How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKACI-2506
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
What to expect from this session
• This is NOT another PowerPoint-only session
• We will focus on the most common scenarios that you need to know to implement Security and/or L4-L7 services on ACI
• This session is based on lessons learned from production-grade ACI network implementations
Agenda
ACI Basics review
L4-L7 integration modes overview and basics
Scenario 1: Network-Policy vs Service-Policy mode (ASAv/Firewall)
Other possible scenarios
Scenario 2: Inserting SLB (F5 Big IP)
Scenario 3: Service-chaining (FTDv + Citrix)
ACI Security
Scenario 4: Micro-segmentation
Scenario 5: RTC & Service-Manager mode
ACI and Tetration Analytics
Scenario 6: ACI Automated zero-trust network-configuration for existing environments
ACI and Cloud Center
Scenario 7: ACI Automated zero-trust for IaaS
The Perfect Storm
App is the new business
Developer is the new Customer
Multicloud is the new Data Center
Cisco Intent-Based Data Center
Operational transformation for an analytics-driven secure multi-cloud world
Diagram of the Cisco portfolio: Network Assurance Engine, CWOM, Tetration, AppDynamics, Multi-Cloud IT/Business Insights, Cisco security portfolio, Hybrid-Cloud Platform (Google Cloud Infrastructure Integration), ACI Anywhere, and Software-Defined Infrastructure (ACI Networking, HyperFlex Storage, UCS Compute)
Simpler has always proved to be successful
Cisco has done this in the past, but it is time to disrupt the market again
Diagram: Fixed Catalyst 3750 StackWise; Modular Catalyst 4500/6500 VSS; Nexus 5K/2K FEX (no local switching)
VIDEO
The DC network before: classic modular switching
Linecards (4, 8 or 16)
Supervisors (1 or 2)
Fabric Cards (1 to 6)
The DC network NOW: ACI
Leaves, the linecards of the fabric (from 1 to 400)
Spines
"Supervisors" (1, 3 or more)
L2 VXLAN, no STP
VIDEO
Cisco ACI: SDN anywhere
Bringing the best of a Hardware + Software solution
*: Q1CY18
Demo: Protect Your Business
Multi-Site: ACI Anywhere
Any Workload, Any Location, Any Cloud
Diagram: Site A, Site B, Site C (Remote Leaf), Public Cloud (*Q4 FY18); Security Everywhere, Analytics Everywhere, Policy Everywhere
Our basic setup for today
Sw(config)#vlan 10
Sw(config)#name NETWEAVER
Sw(config)#vlan 20
Sw(config)#name HANA
We are not configuring anything we don't know as network/security admins!
Tenant (CISCO_LIVE)
Application Network Profile (ANP) = Applications (SAP)
End-Point Groups (EPGs) = Roles in the app (NETWEAVER, HANA)
By default:
EPG = VLAN
Communication inside an EPG is allowed by default
Communication between EPGs is not allowed by default unless a contract exists
A contract is equal to an ACL
Routing may be done by the fabric (Anycast Gateway defined in Bridge Domains and associated to EPGs) or externally
Demo: ACI Basic Setup build-up
ACI L4-L7 Service Automation
Different approaches: support for all devices
Network Policy mode, "easy" (redirect only): network-admin and services/security-admin are different people; full L4-L7 service functionality through the device's native tools; also known as "Unmanaged"
Service Policy mode, integrated (redirect and configure): single point of provisioning for network AND services; L4-L7 functionality depends on the device package
Service Manager mode, integrated (redirect and configure): joint L4-L7 management between APIC and the service device controller (e.g. FMC, NetScaler MAS, etc.); full L4-L7 functionality with APIC integration
L4-L7 Services Insertion options and ACI basic terminology
Two-Arm: Outside (Insecure) interface on Leaf 101, Inside (Secure) interface on Leaf 102
One-Arm: a single IN & OUT interface on Leaf 101
L4-L7 Services Insertion options and ACI basic terminology
Routed Mode 2-arm (Go-To): the FW/SLB/IPS will do routing between EPGs
Diagram: EPG Netweaver (1.1.1.2/24) <-> Outside 1.1.1.1 [Service Graph, on top of a Contract] Inside 2.2.2.1 <-> EPG HANA (2.2.2.3/24), all in Tenant CISCO_LIVE
L4-L7 Services Insertion options and ACI basic terminology
• Logical Device
• Represents a cluster of 2 devices that operate in active/standby mode, for instance.
• Configure logical interfaces (defined in the device model) to be used for the device selection policy
• Defines cluster-wide parameters where applicable, such as NTP, DNS, etc.
• Concrete Device
• Represents a service device, e.g. one load balancer or one firewall. Can be physical or virtual
Diagram: Logical Device "SLB" made up of two Concrete Devices
Scenario 1-A
Network-Policy Mode (Unmanaged)
ACI + ASAv integration
Scenario 1-A Objective
Network-Policy Mode (unmanaged): ASAv
Rule: permit ip traffic
Diagram: DEMO-NETWEAVER (1.1.1.2) in BD Netweaver, ACI Leaf-Spine, ASAv OUTSIDE / INSIDE, ACI Spine-Leaf, BD HANA with DEMO-HANA (2.2.2.3); roles: Network-admin, Security-admin
Scenario 1-A Objective
Network-Policy Mode (unmanaged): ASAv with VMware, Go-To mode
Rule: permit ip traffic
Diagram: DEMO-NETWEAVER (1.1.1.2) in BD Netweaver, ACI Leaf-Spine, ASAv GigabitEthernet0/0 1.1.1.1 / GigabitEthernet0/1 2.2.2.1, ACI Spine-Leaf, BD HANA with DEMO-HANA (2.2.2.3); roles: Network-admin, Security-admin
Demo: Network-Policy Mode, ASAv Routed Mode integration with VMware
Scenario 1-A Objective
Integrating Legacy Networks/Bare-metal and Hyper-V
Rule: permit ip traffic
Diagram: ASAv OUTSIDE GigabitEthernet0/0 1.1.1.1 / INSIDE GigabitEthernet0/1 2.2.2.1 between BD Netweaver and BD HANA (ACI Leaf-Spine on both sides); DEMO-NETWEAVER 1.1.1.2 and DEMO-HANA 2.2.2.3; ACI-Hyper-V-Win-2 1.1.1.40 on Vlan 2143; Nexus-A / N5K-A 1.1.1.101
Demo: Network-Policy Mode, ASAv Routed Mode integration with Hyper-V and Legacy Networks
Interconnecting ACI Networks (more info at BRKACI-2003 & 2125)
Diagram: Multi-Pod (Pod 'A' ... Pod 'n' over an IPN, one APIC Cluster) and Multi-Site (Site 'A' ... Site 'n' over IP, ACI Multi-Site Controller)
Scenario 1-A
Integrating Multi-Pod and Remote Leaf with ACI Anywhere
Diagram: Nexus 5K-E, interface 1/3, Vlan 350, 2.2.2.218
Demo: Network-Policy Mode, ASAv Routed Mode integration with Multi-Pod and Remote Leaf
ASAv Go-To unmanaged mode: step-by-step configuration summary (For Your Reference)
Assign it a name, drag and drop the Device created in Step 1 and define the operating mode
Name your inside and outside interfaces and map them to the interfaces created in Step 2
Map BDs to Interfaces
If using AVS/AVE*: enable VLAN+VXLAN; L4-L7 services don't run on VXLAN
* L4-L7 in roadmap for AVE
What happened behind the scenes? (For Your Reference)
Diagram: consumer EPG NW and provider EPG HANA linked by the Contract; the Service Graph adds Internal EPGs and Internal Contracts on both sides
Scenario 1-B
Service-Policy Mode (Managed)
ACI + ASAv integration
Scenario 1-B Objective
Service-Policy Mode (ACI managed): ASAv (NEW in ACI 3.1: Orchestrator Mode)
Rule: permit ip traffic
Diagram: EPG NETWEAVER / DEMO-NETWEAVER (1.1.1.2) in BD Netweaver, ACI Leaf-Spine, ASAv, ACI Spine-Leaf, BD HANA with EPG HANA / DEMO-HANA (2.2.2.3); role: Network-admin & Security-admin
• Single point of provisioning for network (Tenants, ANPs, BDs, EPGs) and firewall policies
• Inter-EPG communication redirects to the firewall (through a contract) and specifies inside and outside interfaces plus firewall policies
• Only basic configuration should be done on the firewall, the rest will be done from APIC (http://www.cisco.com/c/en/us/td/docs/security/asa/apic/quick-start/guide/apic_qsg12.html)
• Useful when a single person manages both areas (not all firewall functionality may be available, depends on device package)
Demo: Service-Policy Mode, ASAv Routed Mode integration
ASAv Go-To "Managed" mode: changes from "unmanaged" mode (For Your Reference)
If using AVS/AVE*: enable VLAN+VXLAN; L4-L7 services don't run on VXLAN
* L4-L7 in roadmap for AVE
ASA Device Package (For Your Reference)
Other possible scenarios
Using Policy-based Redirection (Go-To mode): selectively redirect traffic to the ASA
Diagram: DEMO-NETWEAVER (1.1.1.2) in BD Netweaver and DEMO-HANA (2.2.2.3) in BD HANA, with 1.1.1.1 and 2.2.2.1 in the respective BDs; ASA connected to ACI EX Leaf 103 ports E1/16 and E1/15 (ASA TenGig1/3.3114 and TenGig1/2.3113) with PBR addresses 4.4.4.1 / 4.4.4.2 and 5.5.5.1 / 5.5.5.2; ICMP and HTTP flows shown
• One-arm FW is supported
Scenario 2
Inserting SLB (F5 Big IP)
We could also insert L4-L7 services without Service Graphs
F5 Big IP SLB and how it fits in our Lab
Diagram: Virtual Server with a Virtual IP and LB Method (Round Robin), bound to a Pool whose Members are WebServer1 (1.1.1.26) and WebServer3 (1.1.1.28); labels EPG NETWEAVER, DEMO-HANA, Network adapter 2, Network adapter 3
L4-L7 Services can also be integrated without a Service-Graph by statically assigning EPGs to L4-L7 device interfaces
Demo
Diagram labels: L4-L7 services automation; Copy; PBR; Network; Faster adds/moves/changes
Scenario 3
Service Chaining (FTDv + Citrix VPX)
Scenario 3 Objective
Service chaining FTDv and Citrix NetScaler VPX SLB
Diagram: YOU, FTDv (Security-Admin), Citrix VPX (SLB-Admin), Web Servers 1.1.1.X/24; NAT VIPs 2.2.2.100 and 3.3.3.100
Demo: Service Chaining (FTDv + Citrix VPX)
Service-chaining visual summary (For Your Reference)
Service-chaining visual summary (For Your Reference): 3 Bridge-domains created; IPs may be provisioned for troubleshooting purposes; Citrix VPX network-config pushed from APIC
What is Micro-segmentation (uSeg)?
• Micro-segmentation refers to the process of segmenting a collision domain into various segments
• Used to enhance the efficiency or security of the network and may be based on
• VM Name
• IP/MAC Address
• DNS/FQDN
• Operating System
• Many more…
Diagram: endpoint attributes such as IP 1.1.1.2, VM-Name and MAC 0a:01:a7:8d:d6:0b
Scenario 4
Microsegmentation
Use cases: Ransomware; Operating System Vulnerability
Demo
vSwitch options for microsegmentation (table labels): VXLAN (local/no local); VM-attribute-based microsegmentation; requires EX+ leaves; granular EPG definition using VM or networking attributes; multiple L2 hops between host and leaf
You can use VMware default VDS, Cisco AVS or Cisco AVE for your ACI environment
AVE will be available in the future (CY18) for other Hypervisors
VM Attribute-based Microsegmentation is also available for Hyper-V/SCVMM
For Your Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/3-x/virtualization/b_ACI_Virtualization_Guide_3_1_1/b_ACI_Virtualization_Guide_3_1_1_chapter_0100.html
Cisco ACI Virtual Edge (For Your Reference)
Diagram: AVE runs in user space as a VM next to the workload VMs (policy enforcement, services, telemetry) on top of the native vSwitch in the kernel, whereas AVS does switching and policy enforcement in the kernel
Maintain existing operational models; simple transition/migration AVS => AVE; policy consistency across multiple hypervisors; AVS/AVE feature parity
Scenario 5
Service-Policy Mode and Rapid Threat Containment
Scenario 5 Objective
Rapid Threat Containment and Micro-segmentation against Hackers/Threats
Diagram: Web Servers 1.1.1.X/24; DEMO-LINUX / LINUX-2 at 2.2.2.160 (NAT) and 3.3.3.15 (Real); EPG HANA, EPG NETWEAVER; Security-admin
Create a Correlation event at FMC. If the Correlation event is detected, push a uSeg EPG into ACI and quarantine the attacker
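As an added example (not code from the deck, from APIC or from FMC), the following Python models the default policy rules from the basic-setup slide, the attribute-based uSeg classification, and the Rapid Threat Containment quarantine step described above; the QUARANTINE-* EPG name, the second NETWEAVER endpoint and the extra MAC addresses are constructed.

```python
# Added illustration, not APIC code: a minimal model of the ACI policy rules in
# this deck (intra-EPG allowed, inter-EPG needs a contract, uSeg EPGs classify
# by attribute). QUARANTINE-* and the second NETWEAVER endpoint are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    ip: str
    mac: str
    vm_name: str
    base_epg: str  # membership by VLAN/port: the default "EPG = VLAN" rule


@dataclass
class USegEPG:
    name: str
    match: dict  # attribute name -> required value; every attribute must match


@dataclass
class Fabric:
    # unordered EPG pairs: ACI applies a contract in both directions by default
    contracts: set = field(default_factory=set)
    useg_epgs: list = field(default_factory=list)

    def add_contract(self, consumer: str, provider: str) -> None:
        self.contracts.add(frozenset((consumer, provider)))

    def effective_epg(self, ep: Endpoint) -> str:
        # uSeg classification wins over the base (VLAN-derived) EPG
        for useg in self.useg_epgs:
            if all(getattr(ep, a) == v for a, v in useg.match.items()):
                return useg.name
        return ep.base_epg

    def allowed(self, src: Endpoint, dst: Endpoint) -> bool:
        s, d = self.effective_epg(src), self.effective_epg(dst)
        if s == d:
            return True  # communication inside an EPG is allowed by default
        return frozenset((s, d)) in self.contracts  # else a contract (ACL) is needed

    def quarantine(self, attacker_ip: str) -> str:
        # Rapid Threat Containment: push a uSeg EPG keyed on the attacker's IP;
        # with no contract attached it can no longer reach any other EPG
        name = f"QUARANTINE-{attacker_ip}"
        self.useg_epgs.append(USegEPG(name, {"ip": attacker_ip}))
        return name


def demo_lab() -> dict:
    """Walk the deck's lab: NETWEAVER <-> HANA before/after a contract and after RTC."""
    nw = Endpoint("1.1.1.2", "0a:01:a7:8d:d6:0b", "DEMO-NETWEAVER", "NETWEAVER")
    nw2 = Endpoint("1.1.1.3", "0a:01:a7:8d:d6:0c", "DEMO-NETWEAVER-2", "NETWEAVER")
    hana = Endpoint("2.2.2.3", "0a:01:a7:8d:d6:0d", "DEMO-HANA", "HANA")
    fab = Fabric()
    result = {"no_contract": fab.allowed(nw, hana), "intra_epg": fab.allowed(nw, nw2)}
    fab.add_contract("NETWEAVER", "HANA")
    result["with_contract"] = fab.allowed(nw, hana)
    fab.quarantine(nw.ip)  # the FMC correlation event fires for 1.1.1.2
    result["quarantined_to_hana"] = fab.allowed(nw, hana)
    result["quarantined_to_peer"] = fab.allowed(nw, nw2)
    return result
```

Note that the quarantined endpoint loses even intra-EPG reachability to its former NETWEAVER peers, because the uSeg EPG changes its classification rather than adding a deny rule.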
Demo
ACI ADC L4-7 Integration (For Your Reference)
Table: Ecosystem Partner support for Network Policy / Service Policy / Service Manager modes; Service Manager rows reference MAS, vDirect (roadmap), aGalaxy (pending certification) and Service Manager with API
Using programmability on ACI to deploy L4-L7 services
Automating Cisco ACI and F5 BIG-IP Deployment with Ansible
• ACI's operational success is its capability to execute the entire workflow by REST API
• F5 BIG-IP has a rich API foundation and Ansible modules to integrate with Cisco ACI
Key Benefits:
ACI Security Enforcement L4-7 Integration (For Your Reference)
Table: Ecosystem Partner support for Network Policy / Service Policy / Service Manager modes; rows reference Cisco ASA, NGFW with FMC, vSec (roadmap), FortiManager and Panorama
ACI Cloud Orchestrator L4-7 Integrations (For Your Reference)
Challenges in application segmentation
ACI Programmability use-cases
How to define a Zero-Trust Model for my applications? How to rapidly deploy that model into ACI for enforcement?
Demo
• Instant visibility into Application Service Endpoints and Business Transactions correlating to ACI fabric constructs
• Monitor health of your Application Services and Business Transactions on APIC
• Reduce MTTR for business service outages
• Seamlessly automate and hand off the troubleshooting workflow between AppDynamics Application Endpoints and the context-aware APIC
Demo
Cloud Center and ACI Integration
ACI Benefits for Security and L4-L7 Services
Consistent security for all your Data Center needs today and tomorrow
Summary and Conclusions
ACI Anywhere
Any Workload, Any Location, Any Cloud
Diagram: ACI Anywhere sites interconnected over IP / WAN
Cisco Intent-Based Data Center
Operational transformation for an analytics-driven secure multi-cloud world
Diagram: Cost, Compliance, Analytics; Learn & Adjust / Model & Orchestrate; Network Assurance / Analysis; Segmentation / Infra; Application / Business; Cisco portfolio: Hybrid-Cloud Platform (Google Cloud Infrastructure Integration), ACI Anywhere, Software-Defined Infrastructure (ACI Networking, HyperFlex Storage, UCS Compute)
Cisco Spark
Questions?
Use Cisco Spark to communicate with the speaker after the session
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you