Professional Documents
Culture Documents
BRKDCN 2984
BRKDCN 2984
BRKDCN-2984
Agenda
• Setting the scene
• Network Centric vs Application Centric
• Greenfield vs Brownfield
• Converting from Network Centric to Application Centric
• Allowing open communication
• ESGs under the covers
• L4-L7 service integration
• External connectivity
• Increasing security
• Automated blueprints
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Why are you here…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
ACI - "just another network", or the foundation of an internal private cloud?
There are thousands of customers globally who have successfully deployed ACI fabrics and operate them as "just another network", but what if you could
operate your ACI fabric as programmable private cloud infrastructure?
In this session we will look at how you can operate your ACI fabric as the foundation of an internal private cloud. We will look at how to migrate services onto
an ACI fabric (network centric) and then implement segmentation (application centric). We will look at how to use Endpoint Security Groups to wrap security
around endpoints within a VRF. We will then see how we can block East / West traffic within a hypervisor, and finally we'll dynamically add in firewalls to
provide targeted L7 control.
If you're thinking this might prove time consuming to implement from the UI, we will show how all the configuration can be fully automated using Terraform.
Consuming an ACI fabric as "just another cloud" allows organisations choice on where to place workloads. Whether workloads are hosted in a public cloud,
or on an on-premise private cloud, the consumption model should, and can, be the same.
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Before we get started…
There are lots (and lots) of details in this presentation, please
download through the Ciscolive app.
Well unless you have binoculars with you…!
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Icons
L3out EPG ESG Cont
Tenant L3out EPG ESG Contract
BD
Entry
Bridge Domain
Entry
Subnets
Subnets *arrows indicate expected direction of traffic flow i.e. from consumer to provider
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Icons
name L3out EPG name ESG Cont
name
name name
C CCI I P
AP name extEPG
EPG ESG Filt
name
name name name
C CCI I P C CCI I P
extEPG
BD name
name C CCI I P C CCI I P
Entry
EPG ESG
name
C CCI I P name name
C CCI I P C CCI I P
C CCI I P
Subnets extEPG
name name
EPG ESG
C CCI I P
*arrows indicate expected direction of traffic flow i.e. from consumer to provider Resize by dragging the
inner bottom right handle
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Icons - small
name L3out EPG name ESG Cont
name
name name
C CCI I P
AP name extEPG
EPG ESG Filt
name
name name name
C CCI I P C CCI I P
extEPG
BD name
name C CCI I P C CCI I P Entry
EPG ESG
name
C CCI I P name name
C CCI I P C CCI I P
C CCI I P
Subnets extEPG
name name EPG
C CCI I P vzAny
C CCI I P
extEPG
EPG
name
vzAny
C CCI I P
C CCI I P
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
The ACI reference application from circa 2014…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
The mythical three tier application…!
Web App DB
APIC
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Our reference application for this presentation…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Online Boutique
https://github.com/GoogleCloudPlatform/microservices-demo
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Online Boutique
https://github.com/GoogleCloudPlatform/microservices-demo
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Who hasn’t heard of “the journey to the cloud”…?
AWS reference architecture
https://docs.aws.amazon.com/vpc/latest/userguide/extend-intro.html
AWS Backbone
eu-west-1-production eu-west-2-production
Public subnet Private subnet Public subnet Private subnet
NAT gateway Route table Route table Transit NAT gateway Route table Route table
Gateway
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Network Connectivity and Security are mandatory in the
cloud…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Different clouds run different hypervisors
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Executive Cross Functional
Sponsorship Teams
New Talent
Scaling
Attraction
Evolution Instead
Partnerships 2.0
of Revolution
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
A cloud operating model succeeds best when there is a
new organizational culture…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
Cloud operating models have changed the way that
security is implemented…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
With a cloud operating model, security rules are typically
declared with the application constructs…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Conversely, within enterprise Data Centers security has
been implemented by network and/or security
administrators at a VRF boundary…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Traditional Enterprise Security Model
Outside Inside
ubuntu-01 ubuntu-02
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
ACI is the foundation for an internal private cloud…!
Hybrid cloud capability; Single API Model for 100s of Infrastructure as Code with
public cloud-like networking switches and 1000s of ports; Ansible and Terraform
constructs cloud-like consumption model
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Network Centric vs Application Centric
What does Google say about the different modes…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
What does Google say about migration from one mode
to another…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
Where should we start…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Design Considerations…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Design Patterns VRFs and BDs in “common”
with EPGs and ESGs in the
VRFs in “common” with
BDs, EPGs and ESGs in
Everything in the “common” “user” tenant the “user” tenant
Tenant is not typically seen
tn-common tn-common tn-common
AP
tn-demo
Network EPG EPG
VLAN VLAN
Segments (Security isolation per (Security isolation per BD subnet(s) BD subnet(s)
Bridge Domain) Bridge Domain)
tn-demo
AP
EPG EPG AP Network EPG EPG
VLAN VLAN VLAN VLAN
EPG EPG Segments (Security isolation per (Security isolation per
(Security isolation per (Security isolation per Network VLAN VLAN
Bridge Domain) Bridge Domain) Segments Bridge Domain) Bridge Domain)
(Security isolation per (Security isolation per
Bridge Domain) Bridge Domain)
EPG EPG
VLAN VLAN
AP EPG EPG (Security isolation per (Security isolation per
VLAN VLAN
Bridge Domain) Bridge Domain)
ESG (Security isolation per (Security isolation per
Apps
Bridge Domain) Bridge Domain)
(Optional)
Security isolation across Bridge Domains
AP
AP Apps ESG
ESG (Optional)
Apps Security isolation across Bridge Domains
Typically, fewer larger subnets which can Dedicated subnets for tenants with VRFs
be (optionally) shared across Tenants that can be (optionally) shared by different
Tenants
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Design Patterns Network team controls
inbound/outbound routing
Large subnets can be
shared across Tenants
All networking constructs
contained within a Tenant
tn-demo tn-shared-services tn-shared-services
BD subnet(s) BD subnet(s)
AP
tn-demo tn-common
Network EPG EPG
VLAN VLAN
Segments (Security isolation per (Security isolation per vrf-01 common.vrf-01
Bridge Domain) Bridge Domain)
BD subnet(s) BD subnet(s) BD subnet(s)
EPG EPG
VLAN VLAN AP
(Security isolation per (Security isolation per
Bridge Domain) Bridge Domain) Network EPG EPG
VLAN VLAN
Segments (Security isolation per (Security isolation per
Bridge Domain) Bridge Domain)
tn-demo tn-test
AP
EPG EPG AP AP
VLAN VLAN
Apps ESG (Security isolation per (Security isolation per Network EPG Network EPG
(Optional) Bridge Domain) Bridge Domain) VLAN VLAN
Security isolation across Bridge Domains Segments Segments
(Security isolation per (Security isolation per
Bridge Domain) Bridge Domain)
AP EPG EPG
VLAN VLAN
Apps ESG (Security isolation per (Security isolation per
Dedicated VRFs and subnets for each (Optional)
Security isolation across Bridge Domains
Bridge Domain) Bridge Domain)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Each Tenant has their own IP Range
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Convert Brownfield Network Centric
environment to Application Centric
environment
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
Network engineers “view” of their ACI environment…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Workloads identified by IP and Mac address
tn-demo
vrf-01
AP
EPG 192.168.150.0_24 EPG 192.168.151.0_24 EPG 192.168.152.0_24 EPG 192.168.153.0_24 EPG 192.168.154.0_24 EPG 192.168.155.0_24 EPG 192.168.156.0_24
network-segments
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
What does the application owner care about…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
DNS names, IP addresses, Default Gateways, and
Security Rules…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Online Boutique
https://github.com/GoogleCloudPlatform/microservices-demo
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Online Boutique
https://github.com/GoogleCloudPlatform/microservices-demo
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Endpoints span subnets
tn-demo
vrf-01
AP
EPG 192.168.150.0_24 EPG 192.168.151.0_24 EPG 192.168.152.0_24 EPG 192.168.153.0_24 EPG 192.168.154.0_24 EPG 192.168.155.0_24 EPG 192.168.156.0_24
network-segments
checkout
payment
Redis cache
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
Let’s convert to “Application Centric” mode
tn-demo
vrf-01
AP
EPG 192.168.150.0_24 EPG 192.168.151.0_24 EPG 192.168.152.0_24 EPG 192.168.153.0_24 EPG 192.168.154.0_24 EPG 192.168.155.0_24 EPG 192.168.156.0_24
network-segments
frontend
Bridge Domains
checkout
payment
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
You can convert from Network Centric mode to
Application Centric mode in Two Steps…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Step 1: Create Application Profiles and Security Groups
Application Profile for EPG
demo
mapped Endpoint Security
Groups
vrf-01
Contract allowing open or AP epg-matched-esg
network-segments
C CCI I P
Single “network-segments”
Endpoint Security Group for all
BD 192.168.150.0_24 BD 192.168.151.0_24 BD 192.168.152.0_24
ESXi hosts
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Step 2: Create ACI Tags to match vCenter Tags
vCenter Application Workload
Tags
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
Endpoints automatically move to new Security Group
Application Profile for EPG
demo
mapped Endpoint Security
vrf-01
Groups
AP epg-matched-esg
Single “network-segments”
Endpoint Security Group for all
BD 192.168.150.0_24 BD 192.168.151.0_24 BD 192.168.152.0_24
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Automated conversion to “Application Centric”
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Allowing open communication in a
Brownfield environment…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
There are four options…
https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-743951.html#Migrationexample
• vzAny
• Preferred Groups
• EPGs mapped Endpoint Security Groups
• Disable security (not covered, because why would you…?)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
vzAny operation – consumer and provider
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Use_vzAny_to_AutomaticallyApplyCommunicationRules_toEPGs.html
demo
vrf-01
Entry
C CCI I P
EPG unspecified
vzAny
C CCI I P
vzAny as a contract Provider and
Consumer means that all EPGs (inc
extEPG) are implicitly Providers
and Consumers of the contract
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Preferred Groups
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_KB_Use_vzAny_to_AutomaticallyApplyCommunicationRules_toEPGs.html
demo
vrf-01
There is only one
preferred group per VRF
Preferred Group
BD 192.168.150.0_24 BD 192.168.151.0_24 BD 192.168.152.0_24 Enable Preferred Group
C CCI
EPG
I P C CCI
EPG
I P C CCI
EPG
I P
on VRF
192.168.150.0_24 192.168.151.0_24 192.168.152.0_24
dynamic (P,S) vlans dynamic (P,S) vlans dynamic (P,S) vlans
Intra EPG = Unenforced Intra EPG = Unenforced Intra EPG = Unenforced
C CCI I P C CCI I P C CCI I P
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
EPGs mapped to Endpoint Security Groups
Application Profile for EPG
demo
mapped Endpoint Security
vrf-01
Groups
AP epg-matched-esg
ESG
network-segments
C CCI I P
Single “network-segments”
Endpoint Security Group for all
BD 192.168.150.0_24 BD 192.168.151.0_24 BD 192.168.152.0_24
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
Let’s step back and look at the impact of the changes…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Bridge Domain to EPG Mapping
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Isolated groups of workloads
demo
vrf-01
ESXi Host: 10.237.98.145 ESXi Host: 10.237.98.146 ESXi Host: 10.237.98.147 ESXi Host: 10.237.98.148
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Each EPG has a unique security Tag (pcTag)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
Enable Endpoint Security Groups Primary/Port Encap VLANs not
required for directly attached hosts
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
ESGs allow control E/W traffic within the Hypervisor
demo
vrf-01
C CCI I P
EPG
vzAny
ubuntu-03
(allowing ICMP) 192.168.152.21
C CCI I P
ESXi Host: 10.237.98.145 ESXi Host: 10.237.98.146 ESXi Host: 10.237.98.147 ESXi Host: 10.237.98.148
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
Let’s create an EPG matched Security Group…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Create EPG matched Security Group
Static EPG to
demo ESG mapping
vrf-01 AP epg-matched-esg
C CCI I P
EPG ESG
vzAny
(allowing ICMP) network-segments
ESXi Host: 10.237.98.145 ESXi Host: 10.237.98.146 ESXi Host: 10.237.98.147 ESXi Host: 10.237.98.148
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Create Application Profile for Security Groups
New Application Profile
for Security Groups
epg-matched-security-groups
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Create new ESG for Network Segments
Enter ESG name
“group-01”
Create new
ESG
Add EPGs
Finish
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Matched EPGs now classified with a common pcTag
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Let’s add the remaining EPG to the Security Group…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Add remaining EPG to Single Security Zone
demo
ESXi Host: 10.237.98.145 ESXi Host: 10.237.98.146 ESXi Host: 10.237.98.147 ESXi Host: 10.237.98.148
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
What if there is an intermediary switch layer…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Define static PVLANs for VMM Domains
Add PVLANs to
UCSM
Spine-201 Spine-202
Leaf-101 Leaf-102
Intermediary switch
layer
hx-prod-fi-a hx-prod-fi-b
Map VLANs to
VMM Domain(s)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Specify PVLANs for VMM domain
Spine-201 Spine-202
Leaf-101 Leaf-102
Intermediary switch
layer
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Security across Bridge Domains with ESGs
EPG Security vs ESG Security
Bridge Domain with 1x Bridge Domain with 1x Bridge Domain with multiple
ACI foundational building blocks: subnet and 1x EPG/vlan subnet and multiple subnets and multiple
EPGs/vlans EPGs/vlans
• A Tenant provides an RBAC boundary typically linked to a business
function tn-demo
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
How do you map Endpoints into an ESG…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Select a Design Pattern, then enable Proxy ARP and
map your Endpoints to the ESG…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Design Patterns
tn-demo tn-shared-services
vrf-01 vrf-01
BD subnet(s) BD subnet(s)
AP
tn-demo
Network EPG EPG
VLAN VLAN
Segments (Security isolation per
Bridge Domain)
(Security isolation per
Bridge Domain)
vrf-01 Network team controls
BD subnet(s) BD subnet(s) inbound/outbound routing
EPG EPG
VLAN VLAN AP
(Security isolation per (Security isolation per
Network EPG EPG
Bridge Domain) Bridge Domain) VLAN VLAN
Segments (Security isolation per (Security isolation per
Bridge Domain) Bridge Domain)
AP
EPG EPG
VLAN VLAN
Apps ESG (Security isolation per (Security isolation per
(Optional) Bridge Domain) Bridge Domain)
Security isolation across Bridge Domains
AP
Apps ESG
EPG and ESG in the “user” Tenant with a (Optional)
Security isolation across Bridge Domains
dedicated L3out
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
Design Patterns
Network team controls
inbound/outbound routing
tn-common tn-shared-services tn-common
AP
tn-demo tn-common
Network EPG EPG
VLAN VLAN
BD subnet(s) BD subnet(s) common.vrf-01 Segments (Security isolation per (Security isolation per
Bridge Domain) Bridge Domain)
AP BD subnet(s)
Network EPG EPG EPG EPG
VLAN VLAN VLAN VLAN
Segments (Security isolation per (Security isolation per (Security isolation per (Security isolation per
Bridge Domain) Bridge Domain) Bridge Domain) Bridge Domain)
EPG EPG
VLAN VLAN tn-demo tn-test
(Security isolation per (Security isolation per
Bridge Domain) Bridge Domain) AP AP
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
How do you enable Proxy ARP on the Leaf Switches…?
Enabling “Allow Micro-Segmentation”
automatically enables Proxy ARP.
Option in a 100% virtual deployment, use
with or without Intra EPG isolation
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Tag vs Static Mapping MAC Policy Tag
vCenter Tag mapping
requires VRF mapping
IP Policy Tag requires Silent hosts Policy Tag Virtual machine name
VRF mapping requires EPG mapping mapping
vrf-01
ESG
my-endpoint-security-group
192.168.150.11
(fvEPSelector)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 78
Dynamic Policy Tag matching from vCenter
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Static Policy Tags on APIC
Static Endpoints
IP address ranges
MAC addresses
IP addresses
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
Selector Precedence
For Switched Traffic:
Precedence Order Selector
1 Tag Selector (Endpoint MAC Tag)
Tag Selector (Static Endpoint)
2 Tag Selector (VMM Endpoint MAC Tag)
3 EPG Selector
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
ESG Contract Matrix
Source/Destination Source/Destination* Supported
ESG ESG Yes
ESG EPG No**
ESG L3out extEPG Yes
ESG Shared L3out extEPG Yes
ESG Preferred Group No
ESG vzAny Yes
*includes L4-L7 Service Graphs
**use EPG → ESG mapping
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
ESGs: The Hidden Details
Policy Tags on BD Subnets (subset of a subnet)
• If only a subset of the BD subnet needs to be A subset of the subnet to ESG A
classified to an ESG, you can configure a BD 1
smaller subnet in the same BD with “No • 192.168.1.254/24 Policy Tag
Owner: DevOps
Default SVI Gateway” option. • 192.168.1.0/30
• No Default SVI Gateway
Then attach a policy tag to the smaller subnet.
EPG EPG
• “No Default SVI Gateway” prevents the 1-1 1-2
additional subnet with this config from being
MAC A1 MAC B
deployed as an SVI on leaf nodes. 192.168.1.1 192.168.1.2
MAC A2
NOTE:
192.168.1.11
this config still deploys a BD route pointing to spine-
proxy for 192.168.1.0/30. Although this itself doesn’t Tag Selector
Key: Owner
impact any forwarding behavior, it consumes an LPM
Operator: Equals
table entry.
If many of such configs are expected, consider using IP
ESG A Value: DevOps
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 85
Tag selector (with BD subnets) or IP Subnet selector?
Tag selector (new) IP Subnet selector (existing)
When non-IP based classifications need to be used When the BD is under tenant common while the
together. EPGs and ESGs are in a user tenant.
➢ One tag selector can manage endpoints through ➢ Tag selectors match policy tags only within the
different types of criteria (objects) same tenant. Use IP subnet selectors instead.
Policy Tag
Owner: DevOps
BD 1 BD 2 BD 1 (tn-common) Policy Tag
BD3 192.168.1.254/24 Owner: DevOps
192.168.1.254/24 192.168.2.254/24
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Policy Tags on endpoint IPs
• It is difficult to assign a policy tag on each endpoint directly
because endpoints are dynamically learned and aged out.
BD 1 BD 2
• APIC 5.2(1) introduced a new object (Endpoint IP Tag) to 192.168.1.254/24 192.168.2.254/24
represent an endpoint IP address so that policy tags can be
assigned and maintained even when the endpoint is not learned EPG EPG
EPG 2
yet, or even after the endpoint ages out. 1-1 1-2
MAC A1 MAC B MAC C
• By matching a policy tag assigned to an endpoint IP tag, a tag 192.168.1.1 192.168.1.2 192.168.2.1
selector can classify the specific endpoint IP address to an ESG
MAC A2 Policy Tag
in the same VRF. 192.168.1.11 Owner: DevOps
Tag Selector
Guidelines: Key: Owner
• The Endpoint IP Tag must be in the same tenant and the same Operator: Equals
VRF as the ESG.
ESG A Value: DevOps
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 87
Policy Tags on endpoint MACs
• It is difficult to assign a policy tag on each endpoint directly
because endpoints are dynamically learned and aged out.
BD 1 BD 2
• APIC 5.2(1) introduced a new object (Endpoint MAC Tag) to 192.168.1.254/24 192.168.2.254/24
represent an endpoint MAC address so that policy tags can be
assigned and maintained even when the endpoint is not EPG EPG
Policy Tag
EPG 2
learned yet, or even after the endpoint ages out. 1-1 1-2 DevOps
Owner:
Tag Selector
Guidelines: Key: Owner
• The Endpoint MAC Tag must be in the same tenant and the Operator: Equals
same VRF as the ESG.
ESG A Value: DevOps
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Policy Tags on VMM endpoint MACs
• APIC 5.2(1) introduced a new object (VMM Endpoint MAC Tag) to
represent an endpoint MAC address discovered through VMM
integration.
BD 1
192.168.1.254/24
• APIC will translate some information of VMs through VMM integration EPG EPG EPG
into ACI policy tags. 1-1 1-2 1-3 Policy Tag
Owner: DevOps
Supported on 5.2(1):
• VMware VM name MAC A1 MAC B MAC C
192.168.1.1 192.168.1.2 192.168.1.3
• (key: __vmm::vmname, value: <VM name>)
• VMware Tag MAC A2
192.168.1.11
• (key: <category>, value: <tag name>)
Tag Selector
Key: Owner
• By matching a policy tag assigned to a VMM endpoint MAC tag, a tag Operator: Equals
selector can classify the entire endpoint (MAC and associated IPs) to ESG A Value: DevOps
a given ESG in the same VRF.
Endpoint A1 and C along with
Guidelines:
• The VMM Endpoint MAC Tag must be in the same tenant and the
their IPs belong to ESG A.
same VRF as the ESG.
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Policy Tags on Static Endpoint
• Essentially the same as Endpoint MAC tags.
• APIC allows users to configure policy tags directly on an
existing static endpoint instead of configuring another object BD 1 BD 2
(Endpoint MAC tag) for the same MAC. 192.168.1.254/24 192.168.2.254/24
• If you prefer managing all policy tags for static and non-static EPG EPG
Policy TagEPG 2
endpoints in one location (Endpoint MAC tag), you can 1-1 1-2 Owner: DevOps
configure an Endpoint Mac tag for the static endpoint MAC
MAC A1 MAC B Static EP
instead of assigning policy tags on static endpoint config. 192.168.1.1 192.168.1.2 MAC C
192.168.1.3
MAC A2
Guidelines: 192.168.1.11
• The static endpoint with policy tags must be in the same tenant
Tag Selector
and the same VRF as the ESG. Key: Owner
• Only type silent host is supported. Operator: Equals
• Configuring policy tags on both static endpoint and Endpoint
ESG A Value: DevOps
MAC tag for the same MAC is not allowed.
Endpoint C along with their
IPs belong to ESG A.
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 90
L2 Traffic Limitation with IP-based selectors
• Scenario 1: • Scenario 3:
• MAC_A is matched by a selector of ESG 1 • MAC_A is _not_ matched by any ESG
• IP_A is _not_ matched by any ESG • IP_A is matched by a selector of ESG 2
• Result: • Result:
• Both MAC_A and IP_A are classified to ESG 1 • MAC_A is _not_ classified to any ESG, and still
belongs to the original EPG.
• IP_A is classified to ESG 2
• Scenario 2:
• MAC_A is matched by a selector of ESG 1 When only IP-based selectors are used, MAC addresses are
• IP_A is matched by a selector of ESG 2 not classified to ESGs.
• Result: • Switching traffic (i.e. within the same subnet) will not use
ESG contracts even if its payload has the IP address
• MAC_A is classified to ESG 1 classified to an ESG.
• If the two IPs in the same subnet from the same EPG are
• IP_A is classified to ESG 2
classified to different ESGs, those two endpoints can still
talk freely through the MAC and its original EPG.
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 91
Workarounds for L2 Traffic Limitation
Proxy ARP (on all original EPGs)
• Proxy ARP makes sure that all traffic from the EPGs will be handled as a routing traffic. This means that all
traffic uses the pcTag of IP. It does no longer matter whether the MAC still belongs to the original EPG.
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 92
Prepare the fabric for L4-7 Service
Insertion
ACI Endpoint Update App (optional)
https://dcappcenter.cisco.com/aci-endpoint-update.html
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Where should you place your L4-7 devices…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 95
“common” tenant, “shared-services” tenant, or
“workload/user” tenant…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Virtual firewall deployment
tn-shared-services
tn-ciscolive
ftdv-04-eth5-gig-0-2
vrf: tn-ciscolive ftdv-04-eth5-gig-0-2
vrf: tn-ciscolive
Imported firewall
ftdv-04-eth6-gig-0-3 tn-demo
vrf: tn-ssharman
ftdv-04
ftdv-04-eth7-gig-0-4
ftdv-04-eth7-gig-0-4 vrf: tn-demo
vrf: tn-demo
Imported firewall
VRF aware firewalls defined in “shared-
services” and exported to “user” tenants
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 97
Step 1: Define the Policy Based Redirect Target
Name of redirect
policy
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 98
Step 2: Define Service Graph Template and Device
Selection Policy Firewall interface and Bridge
Domain for the Consumer
interface
PBR target
PBR target
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 99
Step 3: Apply Service Graph to Contract Subject
tn-demo
vrf-01
AP
online- ESG
boutique
ad-service
C CCI I P
Cont
ESG provides a contract
permit-to-ad-service
“permit-to-ad-service”
Subj
Redirect
(L4-L7 Service Graph)
Service Graph is deployed
Service Graph Filt
once the contract is
applied to contract
consumed
permit-any
subject Entry
ftdv-04-eth7-gig-0-4
Any vrf: tn-demo
(unspecified)
Service Graph
redirect
Contract and
Subject
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 100
External Connectivity…
Each Tenant has their own IP Range
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 102
Where should you place your L3outs…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 103
“common” tenant, “shared-services” tenant, or
“workload/user” tenant…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
External Connectivity
tn-demo tn-shared-services tn-common
AP AP
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
Or even a combined solution…!
Large subnets can be
shared across Tenants
tn-shared-services
VRFs
tn-common
common.vrf-01
BD subnet(s)
tn-demo tn-test
AP AP
EPG EPG
VLAN VLAN
(Security isolation per (Security isolation per
Bridge Domain) Bridge Domain)
AP AP
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 107
Dedicated L3out
External Device External Device
Bridge Domains set to
advertise subnet
tn-demo
vrf-01
network-
segments
192.168.150.0_24 192.168.151.0_24 192.168.152.0_24
L3out
vrf-01-ospf-area—0.0.0.1
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 108
Option 2 – Shared L3out
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 109
Shared L3out Route Leaking
External Device External Device
Bridge Domains set to
advertise and share subnet
tn-shared-services tn-demo
vrf-01 vrf-01
network-
segments
192.168.150.0_24 192.168.151.0_24 192.168.152.0_24
L3out
vrf-01-ospf-area—0.0.0.1
Route leak
between VRFs
AP online-boutique
ESG
extEPG
vrf-01-all-ext-subnets all-services
C CCI I P
C CCI I P
Subnets
IP Address: 0.0.0.0/1
128.0.0.0/1
Classifier 0.0.0.0/1
and 128.0.0.0/1
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 110
Shared L3out Route Leaking
External Device External Device
tn-shared-services tn-demo
vrf-01 vrf-01
network-
segments
192.168.150.0_24 192.168.151.0_24 192.168.152.0_24
L3out
Prefix to leak Target Tenants
vrf-01-ospf-area—0.0.0.1
Route leak
between VRFs
AP online-boutique
ExternalextEPG
Prefixes ESG
vrf-01-all-ext-subnets all-services
C CCI I P
C CCI I P
Subnets
Subnets to leak Target Tenants
IP Address: 0.0.0.0/1
128.0.0.0/1
Bridge Domain
Subnets
*arrows indicates direction of traffic flow i.e. from consumer to provider
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 111
Shared L3out External Contracts
External Device External Device
tn-shared-services tn-demo
vrf-01 vrf-01
network-
segments
192.168.150.0_24 192.168.151.0_24 192.168.152.0_24
L3out
vrf-01-ospf-area—0.0.0.1
Route leak
between VRFs
AP online-boutique
Consumed
Subnets Contract Interface Contract Provider
IP Address: 0.0.0.0/1
128.0.0.0/1
Cont Cont
Scope: External Subnets for the extEPG permit-to-tn-demo-online-boutique permit-to-tn-demo-online-boutique
Shared Route Control Subnet (scope = global, exported = yes) (scope = global, exported = yes)
Shared Security Import Subnet
Classifier 0.0.0.0/1
and 128.0.0.0/1
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 112
Why are we classifying with 0.0.0.0/1 and
128.0.0.0/1…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 113
Non dedicated border Leafs
Upstream
network
L3outs to
external routers
hx-prod-fi-a hx-prod-fi-b
Workloads attached
to border Leafs
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 114
Shared L3out as Provider aci-dev-01-apic-01# fabric 101 show ip route vrf ssharman:vrf-01
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
External Device External Device ----------------------------------------------------------------
0.0.0.0/0, ubest/mbest: 1/0
*via 10.237.99.234%shared-services:vrf-01, eth1/7, ... rwVnid: vxlan-2129920
tn-demo !
tn-shared-services !output truncated
Default route via shared-
vrf-01 (2555904)
vrf-01 (2129920) services:vrf-01
C CCI I P
EPG
Path 101/1/7 Path 102/1/7 Cont vzAny
10.237.99.233/30 10.237.99.237/30 (software updates)
shared-services.vrf-01-all-ext-subnets
(scope = global, imported = yes)
L3out
vrf-01-ospf-area—0.0.0.1
IP Address: 0.0.0.0/0
Cont
shared-services.vrf-01-all-ext-subnets Cont EPG
Scope: External Subnets for the extEPG (scope = global, exported = yes) shared-services.vrf-01-all-ext-subnets
Shared Route Control Subnet vzAny
(scope = global, imported = yes) (software updates)
Shared Security Import Subnet
C CCI I P
aci-dev-01-apic-01# fabric 101 show ip route vrf shared-services:vrf-01 aci-dev-01-apic-01# fabric 101 show ip route vrf ssharman:vrf-01
---------------------------------------------------------------- ----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101) Node 101 (aci-dev-01-leaf-101)
---------------------------------------------------------------- ----------------------------------------------------------------
0.0.0.0/0, ubest/mbest: 1/0 0.0.0.0/0, ubest/mbest: 1/0
*via 10.237.99.234, eth1/7, ... ospf-default, type-2, tag 1 *via 10.237.99.234%shared-services:vrf-01, eth1/7, ... rwVnid: vxlan-2129920
10.237.99.160/28, ubest/mbest: 1/0, attached, direct, pervasive !
*via 10.1.176.66%overlay-1, ... static, tag 4294967292, rwVnid: vxlan-2555904
10.237.99.176/28, ubest/mbest: 1/0, attached, direct, pervasive
!output truncated
Default route via shared-
*via 10.1.176.66%overlay-1, ... static, tag 4294967292, rwVnid: vxlan-3047426
services:vrf-01
Default route to external network,
routes to Tenant subnets via overlay-1 BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 115
Shared L3out as Consumer aci-dev-01-apic-01# fabric 101 show ip route vrf ssharman:vrf-01
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
External Device External Device ----------------------------------------------------------------
0.0.0.0/0, ubest/mbest: 1/0
*via 10.237.99.234%shared-services:vrf-01, eth1/7, ... rwVnid: vxlan-2129920
tn-demo !
tn-shared-services !output truncated
Default route via shared-
vrf-01 (2555904)
vrf-01 (2129920) services:vrf-01
C CCI I P
EPG
Path 101/1/7 Path 102/1/7 Cont vzAny
10.237.99.233/30 10.237.99.237/30 (software updates)
permit-to-tn-demo
(scope = global, exported = yes)
L3out
vrf-01-ospf-area—0.0.0.1
aci-dev-01-apic-01# fabric 101 show ip route vrf shared-services:vrf-01 aci-dev-01-apic-01# fabric 101 show ip route vrf ssharman:vrf-01
---------------------------------------------------------------- ----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101) Node 101 (aci-dev-01-leaf-101)
---------------------------------------------------------------- ----------------------------------------------------------------
0.0.0.0/0, ubest/mbest: 1/0 0.0.0.0/0, ubest/mbest: 1/0
*via 10.237.99.234, eth1/7, ... ospf-default, type-2, tag 1 *via 10.237.99.234%shared-services:vrf-01, eth1/7, ... rwVnid: vxlan-2129920
10.237.99.160/28, ubest/mbest: 1/0, attached, direct, pervasive !
*via 10.1.176.66%overlay-1, ... static, tag 4294967292, rwVnid: vxlan-2555904
10.237.99.176/28, ubest/mbest: 1/0, attached, direct, pervasive
!output truncated
Default route via shared-
*via 10.1.176.66%overlay-1, ... static, tag 4294967292, rwVnid: vxlan-3047426
services:vrf-01
Default route to external network,
routes to Tenant subnets via overlay-1 BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 116
Let’s understand what’s happening…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 117
First, we need the ClassID or pcTag of the extEPG…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 118
Get Class ID of the External EPG
aci-dev-01-apic-01# moquery -c l3extInstP -f 'l3ext.InstP.name=="all-external-subnets"' | egrep "^name|^pcTag|^dn|^scope"
name : all-external-subnets
dn : uni/tn-shared-services/out-shared-services.vrf-01-ospf-area-0.0.0.1/instP-all-external-subnets
nameAlias : PcTag Category Name PcTag Range
pcTag : 41
pcTagAllocSrc
scope
: idmanager
: 2129920 shared-services:vrf-01 System 1-15
extEPG uses VXLAN Encap Global 16-16385
2129920 and pcTag 41
Local (to VRF) 16386-65535
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 119
Get VRF scopes and Class IDs
aci-dev-01-apic-01# show vrf vrf-01 detail | grep shared- -B 4 -A 1
VRF Information:
Tenant VRF VXLAN Encap Policy Enforced Policy Tag Consumed Contracts Provided Contracts Description PcTag Category Name PcTag Range
---------- ---------- ---------- ---------- ---------- -------------------- -------------------- ----------------------------------------
shared- vrf-01 2129920 enforced 46 - -
System 1-15
services- shared-services:vrf-01 uses
VXLAN Encap 2129920 and Global 16-16385
aci-dev-01-apic-01# show vrf vrf-01 detail | grep demo -B 4 -A 1 pcTag 46
Local (to VRF) 16386-65535
VRF Information:
Tenant VRF VXLAN Encap Policy Enforced Policy Tag Consumed Contracts Provided Contracts Description
---------- ---------- ---------- ---------- ---------- -------------------- -------------------- ----------------------------------------
demo vrf-01 2555904 enforced 49153 - -
demo:vrf-01 uses VXLAN shared-services:vrf-01 uses
Encap 2555904 and a pcTag from the Global
aci-dev-01-apic-01# show vrf vrf-01 detail | grep ssharman -B 4 A 1
pcTag 49153 range
VRF Information:
Tenant VRF VXLAN Encap Policy Enforced Policy Tag Consumed Contracts Provided Contracts Description
---------- ---------- ---------- ---------- ---------- -------------------- -------------------- ----------------------------------------
ssharman vrf-01 3047426 enforced 49153 - -
demo:vrf-01 uses VXLAN
Encap 3047426 and
pcTag 49153
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 120
Let’s check the VRF zoning-rules…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 121
Check the zoning rules for the shared VRF extEPG
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 src-epg 41
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
---------------------------------------------------------------- SrcEPG /DstEPG 41 = VRF extEPG ClassID
+---------+--------+--------+----------+----------------+---------+---------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope |
+---------+--------+--------+----------+----------------+---------+---------+
+---------+--------+--------+----------+----------------+---------+---------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 122
Check the zoning rules for the shared VRF
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 src-epg 46
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
SrcEPG /DstEPG 46 = VRF ClassID
+---------+--------+--------+----------+---------+---------+---------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope |
+---------+--------+--------+----------+---------+---------+---------+
| 4359 | 46 | 14 | implicit | uni-dir | enabled | 2129920 |
| 4293 | 46 | 0 | default | uni-dir | enabled | 2129920 |
+---------+--------+--------+----------+---------+---------+---------+
There are zoning rules
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 dst-epg 46 to the VRF
---------------------------------------------------------------- (Output truncated)
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 123
Check the zoning rules for the shared VRF and extEPG
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 src-epg 46
---------------------------------------------------------------- DstEPG 14 = all EPGs/ESGs which
Node 101 (aci-dev-01-leaf-101)
are consumers of shared services
SrcEPG /DstEPG 46 = VRF ClassID
----------------------------------------------------------------
+---------+--------+--------+----------+---------+---------+---------+---------------------------------------------------------+-----------------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+---------------------------------------------------------+-----------------+------------------------+
| 4359 | 46 | 14 | implicit | uni-dir | enabled | 2129920 | | permit_override | src_dst_any(9) |
| 4293 | 46 | 0 | default | uni-dir | enabled | 2129920 | shared-services:shared-services.vrf-01-all-ext-subnets | permit | shsrc_any_any_perm(11) |
+---------+--------+--------+----------+---------+---------+---------+---------------------------------------------------------+-----------------+------------------------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 124
Why are there no zoning rules for the extEPG…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 125
Setting a scope of 0.0.0.0/0 triggers “system” pcTag 15
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 src-epg 15
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
---------------------------------------------------------------- SrcEPG /DstEPG 15 = system classifier
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+ for all remote subnets
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 126
Setting a scope of 0.0.0.0/0 triggers “system” pcTag 15
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 src-epg 15
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+ pcTag 15 is a “system” pcTag which is triggered when 0.0.0.0/0 is used
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+ for the external subnet classifier.
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 dst-epg 15 When 0.0.0.0/0 is configured, the source class is set to the VRF Class ID
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
+---------+--------+--------+----------+---------+---------+---------+---------------------------------------------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+---------------------------------------------------------+----------+----------------------+
| 4370 | 0 | 15 | default | uni-dir | enabled | 2129920 | shared-services:shared-services.vrf-01-all-ext-subnets | permit | any_dest_any(16) |
| 4498 | 0 | 15 | implicit | uni-dir | enabled | 2129920 | | deny,log | any_vrf_any_deny(22) |
+---------+--------+--------+----------+---------+---------+---------+---------------------------------------------------------+----------+----------------------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 127
Let’s check the target tenants zoning rules…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 128
Check the zoning rules for the demo VRF
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2555904 src-epg 46 SrcEPG = shared services VRF
---------------------------------------------------------------- DstEPG = all EPGs/ESGs which are consumers of shared services
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
+---------+--------+--------+----------+---------+---------+---------+--------------------------------------------------------+--------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+--------------------------------------------------------+--------+------------------------+
| 4263 | 46 | 0 | default | uni-dir | enabled | 2555904 | shared-services:shared-services.vrf-01-all-ext-subnets | permit | shsrc_any_any_perm(11) |
+---------+--------+--------+----------+---------+---------+---------+--------------------------------------------------------+--------+------------------------+
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2555904 dst-epg 15 SrcEPG = vzAny
---------------------------------------------------------------- DstEPG = all extEPGs with 0.0.0.0/0
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
+---------+--------+--------+----------+---------+---------+---------+--------------------------------------------------------+----------+----------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+--------------------------------------------------------+----------+----------------------+
| 4307 | 0 | 15 | default | uni-dir | enabled | 2555904 | shared-services:shared-services.vrf-01-all-ext-subnets | permit | any_dest_any(16) |
| 4465 | 0 | 15 | implicit | uni-dir | enabled | 2555904 | | deny,log | any_vrf_any_deny(22) |
+---------+--------+--------+----------+---------+---------+---------+--------------------------------------------------------+----------+----------------------+
aci-dev-01-apic-01#
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 129
Check the zoning rules for the demo VRF
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2555904 dst-epg 14
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 130
How should we resolve the unexpected
communication…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 131
Shared L3out as Provider aci-dev-01-apic-01# fabric 101 show ip route vrf ssharman:vrf-01
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
External Device External Device ----------------------------------------------------------------
0.0.0.0/0, ubest/mbest: 1/0
*via 10.237.99.234%shared-services:vrf-01, eth1/7, ... rwVnid: vxlan-2129920
tn-demo !
tn-shared-services !output truncated
Default route via shared-
vrf-01 (2555904)
vrf-01 (2129920) services:vrf-01
C CCI I P
EPG
Path 101/1/7 Path 102/1/7 Cont vzAny
10.237.99.233/30 10.237.99.237/30 (software updates)
shared-services.vrf-01-all-ext-subnets
(scope = global, imported = yes)
L3out
vrf-01-ospf-area—0.0.0.1
IP Address: 0.0.0.0/1
Cont
128.0.0.0/1
shared-services.vrf-01-all-ext-subnets Cont EPG
Scope: External Subnets for the extEPG (scope = global, exported = yes) shared-services.vrf-01-all-ext-subnets
Shared Route Control Subnet vzAny
(scope = global, imported = yes) (software updates)
Shared Security Import Subnet
C CCI I P
aci-dev-01-apic-01# fabric 101 show ip route vrf shared-services:vrf-01 aci-dev-01-apic-01# fabric 101 show ip route vrf ssharman:vrf-01
---------------------------------------------------------------- ----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101) Node 101 (aci-dev-01-leaf-101)
---------------------------------------------------------------- ----------------------------------------------------------------
0.0.0.0/0, ubest/mbest: 1/0 0.0.0.0/0, ubest/mbest: 1/0
*via 10.237.99.234, eth1/7, ... ospf-default, type-2, tag 1 *via 10.237.99.234%shared-services:vrf-01, eth1/7, ... rwVnid: vxlan-2129920
10.237.99.160/28, ubest/mbest: 1/0, attached, direct, pervasive !
*via 10.1.176.66%overlay-1, ... static, tag 4294967292, rwVnid: vxlan-2555904
10.237.99.176/28, ubest/mbest: 1/0, attached, direct, pervasive
!output truncated
Default route via shared-
*via 10.1.176.66%overlay-1, ... static, tag 4294967292, rwVnid: vxlan-3047426
services:vrf-01
Default route to external network,
routes to Tenant subnets via overlay-1 BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 132
Shared L3out as Consumer aci-dev-01-apic-01# fabric 101 show ip route vrf ssharman:vrf-01
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
External Device External Device ----------------------------------------------------------------
0.0.0.0/0, ubest/mbest: 1/0
*via 10.237.99.234%shared-services:vrf-01, eth1/7, ... rwVnid: vxlan-2129920
tn-demo !
tn-shared-services !output truncated
Default route via shared-
vrf-01 (2555904)
vrf-01 (2129920) services:vrf-01
C CCI I P
EPG
Path 101/1/7 Path 102/1/7 Cont vzAny
10.237.99.233/30 10.237.99.237/30 (software updates)
permit-to-tn-demo
(scope = global, exported = yes)
L3out
vrf-01-ospf-area—0.0.0.1
Subnets Cont
vrf-01 (3047426)
aci-dev-01-apic-01# fabric 101 show ip route vrf shared-services:vrf-01 aci-dev-01-apic-01# fabric 101 show ip route vrf ssharman:vrf-01
---------------------------------------------------------------- ----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101) Node 101 (aci-dev-01-leaf-101)
---------------------------------------------------------------- ----------------------------------------------------------------
0.0.0.0/0, ubest/mbest: 1/0 0.0.0.0/0, ubest/mbest: 1/0
*via 10.237.99.234, eth1/7, ... ospf-default, type-2, tag 1 *via 10.237.99.234%shared-services:vrf-01, eth1/7, ... rwVnid: vxlan-2129920
10.237.99.160/28, ubest/mbest: 1/0, attached, direct, pervasive !
*via 10.1.176.66%overlay-1, ... static, tag 4294967292, rwVnid: vxlan-2555904
10.237.99.176/28, ubest/mbest: 1/0, attached, direct, pervasive
!output truncated
Default route via shared-
*via 10.1.176.66%overlay-1, ... static, tag 4294967292, rwVnid: vxlan-3047426
services:vrf-01
Default route to external network,
routes to Tenant subnets via overlay-1 BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 133
So, what’s changed…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 134
Get VRF scopes and Class IDs
aci-dev-01-apic-01# show vrf vrf-01 detail | grep shared- -B 4 -A 1
VRF Information:
Tenant VRF VXLAN Encap Policy Enforced Policy Tag Consumed Contracts Provided Contracts Description PcTag Category Name PcTag Range
---------- ---------- ---------- ---------- ---------- -------------------- -------------------- ----------------------------------------
shared-
services-
vrf-01 2129920 enforced 16386 - -
System 1-15
VRF Information:
Tenant VRF VXLAN Encap Policy Enforced Policy Tag Consumed Contracts Provided Contracts Description
---------- ---------- ---------- ---------- ---------- -------------------- -------------------- ----------------------------------------
ssharman vrf-01 3047426 enforced 49153 - -
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 135
Get Class ID of the External EPG
aci-dev-01-apic-01# moquery -c l3extInstP -f 'l3ext.InstP.name=="all-external-subnets"' | egrep "^name|^pcTag|^dn|^scope"
name : all-external-subnets
dn : uni/tn-shared-services/out-shared-services.vrf-01-ospf-area-0.0.0.1/instP-all-external-subnets
nameAlias : PcTag Category Name PcTag Range
pcTag : 41
pcTagAllocSrc
scope
: idmanager
: 2129920 shared-services:vrf-01 System 1-15
extEPG uses VXLAN Encap Global 16-16385
2129920 and pcTag 41
Local (to VRF) 16386-65535
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 136
Check the zoning rules for the shared VRF
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 src-epg 16386
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
SrcEPG /DstEPG 16386 = VRF ClassID
+---------+--------+--------+----------+---------+---------+---------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope |
+---------+--------+--------+----------+---------+---------+---------+
+---------+--------+--------+----------+---------+---------+---------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 137
Check the zoning rules for the shared VRF extEPG
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 src-epg 41
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
---------------------------------------------------------------- SrcEPG /DstEPG 41 = VRF extEPG ClassID
+---------+--------+--------+----------+----------------+---------+---------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope |
+---------+--------+--------+----------+----------------+---------+---------+
| 4301 | 41 | 14 | implicit | uni-dir | enabled | 2129920 |
| 4466 | 41 | 0 | default | uni-dir-ignore | enabled | 2129920 |
+---------+--------+--------+----------+----------------+---------+---------+
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 dst-epg 41 Output truncated
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
+---------+--------+--------+----------+----------------+---------+---------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope |
+---------+--------+--------+----------+----------------+---------+---------+
| 4487 | 0 | 41 | default | bi-dir | enabled | 2129920 |
+---------+--------+--------+----------+----------------+---------+---------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 138
Do not use 0.0.0.0/0 in route leaking design…!
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 139
Check the zoning rules for the shared VRF and extEPG
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2129920 src-epg 16386
----------------------------------------------------------------
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
+---------+--------+--------+----------+---------+---------+---------+---------------------------------------------------------+-----------------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+---------+---------+---------+---------------------------------------------------------+-----------------+------------------------+
+---------+--------+--------+----------+---------+---------+---------+---------------------------------------------------------+-----------------+------------------------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 140
Let’s check the target tenants zoning rules…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 141
Check the zoning rules for the demo VRF
aci-dev-01-apic-01# fabric 101 show zoning-rule scope 2555904 src-epg 41 SrcEPG = shared services extEPG
---------------------------------------------------------------- DstEPG = vsAny
Node 101 (aci-dev-01-leaf-101)
----------------------------------------------------------------
+---------+--------+--------+----------+----------------+---------+---------+--------------------------------------------------------+----------+------------------------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+----------------+---------+---------+--------------------------------------------------------+----------+------------------------+
| 4305 | 41 | 0 | default | uni-dir-ignore | enabled | 2555904 | shared-services:shared-services.vrf-01-all-ext-subnets | permit | shsrc_any_any_perm(11) |
| 4228 | 41 | 0 | implicit | uni-dir | enabled | 2555904 | | deny,log | shsrc_any_any_deny(12) |
+---------+--------+--------+----------+----------------+---------+---------+--------------------------------------------------------+----------+------------------------+
aci-dev-01-apic-01#
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 142
Shared L3out tn-demo
vrf-01 (2555904)
External Device External Device
Cont
tn-ssharman
shared-services.vrf-01-all-ext-subnets
(scope = global, exported = yes) vrf-01 (3047426)
EPG
vzAny
(software updates)
C CCI I P
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 143
Scenario 1 – Provider and multiple Consumer VRFs are
on the same Leaf with /0 mask
1. The packet from the source consumer VRF hits the contract for source EPG/ESG to pcTag 15 (extEPG with 0.0.0.0/0)
2. Since the leaf knows the egress port and destination VRF (shared), the packet will be sent out from that port without going through another lookup on the
destination VRF (shared)
5. The packet is allowed in the shared VRF because there are contracts between the VRF pcTag and 14 in the shared VRF
6. Just like step 2, the packet is sent out to the destination endpoint without going through another lookup in the destination consumer VRF because the leaf knows
the egress port and its destination VRF
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 144
Scenario 2 – Provider and multiple Consumer VRFs are
on different Leafs with /0 mask
1. The packet from the source consumer VRF hits the contract for vzAny to 15
2. The packet reaches the shared VRF leaf. Another lookup happens. The forwarding points another leaf
3. The packet gets dropped because of a internal TCAM ACL rule (not a contract) that prevents traffic bouncing back to spines without a bounce entry
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 145
Scenario 1 – Provider and multiple Consumer VRFs are
on the same Leaf with /1 mask
1. The packet from the source consumer VRF hits the contract for source EPG/ESG to pcTag of extEPG with 0.0.0.0/1 and 128.0.0.0./1 mask
2. Since the leaf knows the egress port and destination VRF (shared), the packet will be sent out from that port without going through another lookup on the
destination VRF (shared)
5. The packet is allowed in the shared VRF because there are contracts between the VRF pcTag and 14 in the shared VRF
6. Just like step 2, the packet is sent out to the destination endpoint without going through another lookup in the destination consumer VRF because the leaf knows
the egress port and its destination VRF
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 146
Scenario 2 – Provider and multiple Consumer VRFs are
on different Leafs with /1 mask
1. The packet from the source consumer VRF hits the contract for source EPG/ESG to pcTag of extEPG with 0.0.0.0/1 and 128.0.0.0./1 mask
2. The packet reaches the shared VRF leaf. Another lookup happens. The forwarding points another leaf
3. The packet gets dropped because of a internal TCAM ACL rule (not a contract) that prevents traffic bouncing back to spines without a bounce entry
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 147
Tightening Security…
Let’s tighten the contract to our online-boutique
application…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 149
Tighten the contract to our online-boutique application…
Tighten the
contract rules Application Profile for EPG
demo
mapped Endpoint Security
vrf-01
Groups
AP epg-matched-esg
C CCI I
EPG
P Endpoint Security Policy ESG
vzAny
(allowing ICMP)
moved to the “all-services” network-segments
C CCI I P
ESG based on vCenter Tags C CCI I P
Single “network-segments”
Endpoint Security Group for all
BD 192.168.150.0_24 BD 192.168.151.0_24 BD 192.168.152.0_24
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 150
Before we do that, let’s check our understanding on
how contracts work…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 151
How do contracts work…?
Outside Inside
ubuntu-01 ubuntu-02
frontend-svc cart-svc
ubuntu-01 C CCI I P C CCI I P ubuntu-02
192.168.150.21 192.168.151.21
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 152
Consumer and Provider relationships are there to help you visualize the traffic
flow direction
i.e. (typically) from the consumer to the provider
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 153
Contract structure…
ESG ESG
frontend-svc cart-svc
ubuntu-01 C CCI I P C CCI I P ubuntu-02
192.168.150.21 192.168.151.21
Cont
permit-to-cart-svc
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 154
Verifying Contract operation with netcat – Stateful = No
tn-demo
vrf-01
Cont
ESG permit-to-ubuntu-02 ESG
ubuntu-01 ubuntu-02
ubuntu-01 C CCI I P C CCI I P ubunut-02
192.168.150.21 Subj
tcp 192.168.151.21
Stateful: No
Entry tcp-src-any-dst-7070
(Stateful: No)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 155
Verifying Contract operation with netcat – Stateful = Yes
tn-demo
vrf-01
Cont
ESG permit-to-ubuntu-02 ESG
ubuntu-01 ubuntu-02
ubuntu-01 C CCI I P C CCI I P ubunut-02
192.168.150.21 Subj
tcp 192.168.151.21
Stateful: Yes
Entry tcp-src-any-dst-7070
(Stateful: Yes)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 156
Contr
permit-to-ubuntu-02
tcp
tcp-src-any-dst-7070
Entry
src=any | dst=7070
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 157
Reversing the Filter ports – Stateful = No
tn-demo
vrf-01
Cont
ESG permit-to-ubuntu-02 ESG
ubuntu-01 ubuntu-02
ubuntu-01 C CCI I P C CCI I P ubunut-02
192.168.150.21 Subj
tcp 192.168.151.21
Stateful: No
Source port must be Entry tcp-src-7070-dst-any
“7070” (Stateful: No)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 158
Why would you want to reverse the Consumer
and Provider Filters…?
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 159
vzAny as a contract Provider
shared-services
vrf-01
ESG
core-services
Requirement is to permit ssh from core-
C CCI I P services to all endpoints in a given
tenant
Cont
Name: permit-from-core-services
Subject: tcp
Filter: tcp-src-any-dst-22
Exported: Yes
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 160
vzAny as a contract Provider
shared-services
vrf-01
ESG
core-services
Requirement is to permit ssh from core-
C CCI I P services to all endpoints in a given
tenant
Cont
Name: permit-from-core-services
Subject: tcp
Filter: tcp-src-any-dst-22
Exported: Yes
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 161
vzAny as a contract Consumer – Filters Reversed
shared-services
vrf-01
ESG
Requirement is to permit ssh from core-
Reverse the Filter ports in core-services
the Contract C CCI I P services to all endpoints in a given
Provide the
tenant
Cont
Contract
Name: permit-from-core-services
Subject: tcp
Filter: tcp-src-22-dst-any
Exported: Yes
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 162
vzAny as a contract Consumer – Filters Reversed
shared-services
vrf-01
ESG
Requirement is to permit ssh from core-
Reverse the Filter ports in core-services
the Contract C CCI I P services to all endpoints in a given
Provide the
tenant
Cont
Contract
Name: permit-from-core-services
Subject: tcp
Filter: tcp-src-22-dst-any
Exported: Yes
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 163
Let’s tighten the contract to our online-boutique
application…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 164
Tighten access to our online-boutique application…
External Device External Device
tn-shared-services
vrf-01
extEPG IP Address: 0.0.0.0/1 Cont
128.0.0.0/1
Name: permit-to-tn-demo-online-boutique
Imported: yes (from tn-demo)
Scope: External Subnets for the extEPG
Shared Route Control Subnet
Subject: tcp
Shared Security Import Subnet
Stateful: yes
C CCI I P Filter: tcp-src-any-dst-80
tcp-src-any-dst-8080
Route leak
tn-demo between VRFs
vrf-01
Cont Cont
to/from “core-services”
C CCI I P
Network-
segments
tn-demo:online-boutique
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 165
Contracts: The hidden details
Contract Scope
• The scope of a contract defines where a contract is relevant, there are four options:
• Application Profile– used to control traffic within an Application Profile
• VRF – used to control traffic between EPG/ESG within a VRF
• Tenant – used to control traffic between EPG/ESG across VRFs within a Tenant
• Global – used to control traffic between EPG/ESG in different Tenants/VRFs
• Contract definitions can be reused allowing you define once and reference many times
• Note: Exercise caution when reusing contract definitions at this can lead to unexpected communication
• Recommendation: define explicit contracts rather then n:1 reference
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 167
What are the components of a contract…?
Contr
Options:
permit-to-service Name and relevancy of the contract
Scope, Qos, DSCP, Tag
Options:
Apply Both Directions
Subj Reverse Filter Ports
tcp Collection of one or more Filters
Service Graph
QoS
DSCP
Filt Options:
Collection of one or more Filter Entries
tcp-src-any-dst-22 Tag
Options:
Entry Src / Dst ports
src=any | dst=22 Identification of an individual protocol and port
Flags
Stateful
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 168
Contract Scope = Application, Contract re-use = yes
tn-demo
vrf-01
AP online-boutique-v1
Cont
C CCI I P
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-svc-vm cart-svc-vm
C CCI I P C CCI I P
AP online-boutique-v2
Cont
C CCI I P
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-svc-vm cart-svc-vm
C CCI I P C CCI I P
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 169
Contract Scope = VRF, Contract re-use = yes
tn-demo
vrf-01
AP online-boutique-v1
Cont
C CCI I P
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-svc-vm cart-svc-vm
C CCI I P C CCI I P
Unexpected cross
communication
AP online-boutique-v2
Cont
C CCI I P
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-svc-vm cart-svc-vm
C CCI I P C CCI I P
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 170
Contract Scope = Tenant, Contract re-use = yes
tn-demo
vrf-01
AP online-boutique-v1
Cont
C CCI I P
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-svc-vm cart-svc-vm
C CCI I P C CCI I P
Unexpected cross
communication
vrf-01
AP online-boutique-v2
Cont
C CCI I P
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-svc-vm cart-svc-vm
C CCI I P C CCI I P
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 171
Contract Scope = Global, Contract re-use = yes
tn-demo
vrf-01
AP online-boutique-v1
Cont
C CCI I P
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-svc-vm cart-svc-vm
C CCI I P C CCI I P
tn-test
Unexpected cross
communication
test.vrf-01
AP online-boutique-v2
Cont
C CCI I P
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-svc-vm cart-svc-vm
C CCI I P C CCI I P
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 172
Option 1: Apply in both directions, reverse ports
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 173
Option 1: Apply in both directions, reverse ports (default)
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Filt
tcp-src-any-dst-7070
Entry
tcp-src-any-dst-7070
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 174
Option 1: Apply in both directions, reverse ports (default)
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Filt
tcp-src-any-dst-7070
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 175
Option 1: Apply in both directions, reverse ports (default)
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Entry
tcp-src-any-dst-7070
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 176
Option 2: Apply in both directions, reverse ports,
stateful
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 177
Option 2: Apply in both directions, reverse ports, stateful/ack check
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Entry tcp-src-any-dst-7070
(Stateful: Yes)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 178
Option 2: Apply in both directions, reverse ports, stateful/ack check
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Filt
tcp-src-any-dst-7070
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 179
Option 2: Apply in both directions, reverse ports, stateful/ack check
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Entry tcp-src-any-dst-7070
(stateful)
stateful
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 180
Option 3: Apply in single direction
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 181
Option 3: Apply in single direction – requires you to specify the return ports in the
same or different contract
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Filt
tcp-src-any-dst-7070
Filt
tcp-src-7070-dst-any Separate filter definitions
required for return flows
Entry
tcp-src-any-dst-7070
Entry
tcp-src-7070-dst-any
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 182
Option 3: Apply in single direction – requires you to specify the return ports in the
same or different contract
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P Consumer to Provider C CCI I P
LISTEN 7070
Subj Source and Destination Ports
tcp
Filt
tcp-src-7070-dst-any
Entry
tcp-src-any-dst-7070
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 183
Option 3: Apply in single direction – requires you to specify the return ports in the
same or different contract
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Filt
tcp-src-7070-dst-any
Entry
tcp-src-any-dst-7070
Entry
tcp-src-7070-dst-any
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 184
Option 4: Apply in both directions, reverse ports,
“flipped” – (this might hurt a little bit)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 185
Option 4: Consumer and Provider Flipped
tn-demo
vrf-01
source port = consumer port
destination port = provider port
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Filt
tcp-src-7070-dst-any
Entry
tcp-src-7070-dst-any
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 186
Option 4: Consumer and Provider Flipped
tn-demo
vrf-01
source port = consumer port
destination port = provider port
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Filt
tcp-src-7070-dst-any
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 187
Option 4: Consumer and Provider Flipped
tn-demo
vrf-01
source port = consumer port
destination port = provider port
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Entry
tcp-src-7070-dst-any
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 188
Option 5: Apply in both directions
(not recommended)
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 189
Option 5: Apply in both directions (no reverse ports) – requires you to specify the
return ports
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Filt
tcp-src-any-dst-7070
Filt
tcp-src-7070-dst-any Separate filter definitions
required for return flows
Entry
tcp-src-any-dst-7070
Entry
tcp-src-7070-dst-any
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 190
Option 5: Apply in both directions (no reverse ports) – requires you to specify the
return ports
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Filt
tcp-src-any-dst-7070
Filt
tcp-src-7070-dst-any Separate filter definitions
required for return flows
Entry
tcp-src-any-dst-7070
Entry
tcp-src-7070-dst-any
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 191
Option 5: Apply in both directions (no reverse ports) – requires you to specify the
return ports
tn-demo
vrf-01
Cont
ESG permit-to-cart-svc ESG
frontend-svc cart-svc
frontend-vm cart-svc-vm
C CCI I P C CCI I P
LISTEN 7070
Subj
tcp
Filt
tcp-src-any-dst-7070
Filt
tcp-src-7070-dst-any
Entry
tcp-src-any-dst-7070
Entry
tcp-src-7070-dst-any
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 192
Verifying contracts…
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 193
Verifying Contract Operation
tn-demo
vrf-01
Cont
ESG permit-to-ubuntu-02 ESG
ubuntu-01 ubuntu-02
ubuntu-01 ubunut-02
C CCI I P C CCI I P
192.168.150.21 192.168.151.21
aci-dev-01-apic-01# show esg ubuntu-01 detail aci-dev-01-apic-01# show esg ubuntu-02 detail
Endpoint Security Group Data: Endpoint Security Group Data:
Tenant : demo Tenant : demo
Application : endpoint-matched-security-groups Application : endpoint-matched-security-groups
ESg : ubuntu-01 ESg : ubuntu-02
VRF : vrf-01 VRF : vrf-01
Intra ESG Isolation : unenforced Intra ESG Isolation : unenforced
Policy Tag : 38 Policy Tag : 5474
Consumed Contracts : permit-to-ubuntu-02 Consumed Contracts :
Provided Contracts : Provided Contracts : permit-to-ubuntu-02
Consumed Contracts Interface : Consumed Contracts Interface :
Qos Class : unspecified Qos Class : unspecified
Tag List : Tag List :
IP Selectors: IP Selectors:
Name Match Expression Name Match Expression
-------------------- ----------------------------------------- -------------------- -----------------------------------------
ip=='192.168.150.21’ ip=='192.168.151.21’
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 194
Verifying Contract Operation
tn-demo
vrf-01
Cont
ESG permit-to-ubuntu-02 ESG
ubuntu-01 ubuntu-02
ubuntu-01 ubunut-02
C CCI I P C CCI I P
192.168.150.21 192.168.151.21
Subject: icmp
Subject: tcp
aci-dev-01-apic-01# show access-list tcp-src-any-dst-7070
Tenant : demo
Access-List : tcp-src-any-dst-7070
match tcp dest 7070
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 195
Verifying Contract Operation
tn-demo
vrf-01
Cont
ESG permit-to-ubuntu-02 ESG
ubuntu-01 ubuntu-02
ubuntu-01 ubunut-02
C CCI I P C CCI I P
192.168.150.21 192.168.151.21
SrcEPG: 38
----------------------------------------------------------------
Node 102 (aci-dev-01-leaf-102) DstEPG: 5474
----------------------------------------------------------------
FilterID: 12
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
| Rule ID | SrcEPG | DstEPG | FilterID | Dir | operSt | Scope | Name | Action | Priority |
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
+---------+--------+--------+----------+-----+--------+-------+------+--------+----------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 196
Verifying Contract Operation
tn-demo
vrf-01
Cont
ESG permit-to-ubuntu-02 ESG
ubuntu-01 ubuntu-02
ubuntu-01 ubunut-02
C CCI I P C CCI I P
192.168.150.21 192.168.151.21
----------------------------------------------------------------
Node 102 (aci-dev-01-leaf-102)
----------------------------------------------------------------
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| FilterId | Name | EtherT | ArpOpc | Prot | ApplyToFrag | Stateful | SFromPort | SToPort | DFromPort | DToPort | Prio | Icmpv4T | Icmpv6T | TcpRules |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
| 12 | 12_0 | ip | unspecified | tcp | no | no | unspecified | unspecified | 7070 | 7070 | dport | unspecified | unspecified | |
+----------+------+--------+-------------+------+-------------+----------+-------------+-------------+-----------+---------+-------+-------------+-------------+----------+
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 197
Blueprints
Example Internal Private Cloud Design – shared subnet(s)
External Device External Device
Route leak
128.0.0.0/1
“common”
tn-demo
Endpoints security policy
Contracts exported to moved to application ESGs
“shared-services” based on tag policy
AP application-1
Cont Cont
C CCI I P
permit-to-core-services permit-from-core-services Cont ESG all-services
(exported from shared-services) (exported from shared-services) permit-to-tn-demo-application-1
(exported to shared-services)
vzAny cannot be a
provider for shared Application endpoints deployed to an EPG
services “landing zone” in “enforced” mode to
prevent E/W traffic inside both the
hypervisor and the network
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 199
Application tiers across subnets
Application Centric Blueprint #1 – ESG “wrapper” for all services
tn-demo
vrf-01
Consumers
Single security zone for
all application services
AP online-boutique
C CCI I P
ESG all-services
frontend
checkout
payment
Redis cache
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 200
Application tiers across subnets
Application Centric Blueprint #2 – Intra ESG Isolation
tn-demo
vrf-01
Consumers
Firewall/IPS
Single isolated security zone
for all application services
AP online-boutique
C CCI I P
ESG all-services
payment
Redis cache
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 201
Application tiers across subnets
Application Centric Blueprint #3 – Dedicated AP/ESG for backend database
tn-demo
vrf-01
Consumers
AP online-boutique
C CCI I P
ESG all-services
frontend
checkout
payment
C CCI I P
AP databases
C CCI I P
ESG redis
Dedicated Application Profile
Redis cache
and ESG (with contract) for
database services
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 202
Application tiers across subnets
Application Centric Blueprint #4 – Inbound firewall/IPS + backend contract
tn-demo
vrf-01
Consumers
Inbound firewall/IPS
AP online-boutique
C CCI I P
ESG all-services
Inbound Firewall between
Consumers and Application
frontend
checkout
payment
C CCI I P
AP databases
C CCI I P
ESG redis
Dedicated Application Profile
Redis cache
and ESG (with contract) for
database services
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 203
Application tiers across subnets
Application Centric Blueprint #5 – Inbound firewall/IPS + backend firewall/IPS
tn-demo
vrf-01
Consumers
Inbound firewall
AP online-boutique
C CCI I P
ESG all-services
Inbound Firewall between
Consumers and Application
frontend
checkout
payment
C CCI I P
AP databases
C CCI I P
ESG redis
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 204
Application tiers across subnets Requires application
Application Centric Blueprint #6 – ESG per application tier dependency map
tn-demo
vrf-01
Consumers
Single security zone for
each application service
AP online-boutique
C CCI I P C CCI I P
ESG ESG
frontend checkout
C CCI I P C CCI I P
C CCI I P
ESG
redis
C CCI I P
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 205
Application tiers across subnets
Application Centric Blueprint #7 – Dedicated AP/ESG for backend database
tn-demo
vrf-01
Consumers
Single security zone for
each application service
AP online-boutique
C CCI I P C CCI I P
ESG ESG
frontend checkout
C CCI I P C CCI I P
AP databases
C CCI I P
ESG
Dedicated Application Profile
redis
and ESG (with contract) for
C CCI I P database services
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 206
Application tiers across subnets
Application Centric Blueprint #8 – ESG per application tier + frontend firewall/IPS
tn-demo
vrf-01
Consumers
Frontend firewall/IPS
Single security zone for
each application service Inbound Firewall between
Consumers and application
“frontend”
AP online-boutique
C CCI I P C CCI I P
ESG ESG
frontend checkout
C CCI I P C CCI I P
AP databases
C CCI I P
ESG
Dedicated Application Profile
redis
and ESG (with contract) for
C CCI I P database services
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 207
Application tiers across subnets
Application Centric Blueprint #9 – ESG per application tier + frontend firewall/IPS + backend firewall/IPS
tn-demo
vrf-01
Consumers
Inbound firewall
Single security zone for
each application service Inbound Firewall between
Consumers and application
“frontend”
AP online-boutique
C CCI I P C CCI I P
ESG ESG
frontend checkout
C CCI I P C CCI I P
AP databases
C CCI I P
ESG
Backend Firewall between
redis
Application and Database
C CCI I P Database firewall
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 208
Application tiers across subnets
Application Centric Blueprint #10 – ESG per application tier + frontend, backend, and payment firewall/IPS
tn-demo
vrf-01
Consumers
Inbound firewall
Single security zone for
each application service Inbound Firewall between
Consumers and application
“frontend”
AP online-boutique
C CCI I P C CCI I P
ESG ESG
frontend checkout
AP databases
C CCI I P
ESG
Backend Firewall between
redis
Application and Database
C CCI I P Database firewall
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 209
Wrapping up…
Select one or more Design Patterns…
Carefully consider the use of:
• The “common” tenant
• Using a “shared services” tenant
• vzAny
• Dedicated border Leafs (recommended)
• External EPG with the classifier 0.0.0.0/0
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 211
Implement ESG “wrappers”…
Wrapping applications into ESGs provides the following benefits for
both virtual and physical workloads:
• Improved application visibility
• Improved auditing capabilities
• Improved troubleshooting
• Intelligent service insertion
• Security tied applications rather than network segments
• Reduce the reliance on monolithic physical security devices
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 212
Benefits of Shared Service model…
• Looks and feels like a Public Cloud model of working
• Network team maintains control of North / South route peering
• Network team maintains control of Inter VRF route leaking
• Each Tenant can control their own CIDR range
• Each Tenant can control their own security rules
• Each Tenant can have private (non routable subnets)
• Security services can be easily inserted in the Tenants
• Do not use 0.0.0.0/0 as the extEPG classifier
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 213
Automation Considerations…
• A simple consumption model is everything
• Single API for all networking functions
• Application security requirements should be declared to the infrastructure
• Add virtual application firewalls to deployments if required
• Large physical monolithic firewalls are useful at network boundaries, however they should
only provide broad security rules
• Remove unnecessary overlay networks that add layers of complexity
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 214
Now available on dCloud
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 215
Cisco Webex App
Questions?
Use Cisco Webex App to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space Enter your personal notes here
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 216
Complete your Session Survey
• Please complete your session survey
after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (open from Thursday) to
receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or
by logging in to the Session Catalog and clicking the
"Attendee Dashboard” at
https://www.ciscolive.com/emea/learn/sessions/session-
catalog.html
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 217
Continue Your Education
Attend any of the related sessions at the DevNet, Capture the Flag,
and Walk-in Labs zones.
BRKDCN-2984 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 218
Thank you