforcement at N9300 border leaf
• Leverage IP address as user identifier
• Scale: ~10k/leaf
• Works with existing ACI infra: N9300 leafs and N9500 spines
• Target timeframe: shipping now
• Note: with the IP address standing in for the user, policy follows the address rather than the login; NAT, shared addresses and an address reused after the user logs off all break the mapping, so the ISE bindings must be kept current
Phase 2: Policy Mapping between ISE and APIC AND Data Plane Integration (ASR1K or ACI Spine)
• ASR1K DCI translates SGT <-> EPG class ID
• Enforcement at N9300 leaf
• Scale: SGT / EPG namespace
• Works with existing N9300 leafs; requires upgrade of N9500 spines (line card / fabric module available mid CY16)
• Target timeframe: Q2 CY17
[Diagram: TrustSec domain (SGT) and ACI domain (EPG) in each phase; in Phase 2 the ASR1k carries the SGT into iVXLAN. Status: Phase 1 shipping, Phase 2 Q2-CY17.]
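What Phase 1 (IP address as the user identifier, no SGT carried into ACI) means in practice, as an added example that is not Cisco's ISE/APIC integration code: IP-SGT bindings of the kind SXP exchanges are parsed, grouped per SGT into the IP attribute list of one uSeg EPG per SGT, a contract relation is generated from each SGT-EPG (consumer) to the APP-EPG (provider), and the total IP entry count is checked against the ~10k-per-leaf figure on the slide. The SGT numbers and names are the slide 19 values; the bindings, the tenant, BD, EPG and contract names are constructed, and the APIC class names (fvAEPg, fvCrtrn, fvIpAttr, fvRsCons, fvRsProv) follow the APIC object model as the editor recalls it.

```python
"""Phase 1 normalization: IP-SGT bindings -> IP-based uSeg EPGs + contracts.

Added example, not the deck's or Cisco's code. SGT names from slide 19;
bindings and ACI names are constructed. APIC class names (fvAEPg, fvCrtrn,
fvIpAttr, fvRsCons, fvRsProv) follow the APIC object model.
"""
import ipaddress

SGT_NAMES = {8: "Sales", 3: "HR", 99: "IT"}  # slide 19

# Constructed IP-SGT bindings in the "prefix,sgt" form SXP carries.
# Includes a duplicate and an SGT with no known name, on purpose.
SAMPLE_BINDINGS = """\
10.8.0.0/24,8
10.8.1.7/32,8
10.3.0.0/24,3
10.99.0.0/22,99
10.99.0.5/32,99
10.99.0.5/32,99
192.0.2.10/32,42
"""

PER_LEAF_LIMIT = 10000  # "Scale: ~10k/Leaf" from slide 24


def parse_bindings(text):
    """Yield (network, sgt) pairs; skip blanks, comments, duplicates and
    malformed entries (a bad line must never be guessed into a group)."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            prefix, sgt = line.split(",")
            net = ipaddress.ip_network(prefix.strip(), strict=True)
            sgt = int(sgt)
        except ValueError:
            continue
        if (net, sgt) in seen:
            continue
        seen.add((net, sgt))
        yield net, sgt


def group_by_sgt(bindings, sgt_names):
    """Map SGT-EPG name -> sorted prefix strings. Unknown SGTs are returned
    separately so they can be reviewed rather than silently dropped."""
    epgs, unknown = {}, []
    for net, sgt in bindings:
        if sgt not in sgt_names:
            unknown.append((str(net), sgt))
            continue
        epgs.setdefault("SGT-%d-%s" % (sgt, sgt_names[sgt]), []).append(str(net))
    return {k: sorted(v) for k, v in epgs.items()}, unknown


def ip_epg_body(name, bd, prefixes):
    """Attribute-based EPG whose only criteria are IP prefixes."""
    attrs = [{"fvIpAttr": {"attributes": {"name": "ip-%d" % i, "ip": p}}}
             for i, p in enumerate(prefixes)]
    return {"fvAEPg": {"attributes": {"name": name, "isAttrBasedEPg": "yes"},
                       "children": [
                           {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
                           {"fvCrtrn": {"attributes": {"name": "default", "match": "any"},
                                        "children": attrs}}]}}


def contract_bindings(sgt_epg_names, app_epg, contract):
    """SGT-EPGs consume, the APP-EPG provides: (epg_name, relation body) pairs,
    each to be POSTed under the named EPG's dn."""
    out = [(e, {"fvRsCons": {"attributes": {"tnVzBrCPName": contract}}})
           for e in sgt_epg_names]
    out.append((app_epg, {"fvRsProv": {"attributes": {"tnVzBrCPName": contract}}}))
    return out


def over_leaf_limit(epgs, limit=PER_LEAF_LIMIT):
    """True if the IP entries across all SGT-EPGs exceed one leaf's scale."""
    return sum(len(v) for v in epgs.values()) > limit


if __name__ == "__main__":
    epgs, unknown = group_by_sgt(parse_bindings(SAMPLE_BINDINGS), SGT_NAMES)
    for name, prefixes in sorted(epgs.items()):
        print(name, prefixes)
    print("unknown SGTs:", unknown, "over limit:", over_leaf_limit(epgs))
```

The unknown-SGT list is the part worth keeping in a real pipeline: a binding whose SGT has no EPG mapping would otherwise land nowhere, which means the host falls back to whatever the base EPG or L3Out policy allows.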
26. Security Feedback Loop
Firepower, in all its forms, supports Correlation Policies and Remediation Modules, allowing us to take a customized action based on defined behavior on the network.
Example: if a server is attacked by a host in my PCI network, I want to block the attacker.
27. Consuming Micro-Segmentation
ACI and Sourcefire: Security Closed Feedback Loop
[Diagram: a host at 10.1.0.234 in the CORP EPG attacks the Web EPG through the FW and NGIPS. FireSIGHT Management Center makes REST calls to the APIC northbound API to move the VM to the QUA EPG (quarantine for remediation); post remediation the cleaned VM is moved out (REM EPG).]
Status:
1. Cisco on Cisco solution (ACI + Security BU)
2. Remediation module in FMC used for the security feedback loop (no device package required)
3. Productization for VMware vDS, AVS and BM is shipping
   • Quarantine IP-EPG creation
   • Quarantine bad endpoints using IP-EPG only
4. Tested 150 IP-EPG creation and TBD endpoints
5. NGIPS stitching has no dependencies on the remediation module; NGIPS stitching works with or without a device package, and both options are supported
Note: because quarantine is keyed on the IP address, the address FMC reports must be the one the fabric sees for that endpoint (not a post-NAT address), and an endpoint that changes address leaves the quarantine IP-EPG.
Demo Video: https://youtu.be/zSfDT1-47Hg
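The quarantine half of the loop on slides 26 and 27, as an added example that is not Cisco's FMC remediation module: a constructed correlation event is checked against the slide 26 rule (only a source inside the PCI network is acted on, the victim is never touched, infrastructure addresses are exempt), then the APIC request that adds the attacker's IP to the quarantine IP-EPG is built, and the matching release request (status=deleted) that lets the cleaned endpoint fall back to its base EPG. The PCI network, exempt addresses, tenant and EPG names, APIC host and the event itself are constructed; the MO URL layout (epg dn, crtrn, ipattr-<name>) and the fvIpAttr body follow the APIC object model as the editor recalls it, so verify against your release.

```python
"""Security feedback loop: Firepower correlation event -> APIC quarantine IP-EPG.

Added example, not Cisco's FMC remediation module. The event, the PCI
network, tenant/EPG names and the APIC host are constructed; the MO URLs
and fvIpAttr body follow the APIC object model.
"""
import ipaddress

PCI_NETWORKS = [ipaddress.ip_network("10.1.0.0/24")]   # constructed "my PCI network"
NEVER_QUARANTINE = {"10.1.0.1", "10.1.0.2"}             # constructed: gateway, FMC
QUA_EPG_DN = "uni/tn-Prod/ap-Corp/epg-QUA"              # constructed quarantine IP-EPG

# Constructed correlation event in the shape a remediation module receives:
# the source/destination of the flow that tripped the correlation rule.
SAMPLE_EVENT = {"rule": "PCI attacker", "src_ip": "10.1.0.234",
                "dst_ip": "10.2.0.50", "dst_epg": "Web", "severity": "high"}


def pick_target(event, pci_networks=PCI_NETWORKS, allow=NEVER_QUARANTINE):
    """Return (ip, reason). ip is None when nothing should be quarantined.

    Only a source inside the PCI network is moved (the slide 26 rule); the
    destination is never touched, and exempt infrastructure addresses stay.
    """
    try:
        src = ipaddress.ip_address(event["src_ip"])
    except (KeyError, ValueError):
        return None, "no usable source address"
    if str(src) in allow:
        return None, "source is exempt"
    if not any(src in n for n in pci_networks):
        return None, "source not in PCI network"
    return str(src), "quarantine"


def _attr_name(ip):
    # fvIpAttr names must be safe in a dn; dots/colons are not.
    return "q-" + ip.replace(".", "-").replace(":", "-")


def quarantine_request(apic, ip, qua_epg_dn=QUA_EPG_DN):
    """(url, body) that adds ip to the quarantine EPG's IP attribute list."""
    name = _attr_name(ip)
    url = "https://%s/api/mo/%s/crtrn/ipattr-%s.json" % (apic, qua_epg_dn, name)
    return url, {"fvIpAttr": {"attributes": {"name": name, "ip": ip}}}


def release_request(apic, ip, qua_epg_dn=QUA_EPG_DN):
    """(url, body) that deletes the attribute once the host is cleaned; the
    endpoint then falls back to its base EPG (no "move back" object needed)."""
    url, body = quarantine_request(apic, ip, qua_epg_dn)
    body["fvIpAttr"]["attributes"]["status"] = "deleted"
    return url, body


class QuarantineState:
    """Tracks which IPs are in the QUA EPG so repeat events don't re-POST."""

    def __init__(self):
        self.held = set()

    def handle(self, apic, event):
        ip, _reason = pick_target(event)
        if ip is None or ip in self.held:
            return None
        self.held.add(ip)
        return quarantine_request(apic, ip)

    def release(self, apic, ip):
        if ip not in self.held:
            return None
        self.held.discard(ip)
        return release_request(apic, ip)


if __name__ == "__main__":
    state = QuarantineState()
    print(state.handle("apic1", SAMPLE_EVENT))   # POST this after aaaLogin
    print(state.release("apic1", "10.1.0.234"))  # POST this once remediated
```

The exempt list is the safety valve a remediation module needs: a correlation rule that matches the FMC's or the gateway's own address would otherwise quarantine the thing doing the quarantining.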