
BRKACI-2506
How to easily integrate Security & L4-L7 Services into ACI
Carlos Campos Torres, Data Center Technical Solutions Architect
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKACI-2506

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
What to expect from this session
• This is NOT another Power-Point only session
• We will focus on the most-common scenarios that you need to know to implement Security and/or L4-L7 services on ACI
• This session is based on lessons learned from production-grade ACI network implementations
• Focus on Simplicity with a Network/Security Approach!
• Networks have never been simple, but we live today in a consumption-based market: we need fast and easy!
• Cisco ACI allows us to have hundreds of physical switches and virtual ones managed as a single stack

Agenda
• ACI Basics review
• L4-L7 integration modes overview and basics
  • Scenario 1: Network-Policy vs Service-Policy mode (ASAv/Firewall)
  • Other possible scenarios
  • Scenario 2: Inserting SLB (F5 Big IP)
  • Scenario 3: Service-chaining (FTDv + Citrix)
• ACI Security
  • Scenario 4: Micro-segmentation
  • Scenario 5: RTC & Service-Manager mode
• ACI and Tetration Analytics
  • Scenario 6: ACI Automated zero-trust network-configuration for existing environments
• ACI and Cloud Center
  • Scenario 7: ACI Automated zero-trust for IaaS
The Perfect Storm

App is the new business
Developer is the new Customer
Multicloud is the new Data Center

Cisco Intent-Based Data Center
Operational transformation for an analytics-driven secure multi-cloud world
[Diagram: columns Cost, Compliance, Analytics; layers Learn & Adjust/Model & Orchestrate, Network Assurance/Analysis, Segmentation/Infra, Application/Business; products CWOM, Network Assurance Engine, Tetration, AppDynamics, Multi-Cloud IT / Business Insights, Cisco security portfolio, CloudCenter (Model Once, Deploy Anywhere; Hybrid-Cloud Service Modeling; Google Cloud Platform Anywhere Infrastructure Integration); Software-Defined Infrastructure: ACI Networking, HyperFlex Storage, UCS Compute]

Simpler has always proved to be successful
Cisco has done this in the past, but it is time to disrupt the market again
[Diagram: 9 Fixed Catalyst 3750 StackWise; 2 Modular Catalyst 4500/6500 VSS; 48 Nexus 5K/2K FEX (no local switching): Nexus 5000 Parent Switch with Nexus 2000 Fabric Extenders]

VIDEO

The DC network before: classic modular switching. The DC network NOW: ACI.
[Diagram: classic modular chassis with Linecards (4, 8, 16), Supervisors (1 or 2) and Fabric Cards (1 to 6), a single chassis; ACI fabric with SPINE, LEAVES (linecards, from 1 to 400), Supervisors (1, 3 or more), L2 VXLAN, no STP, managed as a single chassis]

VIDEO

Cisco ACI: SDN anywhere
Bringing the best of a Hardware + Software solution
• #1 SDN solution in the market
• 4,500+ ACI customers
• 65+ ecosystem partners
• 15,000+ Nexus 9K customers globally
• 11 months payback period
• 79% less time to provision networks
• 100 to 100: from 100M to 100Gbps on the same fabric
• 3 sec recovery time after rollback
• 406 physical switches managed as one
• Cloud Integration*

*: Q1CY18
Demo
ACI Operational Benefits Review

High-Availability and Central Console (APIC)
Now, with Cisco ACI, you can build a better network… ANYWHERE.
[Diagram: Optimize Your Network; Accelerate Multicloud; Protect Your Business; ACI Anywhere]
Multi-Site
ACI Anywhere: Any Workload, Any Location, Any Cloud
[Diagram: Site A, Site B, Site C (Remote Leaf), Public Cloud* (*Q4 FY18); Security Everywhere, Analytics Everywhere, Policy Everywhere]
Our basic setup for today
We are not configuring anything we don’t know as network/security admins!

Sw(config)#vlan 10
Sw(config)#name NETWEAVER
Sw(config)#vlan 20
Sw(config)#name HANA

Tenant (CISCO_LIVE)
Application Network Profile (ANP) = Applications (SAP)
End-Point Groups (EPGs) = Roles in the app (NETWEAVER, HANA)

By default
• EPG = VLAN
• Communication inside an EPG is allowed by default
• Communication between EPGs is not allowed by default unless a contract exists
• A contract is equal to an ACL
• Routing may be done by the fabric (Anycast Gateway defined in Bridge Domains and associated to EPGs) or externally
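As an added example (not code from the session deck), the same basic setup expressed as the APIC REST payload that creates it, together with a small check of which EPG-to-EPG flows the resulting policy permits. The VRF, BD, filter and contract names and the anycast gateways 1.1.1.1/24 and 2.2.2.1/24 are assumptions for the fabric-routed variant of the lab; the managed-object class names are the real APIC ones.

```python
"""APIC REST payload for the session's basic lab tenant, plus a check of which
EPG-to-EPG flows the policy actually permits.

Added example, not from the deck. Class names (fvTenant, fvCtx, fvBD, fvSubnet,
fvRsCtx, fvAp, fvAEPg, fvRsBd, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt,
fvRsCons, fvRsProv) are real APIC managed-object classes; the VRF name and the
anycast gateways 1.1.1.1/24 and 2.2.2.1/24 are assumptions.
"""
import json
from itertools import product

POST_URL = "/api/mo/uni.json"   # where the payload would be POSTed on the APIC


def mo(cls, attrs, children=()):
    """One managed object in the JSON shape the APIC REST API accepts."""
    return {cls: {"attributes": dict(attrs), "children": list(children)}}


def build_tenant(with_contract=True):
    """Tenant CISCO_LIVE: VRF, two BDs, ANP SAP with EPGs NETWEAVER and HANA and
    a 'permit ip' contract consumed by NETWEAVER and provided by HANA."""
    vrf = mo("fvCtx", {"name": "VRF1"})                      # assumed VRF name
    bds = [
        # ARP flooding on, as the deck's pre-requisites for service insertion advise
        mo("fvBD", {"name": "BD_NETWEAVER", "arpFlood": "yes"},
           [mo("fvRsCtx", {"tnFvCtxName": "VRF1"}),
            mo("fvSubnet", {"ip": "1.1.1.1/24", "scope": "private"})]),
        mo("fvBD", {"name": "BD_HANA", "arpFlood": "yes"},
           [mo("fvRsCtx", {"tnFvCtxName": "VRF1"}),
            mo("fvSubnet", {"ip": "2.2.2.1/24", "scope": "private"})]),
    ]
    # A contract is an ACL: a filter with one 'ip' entry is 'permit ip any any'.
    flt = mo("vzFilter", {"name": "permit-ip"},
             [mo("vzEntry", {"name": "ip", "etherT": "ip"})])
    contract = mo("vzBrCP", {"name": "NETWEAVER-to-HANA", "scope": "context"},
                  [mo("vzSubj", {"name": "any"},
                      [mo("vzRsSubjFiltAtt", {"tnVzFilterName": "permit-ip"})])])
    rels = {"NETWEAVER": [mo("fvRsCons", {"tnVzBrCPName": "NETWEAVER-to-HANA"})],
            "HANA": [mo("fvRsProv", {"tnVzBrCPName": "NETWEAVER-to-HANA"})]}
    if not with_contract:                                     # EPGs with no contract at all
        rels = {"NETWEAVER": [], "HANA": []}
    anp = mo("fvAp", {"name": "SAP"}, [
        mo("fvAEPg", {"name": "NETWEAVER"},
           [mo("fvRsBd", {"tnFvBDName": "BD_NETWEAVER"}), *rels["NETWEAVER"]]),
        mo("fvAEPg", {"name": "HANA"},
           [mo("fvRsBd", {"tnFvBDName": "BD_HANA"}), *rels["HANA"]]),
    ])
    return mo("fvTenant", {"name": "CISCO_LIVE"}, [vrf, *bds, flt, contract, anp])


def payload(tenant=None):
    """JSON body to POST to POST_URL; one request creates the whole tenant."""
    return json.dumps(tenant or build_tenant(), indent=2)


def _children(obj, cls):
    """Children of a managed object that belong to class `cls`."""
    (_, body), = obj.items()
    return [c for c in body["children"] if cls in c]


def allowed_pairs(tenant):
    """(source EPG, destination EPG) pairs the policy lets talk.

    Inside one EPG traffic is allowed by default. Between EPGs it is dropped
    unless one side consumes and the other provides the same contract; with the
    default subject settings (apply both directions, reverse filter ports) a
    'permit ip' contract opens both directions, so the pair is added both ways."""
    consumes, provides = {}, {}
    for anp in _children(tenant, "fvAp"):
        for epg in _children(anp, "fvAEPg"):
            name = epg["fvAEPg"]["attributes"]["name"]
            consumes[name] = {r["fvRsCons"]["attributes"]["tnVzBrCPName"]
                              for r in _children(epg, "fvRsCons")}
            provides[name] = {r["fvRsProv"]["attributes"]["tnVzBrCPName"]
                              for r in _children(epg, "fvRsProv")}
    pairs = set()
    for src, dst in product(consumes, repeat=2):
        if src == dst or consumes[src] & provides[dst] or consumes[dst] & provides[src]:
            pairs.add((src, dst))
    return pairs


if __name__ == "__main__":
    print(payload())
    print(sorted(allowed_pairs(build_tenant())))
    print(sorted(allowed_pairs(build_tenant(with_contract=False))))   # intra-EPG only
```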
Demo
ACI Basic Setup build-up
ACI L4-L7 Service Automation
Different approaches – Support for All Devices
ACI Services Graph: L4-7 Service Automation / L4-7 Services

Network Policy Mode (also known as “Unmanaged”)
• No Device Package + Service Cluster Manager: Centralized Network Automation (with NO Device Package)
• Easy (redirect only)
• Network-admin and Services/Security-admin are different people
• Full L4-L7 service functionality (native tools)

Service Policy Mode
• L4-L7 Device Package: Full L4-L7 Centralized Service Automation (with Device Package)
• Integrated (redirect and configure)
• Single point of provisioning for network AND services
• L4-L7 functionality depends on the fixed device package

Service Manager Mode
• L4-L7 Device Package + Service Cluster Manager: Full L4-L7 Automation with Operational Flexibility (with Device Package)
• Integrated (redirect and configure)
• Joint L4-L7 management between APIC and Service Device Controller (e.g. FMC, Netscaler MAS, etc.)
• Full L4-L7 functionality with APIC integration
L4-L7 Services Insertion options and ACI basic terminology
• Two-Arm: Outside (Insecure) interface on Leaf 101, Inside (Secure) interface on Leaf 102. Mostly used by Firewalls; used by any L4-L7 device
• One-Arm: a single IN & OUT interface on Leaf 101. May be used by SLBs

L4-L7 Services Insertion options and ACI basic terminology
Routed Mode 2-arm (Go-To): FW/SLB/IPS will do routing between EPGs
[Diagram, Tenant CISCO_LIVE: EPG Netweaver (1.1.1.2/24) -- Outside 1.1.1.1 -- Service Graph (on top of a Contract) -- Inside 2.2.2.1 -- EPG HANA (2.2.2.3/24)]
Transparent Mode 2-arm (Go-Through): FW/SLB/IPS will bridge between EPGs
[Diagram, Tenant CISCO_LIVE: EPG Netweaver (1.1.1.2/24, VLAN 10) -- Outside -- Service Graph (on top of a Contract) -- Inside -- EPG HANA (1.1.1.3/24, VLAN 20)]

L4-L7 Services Insertion options and ACI basic terminology
• Logical Device
  • Represents a cluster of 2 devices that operate in active/standby mode, for instance.
  • Configure logical interfaces (defined in the device model) to be used for the device selection policy
  • Defines cluster-wide parameters where applicable, such as NTP, DNS, etc.
• Concrete Device
  • Represents a service device, e.g. one load balancer or one firewall. Can be physical or virtual
[Diagram: Service Graph Function Node (SLB) -> Logical Device -> Concrete Device + Concrete Device]

Scenario 1-A
Network-Policy Mode (Unmanaged)
ACI + ASAv integration

Scenario 1-A Objective
Network-Policy Mode (unmanaged): ASAv
Rule: permit ip traffic
[Diagram: EPG NETWEAVER (BD Netweaver, DEMO-NETWEAVER 1.1.1.2) -- ACI Leaf-Spine -- ASAv OUTSIDE / INSIDE -- ACI Spine-Leaf -- EPG HANA (BD HANA, DEMO-HANA 2.2.2.3)]
Network-admin
• Configures network (Tenants, ANPs, BDs, EPGs)
• Inter-EPG communication redirects to firewall (through contract) and specifies inside and outside interfaces
• Uses APIC
Security-admin
• Configures firewall mode & security-policies
• Policies will be consistent (due to contract) even after VM Mobility
• Uses native Firewall tools (CLI and ASDM in this case)

Scenario 1-A Objective
Network-Policy Mode (unmanaged): ASAv with VMWare, Go-To Mode
Rule: permit ip traffic
[Diagram: EPG NETWEAVER (BD Netweaver, DEMO-NETWEAVER 1.1.1.2) -- ACI Leaf-Spine -- ASAv OUTSIDE GigabitEthernet0/0 (Network Adapter 2) 1.1.1.1 / INSIDE GigabitEthernet0/1 (Network Adapter 3) 2.2.2.1 -- ACI Spine-Leaf -- EPG HANA (BD HANA, DEMO-HANA 2.2.2.3)]
Network-admin
• Configures network (Tenants, ANPs, BDs, EPGs)
• Inter-EPG communication redirects to firewall (through contract) and specifies inside and outside interfaces
• Uses APIC
Security-admin
• Configures firewall mode & security-policies
• Policies will be consistent (due to contract) even after VM Mobility
• Uses native Firewall tools (CLI and ASDM in this case)

Demo
Network-Policy Mode: ASAv Routed Mode integration with VMWare
Scenario 1-A Objective
Integrating Legacy Networks/Bare-metal and Hyper-V
Rule: permit ip traffic
[Diagram: EPG NETWEAVER (BD Netweaver; DEMO-NETWEAVER 1.1.1.2; ACI-Hyper-V-Win-2 1.1.1.40; Nexus-A / N5K-A 1.1.1.101 over Vlan 2143) -- ACI Leaf-Spine -- ASAv OUTSIDE GigabitEthernet0/0 1.1.1.1 / INSIDE GigabitEthernet0/1 2.2.2.1 -- ACI Spine-Leaf -- EPG HANA (BD HANA; DEMO-HANA 2.2.2.3)]

Demo
Network-Policy Mode: ASAv Routed Mode integration with Hyper-V and Legacy Networks
Interconnecting ACI Networks (more info at BRKACI-2003 & 2125)
L4-L7 Services may be deployed in all scenarios

Single APIC Cluster/Single Fabric
• Remote-Leaf (from 3.1 Release): ACI Fabric 1 in DC1, ACI Leaves (9300) in DC2/Branch reached over the IPN (L2/L3)
• Multi-Pod (from 2.0 Release): Pod ‘A’ … Pod ‘n’ interconnected by the IPN, MP-BGP - EVPN, one APIC Cluster

Multiple APIC Clusters/Multiple Fabrics
• Multi-Fabric (with L2 and L3 DCI): ACI Fabric 1 and ACI Fabric 2 connected through an L2/L3 DCI
• Multi-Site (From 3.0 Release): Site ‘A’ … Site ‘n’ interconnected over IP, MP-BGP - EVPN, ACI Multi-Site Controller
Scenario 1-A
Integrating Multi-Pod and Remote Leaf with ACI Anywhere
[Diagram: ACI Main DC (ACI Multi-Pod; NETWEAVER 1.1.1.2, HANA 2.2.2.3) -- IPN / IP WAN (IP network between Remote Leaf, ACI PODs and ACI Sites; IP reachability for the VTEP address pool; L2 / L3) -- Remote DC / Remote Leaf Site (WIN-HX-1 1.1.1.110 on vlan-4 / vlan-5; Nexus 5K-E 2.2.2.218 on Vlan 350, ports 1/3)]

Demo
Network-Policy Mode: ASAv Routed Mode integration with Multi-Pod and Remote Leaf
ASAv Go-To unmanaged mode (For Your Reference)
Step-by-step configuration summary

Pre-requisites: Bridge Domains and VMM
• Bridge domain settings: Flood/ARP Flooding for EP move detection/GARP
• If using AVS/AVE*: Enable VLAN+VXLAN. L4-L7 Services don’t run on VXLAN

Step 1: Create L4-L7 Device
• Create and map interfaces to VM network adapters for ASAv to use (inside/outside)
• Note: ASAv has a management interface (network adapter). Do not use it as inside or outside

Step 2: Set Concrete Device and Set Logical Device
• Name your inside and outside interfaces and map them to the interfaces created on Step 2

Step 3: Create Service Graph Template
• Assign it a name, drag and drop the Device created in Step 1 and define the operating mode

Step 4: Add a Contract
• First create a Contract to allow desired traffic

Step 5: Integrate L4-L7 Service
• Then drag-and-drop L4-L7 to contract and associate BDs to Interfaces

* L4-L7 in Roadmap for AVE
What happened behind the scenes? (For Your Reference)
Internal EPGs & Contracts created by APIC
[Diagram: user-defined contract between EPG NW (consumer) and EPG HANA (provider) with the Service Graph attached; on each side an Internal EPG and Internal Contracts, automatically created & pushed from APIC]

Scenario 1-B
Service-Policy Mode (Managed)
ACI + ASAv integration

Scenario 1-B Objective
Service-Policy Mode (ACI managed): ASAv (NEW: Orchestrator Mode, ACI 3.1)
Rule: permit ip traffic
[Diagram: EPG NETWEAVER (BD Netweaver, DEMO-NETWEAVER 1.1.1.2) -- ACI Leaf-Spine -- ASAv OUTSIDE GigabitEthernet0/0 (Network Adapter 2) / INSIDE GigabitEthernet0/1 (Network Adapter 3) -- ACI Spine-Leaf -- EPG HANA (BD HANA, DEMO-HANA 2.2.2.3)]
Network-admin & Security-admin
• Single point of provisioning for network (Tenants, ANPs, BDs, EPGs) and firewall policies
• Inter-EPG communication redirects to firewall (through contract) and specifies inside and outside interfaces plus firewall policies
• Only basic configuration should be done on the firewall, the rest will be done from APIC (http://www.cisco.com/c/en/us/td/docs/security/asa/apic/quick-start/guide/apic_qsg12.html)
• Useful when a single person manages both areas (not all firewall functionality may be available, depends on device package)

Demo
Service-Policy Mode: ASAv Routed Mode integration
ASAv Go-To “Managed” mode: changes from “unmanaged” mode
Step-by-step configuration summary

Pre-requisites: Bridge Domains and VMM
• Same BD requisites as on Slide 21
• If using AVS/AVE*: Enable VLAN+VXLAN. L4-L7 Services don’t run on VXLAN

Step 1: Create L4-L7 Device
• Download the device package and install it (L4-L7 Tab)
• Follow the ASA Quick Start Guide (http://www.cisco.com/c/en/us/td/docs/security/asa/apic/quick-start/guide/apic_qsg12.html)
• Create and map interfaces to VM network adapters for ASAv to use (inside/outside)

Step 2: Set Concrete Device

Step 3: Create Service Graph Template
• Create the Service Graph Template and assign a Profile (L4-L7 functions to load)

Step 4: Add Service Graph Template (Contract)
• Drag-and-drop a contract for your EPGs

Step 5: Integrate
• Specify the service graph and set firewall configuration

* L4-L7 in Roadmap for AVE
ASA Device Package (For Your Reference)
Two Options (Managed and Fabric Insertion/Network-Only)

Managed – Service Policy (ASA Policy Orchestration DP)
• ASA Embedded FirePOWER Services - Threat Policies: Security team configures via FMC
• ACLs, Inspections, HA, Special Features: APIC configures ASA via ASA Device Package
• Interfaces, VLANs, IPs, Static or Dynamic Routes: APIC configures ASA via ASA Device Package

Managed – Network Only (ASA Fabric Insertion DP)
• ASA adds an option that allows APIC to configure insertion into the fabric while all other ASA features are configured out of band (CLI, REST-API, CSM, CDO)
• FirePOWER Services Threat Defense Policies: Security team configures via FMC
• ACLs, Inspections, HA, and all other ASA features: Security team adds more ASA cfg.
• Interfaces, VLANs, IPs, Static or Dynamic Routes: APIC configures on ASA via ASA Device Package

Nexus9k Leafs/Spines - Shadow EPG VLANs, L3outs: APIC configures the Service Graph in the ACI Fabric

Other possible scenarios
Using Policy-based Redirection (Go-To Mode)
Selectively redirect traffic to ASA
IF HTTP = Redirect to ASA
IF ICMP = Forwarded via ACI Fabric
Rule: permit ip traffic
[Diagram: EPG NETWEAVER (BD Netweaver, gateway 1.1.1.1, DEMO-NETWEAVER 1.1.1.2) and EPG HANA (BD HANA, gateway 2.2.2.1, DEMO-HANA 2.2.2.3) on the ACI Leaf-Spine; HTTP redirected to the ASA connected to ACI EX Leaf 103 (E1/16 4.4.4.1, E1/15 5.5.5.1), ASA OUTSIDE GigabitEthernet0/0 / TenGig1/3.3114 4.4.4.2 and INSIDE GigabitEthernet0/1 / TenGig1/2.3113 5.5.5.2; ICMP forwarded by the fabric]
• All BDs are in same VRF (different BDs for ASA needed)
• Support selective redirect
• One-arm FW is supported
• EX Leaves must be used to connect FW
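As an added example (not code from the session deck), a small model of how the fabric treats a flow under this contract: HTTP matches the subject that carries the PBR service graph and is redirected to the ASA, everything else matches the “permit ip” subject and is forwarded by the fabric, and a flow between EPGs with no contract is dropped. The subject names are assumptions, and “the more specific filter wins” is a simplification of ACI’s zoning-rule priorities.

```python
"""Per-flow outcome between two EPGs when one contract subject carries a PBR
service graph (selective redirect), as on the slide.

Added example, not from the deck. The contract/subject/filter structure mirrors
the APIC objects; subject names are assumptions. Simplification: ACI gives a
specific protocol/port rule priority over an 'ip any' rule, so the most specific
matching filter entry decides which subject (and hence which redirect) applies.
The ASA PBR addresses 4.4.4.2 (outside) / 5.5.5.2 (inside) are from the slide.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FilterEntry:
    """One vzEntry: 'ip' matches everything, otherwise an IP protocol and an
    optional destination port range (tcp/udp only)."""
    proto: str
    dport: Optional[Tuple[int, int]] = None

    def matches(self, proto: str, dport: int) -> bool:
        if self.proto == "ip":
            return True
        if self.proto != proto:
            return False
        return self.dport is None or self.dport[0] <= dport <= self.dport[1]

    def specificity(self) -> int:
        # 'ip any' < protocol only < protocol + port, mirroring rule priority
        return 0 if self.proto == "ip" else (2 if self.dport else 1)


@dataclass(frozen=True)
class Subject:
    """One vzSubj: its filter entries and, when a PBR graph is attached, the
    service node traffic is redirected to (None = no service graph)."""
    name: str
    entries: Tuple[FilterEntry, ...]
    redirect: Optional[str] = None


@dataclass(frozen=True)
class Contract:
    consumer: str
    provider: str
    subjects: Tuple[Subject, ...]


# The lab contract: 'permit ip' between NETWEAVER and HANA, plus a second
# subject that carries the PBR service graph for HTTP only.
ASA_PBR = "ASA (4.4.4.2 outside / 5.5.5.2 inside)"
LAB_CONTRACTS = (
    Contract("NETWEAVER", "HANA", (
        Subject("permit-ip", (FilterEntry("ip"),)),
        Subject("http-to-asa", (FilterEntry("tcp", (80, 80)),), redirect=ASA_PBR),
    )),
)


def classify(src_epg, dst_epg, proto, dport=0, contracts=LAB_CONTRACTS):
    """What the fabric does with a flow from src_epg to dst_epg."""
    if src_epg == dst_epg:
        return "permit-intra-epg"           # no contract needed inside an EPG
    best = None                             # (specificity, subject) of best match
    for c in contracts:
        # default subject settings apply the contract in both directions
        if {c.consumer, c.provider} != {src_epg, dst_epg}:
            continue
        for s in c.subjects:
            for e in s.entries:
                if e.matches(proto, dport) and (best is None or e.specificity() > best[0]):
                    best = (e.specificity(), s)
    if best is None:
        return "deny-no-contract"           # inter-EPG default: drop
    return f"redirect:{best[1].redirect}" if best[1].redirect else "permit-fabric"


if __name__ == "__main__":
    for flow in (("NETWEAVER", "HANA", "tcp", 80), ("NETWEAVER", "HANA", "icmp", 0),
                 ("HANA", "NETWEAVER", "tcp", 22), ("HANA", "HANA", "tcp", 22),
                 ("NETWEAVER", "SAPGUI", "tcp", 80)):
        print(flow, "->", classify(*flow))
```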


Copy Services
Copy specific traffic to specific devices
[Diagram: EPG Client (consumer) -- Contract -- EPG Web (provider); Copy to IDS]
• Service Graph is mandatory and EX hardware is required
• Benefits vs traditional SPAN/ERSPAN: No encapsulation, any source any destination, no SPAN session limits
• From APIC 2.0
• Original traffic goes to Web
• Traffic is copied to the IDS endpoint directly.

Scenario 2
Inserting SLB (F5 Big IP)
We could also insert L4-L7 services without Service Graphs

F5 Big IP SLB and how it fits in our Lab
[Diagram: F5 Big IP with Outside SLB Interface (Network adapter 2, 2.2.2.25, HANA_BD) and Inside SLB Interface (Network adapter 3, 1.1.1.25, NETWEAVER_BD), F5 interfaces 1.1 and 1.2; Virtual IP 2.2.2.100 bound to a Virtual Server, LB Method (Round Robin), bound to Pool/Members WebServer1 1.1.1.26, WebServer2 1.1.1.27, WebServer3 1.1.1.28 in EPG NETWEAVER; DEMO-HANA as client]
L4-L7 Services can also be integrated without a Service-Graph by statically assigning EPGs to L4-L7 device interfaces
Demo
F5 Big IP Server Load Balancing insertion with NO Service Graph

BUT…. We would lose a lot of great ACI benefits like:
• L4-L7 automation
• Copy services
• PBR
• Faster network add/moves/changes
Scenario 3
Service Chaining (FTDv + Citrix VPX)

Scenario 3 Objective
Service chaining FTDv and Citrix Netscaler VPX SLB
[Diagram: EPG HANA (BD HANA; OUTSIDE GW 2.2.2.1; NAT VIP 2.2.2.100) -- ACI Leaf-Spine -- New-FTDv (G0/1 Adapter 3, G0/0 Adapter 2) -- BD Chain (3.3.3.1; NAT VIP 3.3.3.100; 3.3.3.25) -- Citrix VPX (G1/2 Adapter 3, G1/1 Adapter 2; Gateway 1.1.1.25) -- ACI Spine-Leaf -- EPG NETWEAVER (BD Netweaver; 1.1.1.1; Web Servers 1.1.1.X/24)]
YOU
Security-Admin
• Configures Rules, IDS/IPS, URL Filtering on the sensor
• Uses native tools (CLI and FMC)
SLB-Admin
• Configures VIP, LB Method and Services/Service-Groups
• Uses native SLB tools (Netscaler in this case)

Demo
Service Chaining (FTDv + Citrix VPX)

Service-chaining visual summary (For Your Reference)
[Diagram: CHAIN Bridge Domain]

Service-chaining visual summary (For Your Reference)
• 3 Bridge-domains created
• IPs may be provisioned for troubleshooting purposes
• Citrix VPX Network-config pushed from APIC
• Cisco FTDv Network-config pushed from APIC

What is Micro-segmentation (uSeg)?
• Micro-segmentation refers to the process of segmenting a collision domain into various segments
• Used to enhance the efficiency or security of the network and may be based on
  • VM Name
  • IP/MAC Address (e.g. 1.1.1.2, 0a:01:a7:8d:d6:0b)
  • DNS/FQDN
  • Operating System
  • Many more…
• Security-zones may now be dynamically defined based on attributes and not only via IP addresses, ports and/or static IP Switching/Routing
• ACI provides a differentiated approach on micro-segmentation since it supports multiple hypervisors, containers and bare-metal environments with a single and consistent policy model

Scenario 4
Microsegmentation
Ransomware / Operating System Vulnerability
Vulnerability found on CentOS!

Demo
Microsegmentation: Finding all possible vulnerable OS installs to avoid further attacks
AVE vs AVS vs DVS
Different options to connect your VMWare environment
[Table: Feature | ACI + AVE | ACI + AVS | ACI + VMWare DVS. Rows: VXLAN (local/no local); VM Attribute based microsegmentation (Requires EX+ Leaves; Granular EPG Definition using VM or networking attributes); Multiple L2 hops between host and leaf]
You can use VMWare default VDS, Cisco AVS or Cisco AVE for your ACI environment
AVE will be available in the future (CY18) to other Hypervisors
VM Attribute-based Microsegmentation also available for Hyper-V/SCVMM
For Your Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/3-x/virtualization/b_ACI_Virtualization_Guide_3_1_1/b_ACI_Virtualization_Guide_3_1_1_chapter_0100.html

Cisco ACI Virtual Edge (For Your Reference)
Decoupled From Hypervisor Kernel API Dependencies
[Diagram: AVS (Today): switching + policy enforcement in the hypervisor kernel, hypervisor dependent. Cisco AVE: policy enforcement, services and telemetry in user space (the AVE VM), native vSwitch in the kernel, hypervisor agnostic]
• Maintain Existing Operational Models
• Simple Transition/Migration AVS => AVE
• Policy Consistency Across Multiple Hypervisors
• AVS/AVE Feature Parity

Scenario 5
Service-Policy Mode and Rapid Threat Containment

Scenario 5 Objective
Rapid Threat Containment and Micro-segmentation against Hackers/Threats
[Diagram: the Scenario 3 service chain (EPG HANA, BD HANA, OUTSIDE GW 2.2.2.1, NAT VIP 2.2.2.100 -- New-FTDv G0/1 Adapter 3 / G0/0 Adapter 2 -- BD Chain 3.3.3.1, NAT VIP 3.3.3.100, 3.3.3.25 -- Citrix Netscaler G1/2 Adapter 3 / G1/1 Adapter 2, Gateway 1.1.1.25 -- EPG NETWEAVER, BD Netweaver, 1.1.1.1, Web Servers 1.1.1.X/24); attacker DEMO-LINUX (LINUX-2) 2.2.2.160 (NAT) / 3.3.3.15 (Real)]
Security-admin
• Create Correlation event at FMC
• If Correlation event is detected, push uEPG into ACI and quarantine attacker

Demo
Microsegmentation and Rapid Threat Containment with Cisco FMC
L4-L7 Service Manager Mode
Dynamic Device Package provisioning
[Diagram: 1 Create Template on the Service Device Controller; 2 Associate template with service graph on APIC; 3 Deploy L2-3 Configuration (fabric) and Deploy L4-7 Configuration (service device); 4 service devices configured]
Service device keeps full native functions and customizable parameters available
Why Service Manager Mode?
• Deploy Apps Faster
• Preserve Administrative Boundaries
• Maintain L2-L7 Automation
• Operational Flexibility

ACI ADC L4-7 Integration (For Your Reference)
Ecosystem Partner | Network Policy | Service Policy | Service Manager
(partner logo) | ✓ | ✘ | –
(partner logo) | ✓ | ✓ | MAS
(partner logo) | ✓ | ✓ | vDirect (Roadmap)
(partner logo) | ✓ | ✓ | aGalaxy (Pending Certification)
(partner logo) | ✓ | ✘ | Service Manager with API

Using programmability on ACI to deploy L4-L7 services
Automating Cisco ACI and F5 BIG-IP Deployment with Ansible
• ACI operational success is its capability to execute the entire workflow by REST API
• F5 BIG-IP has a rich API foundation and Ansible modules to integrate with Cisco ACI

Key Benefits:
• Loose coupling allows integration flexibility (plug in new components / remove outdated technologies)
• Multiple vendors’ software version dependency no longer applies
• Maintain consistent F5 BIG-IP features and deployment ownerships

ACI Security Enforcement L4-7 Integration (For Your Reference)
Ecosystem Partner | Network Policy | Service Policy | Service Manager
Cisco ASA NGFW | ✓ | ✓ | FMC
(partner logo) | ✓ | ✘ | vSec (Roadmap)
(partner logo) | ✓ | ✓ | FortiManager
(partner logo) | ✓ | ✘ | Panorama

ACI Cloud Orchestrator L4-7 Integrations (For Your Reference)
Partner | Network Policy | Service Policy | Service Manager | Cloud Orchestrator
Cisco ASA NGFW | ✓ | ✓ | FMC | Cisco ASA (Q1CY2018)
(partner logo) | ✓ | ✘ | vSec | vSec (Q1CY2018)
(partner logo) | ✓ | ✓ | MAS | MAS and NS
As shown in today’s Service Policy demo!

Challenges in application segmentation
ACI Programmability use-cases
• How to define a Zero-Trust Model for my applications?
• How to rapidly deploy that model into ACI for enforcement?
  • Contracts & Filters
  • EPGs
ACI App Store

Demo
Tetration and ACI automatic enforcement integration
ACI and AppDynamics
Coming soon!
Enhanced Visibility & Monitoring
• Instant visibility into Application Service Endpoints and Business Transactions correlating to ACI fabric constructs
• Monitor health of your Application Services and Business Transactions on APIC
Troubleshooting
• Reduce MTTR for business service outages
• Seamlessly automate and hand off the troubleshooting workflow between AppDynamics Application Endpoints and the context-aware APIC
[Placeholder for ACI App screenshot: made available through ACI AppCenter; made available through the AppD Controller]

Demo
Cloud Center and ACI Integration
ACI Benefits for Security and L4-L7 Services
Consistent security for all your Data Center needs today and tomorrow
[Diagram: Cisco Cloud Center; Cisco Network Assurance Engine]

Past
• Discover your applications: Using ADM and ACI, discover how your apps communicate and push a zero-trust model automatically to ACI
• Use your network as a sensor: Monitor your applications and their performance in real-time with hardware/software sensors

Present
• Integrate L4-L7 services easier: Automate network connectivity for your virtual and/or physical devices and integrate monitoring/managing if desired by APIC or in conjunction with a device controller
• Microsegment anything: Multi-hypervisor and bare-metal loads through a single policy-model. Segment by OS, IP, Attribute or even by pattern (as shown with FMC)

Future
• IaaS with zero-trust integrated: Provision your services with integrated security through Cloud Center Application Profiles, which can be integrated into ACI for a consistent model
• Multi-cloud consistency: Secure your applications regardless of their location, either on-prem with ACI or off-prem at your public cloud, without remodeling

Summary and Conclusions

ACI Anywhere
Any Workload, Any Location, Any Cloud
[Diagram: Remote PoD (Remote Location) -- IP WAN -- Multi-Pod / Multi-Site (On Premise) -- IP WAN -- Hybrid Cloud Extension (Public Cloud); Security Everywhere, Analytics Everywhere, Policy Everywhere]

Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you
