security best practices for acid2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/brkaci-2… · ·...
TRANSCRIPT
Security Best Practices for ACI
Navaid Shamsee
BRKACI-2303
• Introduction
• Security Architecture
• ACI Overview
• ACI Fabric Security
• Role Based Access Control
• Segmentation for Security
Agenda
• Visibility
• Implementing Advanced Security
• Design Practices
• Conclusion
Introduction
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cyber attacks are increasing in number and complexity
BRKACI-2303 5
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Sophisticated
Attackers
Complex
Geopolitics
Boardroom
Engagement
The Challenges Come from Every Direction
Misaligned
Policies
Dynamic
Threats
Defenders
Complicit
Users
BRKACI-2303 6
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Visibility and Context
Use a Threat-Centric and Operational Security Model
Attack Continuum
Firewall
App Control
VPN
Patch Mgmt
Vuln Mgmt
IAM/NAC
IPS
Anti-Virus
Email/Web
IDS
FPC
Forensics
AMD
Log Mgmt
SIEM
BEFORE
Detect
Block
Defend
DURING AFTER
Discover
Enforce
Harden
Scope
Contain
Remediate
BRKACI-2303 7
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco: Covering the Entire Continuum
Attack Continuum
FireSIGHT & PXGrid
ASA
NGFW
Secure Access + Identity Services
VPN
Meraki
NGIPS
ESA/WSA
CWS
Advanced Malware Protection
Cognitive
BEFORE
Detect
Block
Defend
DURING AFTER
DIscover
Enforce
Harden
Scope
Contain
Remediate
ThreatGRID
Services
BRKACI-2303 8
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Wo
rkflo
w (
au
tom
ation
) E
ng
ine
How to Defend…
AP
Is
Understand scope, contain & remediate
Broad awareness for context
Set policy to reduce surface area of attack
Focus on the threat – security is about detecting,
understanding, and stopping threats
Breach
Visibility
Control
Threat
BRKACI-2303 9
Security Architecture
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
TRENDS IMPACTING DATACENTER SECURITY
EVOLVING
THREATS
NEW APPLICATIONS (PHYSICAL, VIRTUAL
AND CLOUD)
NEW TRAFFIC
TRENDS
Source: Cisco Global Cloud Index, 2012
BRKACI-2303 11
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Right SECURITY architecturefor NEXTGEN data center?
VIRTUALIZATION
CENTRICNo Physical
Support
Limited
Visibility
Management
Complexity
APPLICATION CENTRIC Any workload and any place Full VisibilityAutomated
PERIMETER CENTRIC Manual and
ComplexError-ProneStatic
Topology
Limited
Places
BRKACI-2303 12
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco SAFE recommends a phased methodology of building Security Solution
1. Requirement Phase / Security Capabilities
• Identify security capabilities base on business goals, risks, policies, and threats.
2. Architecture phase
• Create logical architecture based on the required capabilities in previous phase
3. Design phase
• Create a design using the architecture
• Identify products, configuration, services and cost.
BRKACI-2303 13
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Requirements Phase
COMPLIANCE
How do I maintain compliance
in the cloud and mobile era?
RISK MITIGATION
How do I pro-actively detect
and mitigate new attacks?
AUTOMATION
How can I simplify
management across my IT?
BRKACI-2303 14
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 15BRKACI-2303
Architecture Phase
L2//L3 Network
Access Control +TrustSec
To Campus
Shared Services
Zone
Next-Gen Intrusion Prevention System
App Server
Zone
PCICompliance
Zone
DatabaseZone
Flow Analytics
Host-based Security
Load Balancer
Flow Analytics
Firewall
Anti-Malware
Threat Intell-igence
Access Control +TrustSec
Next-Gen Intrusion Prevention System
Next-Generation Firewall Router
L2//L3 NetworkFirewall VPN
Switch
Web Application Firewall
Centralized Management
Policy/Configuration
Visibility/Context
AnalysisCorrelation
Analytics
Logging/Reporting
ThreatIntelligence
VulnerabilityManagement
Monitoring
To Edge
Virtualized Capabilities
WAN
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 16BRKACI-2303
Design Phase
Tenant
APP1
uEPG
DB1
uEPGC C
Bridge
Domain-2
Zone-2 VRF
WEB2
EPG
APP2
EPG
DB2
EPG
DB3
EPG
Zone-1 VRF Zone-3 VRF
Bridge
Domain-3
Bridge
Domain-4
Bridge
Domain-5
Bridge
Domain-1
C C
ANP-1 ANP-2 ANP-3ASAv ASAv
Firepower
9300
VRF-1 VRF-2 VRF-3
WEB1
uEPG
10.1.1.1/24
10.254.1.1/29
10.1.2.1/24 10.1.3.1/24 10.1.4.1/24 10.1.5.1/24
10.254.2.1/2910.254.3.1/29
10.254.4.1/29
L3Out L3Out L3Out
C C C
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
For more information on security architecture
BRKACI-2303 17
Cisco SAFE Blueprint
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_safe.html
Cisco Security Control Framework
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/CiscoSCF.html
ACI Overview
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is ACI?
BRKACI-2303 19
Cisco’s Software Defined Networking (SDN) Solution to enhance business agility, reduce TCO, accelerate data center application deployments by automating IT tasks.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is ACI?
APICAPIC
APIC
Nexus 9000
APIC
+Switches
Controllers
Configuration
+
Policy Model
BRKACI-2303 20
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
The ACI Fabric - Topology
Spine
Switches
Leaf
Switches
APICAPIC APIC
BRKACI-2303 21
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
The ACI Fabric – IS-IS
Routed links
(IP unnumbered)
IS-IS Level 1
L3 Fabric
Server-1 Server-2 Server-n
Default Gateway
Default Gateway
Default Gateway
BRKACI-2303 22
VXLAN
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Inside
The ACI Fabric - Inside & Outside
Border
Leaves
Route Reflectors
OSPF, BGP,
EIGRP & static
OutsideForwarding policy for ‘inside’ EPG’s defined by associated bridge domain network policies
‘Outside’ EPG associated with external network policies (OSPF, BGP, … peering)
MP-BGP is
used to
distribute
external
routes within
the fabric.
BRKACI-2303 23
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
REST API
GUI CLIAPI
Python SDK
The APIC – Northbound Interface
BRKACI-2303 24
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
The APIC – Southbound Interface
ACI-enabled Fabric devices L4-7 Scripting APIs
OpFlex Device Package
BRKACI-2303 25
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Policy Model
Logical Model
• Contains policy defined by administrator
Resolution Model
• Intermediary format between APIC and network node
Concrete Model
• Device specific implementation of logical model
BRKACI-2303 26
OpFlexOpFlex
Agent
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Tenant-A
Private Network-1
Bridge
Domain-1
ACI Terminologies
Subnet-1
Customer / Group / BU
Routing Table VRF
L2 Boundary
IP Space(s)
Groups of end points
Tenant-B
Private Network-2
Bridge
Domain-2
Bridge
Domain-3
Bridge
Domain-4
Subnet-2 Subnet-3Subnet-4
Subnet-5
EPG-A
EPG-B
EPG-C
EPG-D
EPG-E
EPG-F
Private Network-3
Bridge Domain-5
Subnet-6
Subnet-7
EPG-A
EPG-B
EPG-C
BRKACI-2303 27
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Management Information Model
Solid lines indicate objects below contained
Dashed lines indicate a relationship
1:n indicates one to many
n:n indicates many to many
TENANT
L2/L3
Outside
Networks
Application
Network
Profiles
Contexts
(VRF)Contracts Filters
Subnets Subjects
Bridge
Domains
n
n
n
n n n n n
n n
n
n n
1 1 1 1
1
EPGs
n 1
BRKACI-2303 28
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
For more information on ACI
BRKACI-2303 29
ACI
http://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-
infrastructure/index.html
Related sessions:
BRKACI-2008 - A Technical Introduction into ACI
BRKACI-2004 - How to setup an ACI fabric from scratchBRKACI-2102 - ACI Troubleshooting
ACI Fabric Security
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
ACI Fabric Security
• Whitelist Security Model
• APIC Hardening
• APIC Northbound Protocols
• APIC Northbound Authentication
• Two Factor Authentication
BRKACI-2303 31
• APIC to Switch Authentication and Encryption
• NXOS Image Signing and Verification
• COOP Authentication
• Audit Logs for all Changes
• Security Certifications
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 32BRKACI-2303
Whitelist Security Model
Outside
Web App DB
Allow TCP 443 Allow TCP 1434Allow TCP 80
ACI Fabric
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Hardened OS CentOS 6.5 (Future CentOS 7.2)
• Only open TCP ports are 22, 80, 443
• Port 80 is redirected to 443
• API Throttling (transactions/sec)
APIC Hardening
BRKACI-2303 33
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• HTTP/HTTPS for GUI or REST API
Webtoken login (username & password)
X.509 certificate login (username & X.509 certificate)
• CLI over SSH
Standard SSH login (username & password)
Password-free login (username & public key)
APIC Northbound Protocols
BRKACI-2303 34
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• APIC Local authentication
• External RADIUS
• External TACACS+
• External LDAP and Active Directory
APIC Northbound Authentication
RADIUS
TACACS+
LDAP/AD
Local Authentication
BRKACI-2303 35
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Two Factor Authentication
BRKACI-2303 36
• ACI and Symantec Integrated 2-factor Authentication
http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-734458.pdf
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
APIC to Switch Authentication and Encryption
TLS
1.2 Infr
a
Mg
mt
Te
na
nt
APIC-to-APIC, and APIC-to-Switch
Authentication
1. Establish SSL connection and exchange
public key certificates
2. For additional security, shared secret or
device serial number can be optionally
exchanged
3. After successful validation, connection is
ready
4. Messages are authenticated with HMAC
digest
BRKACI-2303 37
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Generate Hash (SHA512)
Create Signature (RSA-2048 bit)
Using ACI RSA 2048 Private KeySwitchImage
Signed Hash
Image Download
FIPS-140-2 compliant build system
Development Key
Release Key
Revocation Key
Extract signature from image
Signed Image Verification on Switch Sup & LCs
Compare Hash with Image SHA512 Hash
Try all development and release keys in ACT2 keystore
NXOS Image Signing and Verification
ACT2 HSM
Leaf/Spine Switch SwitchImage
Signed Hash
TPM Chip
Secure Key Store
BRKACI-2303 38
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
COOP Authentication
BRKACI-2303 39
apic1# configure
apic1(config)# coop-fabric
apic1(config-coop-fabric)# authentication type ?
compatible Compatible type
strict Strict type
apic101-apic1(config-coop-fabric)# authentication type strict
Release 2.0(x)
Council of Oracle Protocol (COOP) is used to
communicate the mapping information (location and
identity) to the spine proxy.
Two ZMQ authentication modes:
Strict mode: MD5 authenticated ZMQ
connections only.
Compatible mode: MD5 authenticated and non-
authenticated ZMQ connections
Oracle Oracle Oracle Oracle
Citizen Citizen Citizen Citizen Citizen Citizen
Council of Oracle
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Audit Logs for all Changes
Audit-logs are native to the ACI object model. Audit-logs contain:
• The object that was affected by a change
• What changed, Time stamp, user who made the change, the trigger, etc.
BRKACI-2303 40
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Port Security
• Limits the number of mac-addresses learnt on a bridge-domain port of ACI leaf switch.
• Supported on newer leaf switches (-E)
• MAC addresses on port are exceeding Maximum Endpoints setting:
• Learning is disabled
• New mac-address not added to CAM
• Traffic is dropped for new MAC
• Generate 1 syslog entry for violation action
BRKACI-2303
Release 2.0(1m)
41
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Security Certifications
Certification NXOS N9K
Standalone
ACI
N/A Done
Done Q4 CY16
Target Complete Feb 16 Q3 CY 16
Done Q4 CY16
Done Planning
BRKACI-2303 42
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
For more information on ACI fabric security:
BRKACI-2303 43
Cisco Application Centric Infrastructure Security: Chain of Trust White Paper
http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-
infrastructure/white-paper-c11-736292.html
Role Based Access Control
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Role Based Access Control
45BRKACI-2303
• Controlling user access according to their specified roles
• Control READ and WRITE for ALL Managed Objects
• Users with different roles get selective Access to MIT Managed Objects
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Configuring Role Based Access Control
46BRKACI-2303
Roles
Security
Domains
User
AD/LDAP
RADIUS
TACACS+
Local
Privileges
Fabric
Common
Tenant A
Tenant B
readPriv
writePriv
What user can do
Which subtree the role applies
fabric-equipment
tenant-epg
vmm-connectivity
nw-svc-device
admin
fabric-admin
tenant-admin
vmm-admin
Managed Information
Tree (MIT)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
universe
Fabric Instance
Switch1
SwitchN
LC1
Port1 PortN-1 PortN
Fabric Infra DomainTenant Domains
Tenant BTenant A
Shared Policies Domain
QoS Policy
Access Policy
ANP
EPG-2EPG-1
Tenant Common
End-Points
BRKACI-2303 47
End-Points
ANP
EPG-2
End-Points
Admin Domain: all Roles: Admin-Write
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
universe
Fabric Instance
Switch1
SwitchN
LC1
Port1 PortN-1 PortN
Fabric Infra DomainTenant Domains
Tenant BTenant A
Shared Policies Domain
QoS Policy
Access Policy
ANP
EPG-2EPG-1
Tenant Common
End-Points
BRKACI-2303 48
End-Points
ANP
EPG-2
End-Points
Domain: TenantA, Roles: Admin-WriteDomain: Common, Roles: read-only
TenantA-admin
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Normal RBAC functionality grants access to all instances of classes of objects under the tenant subtree.
• RBAC rules allow granular control on top of existing RBAC framework
• Example: Tenant A has two firewalls with following RBAC requirements:
RBAC Rules
BRKACI-2303 49
Tenant A
ANP-1
EPG-2EPG-1
End-Points
End-Points
ANP-2
EPG-4EPG-3
End-Points
End-Points
fw1-admin: Write access on FW1• Domain TenantA: read-all privileges
• Domain sd-fw1: fw1-admin WRITE privileges
fw2-admin: Write access on FW2• Domain TenantB: read-all privileges
• Domain sd-fw2: fw2-admin WRITE privileges
FW1 FW2
Release 1.2(1m)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• RBAC Rules are additive and associative.
• Cannot be negative/blocking rules.
• Require knowledge of the DNs of resources.
• RBAC Rule DNs and Domains are validated only for format, not for existence.
• You can pre-create RBAC Rules prior to the creation of the DN object they refer to.
RBAC Rules
BRKACI-2303 50
Segmentation for Security
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Segmentation for Security
52BRKACI-2303
• Segmentation using EPGs
• Micro-Segmentation
• Intra-EPG Isolation
• Distributed Firewall (DFW)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Segmentation using EPGs
No communication between EPGs unless allowed by a contract
Contract defines how an EPG communicates with other EPGs
“Provided” by one EPG and “consumed” by another.
Subjects are used to build definition of communication between EPGs.
Subject is a combination of a filter, an action, and optional label
Labels allows greater flexibility in complex relationship definitions
Web ServerClient
ProviderConsumer
TCP Port 80 ,8080Contract
Subject
Subject
Filter
Action
Label
Port 80, 443
Permit
WebAccess
…
BRKACI-2303 53
EPG-1 EPG-2
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
APPLICATION NETWORK PROFILE
Application Network Profile (ANP)
APP ServersWEB Farm
C C
DB FarmUsersUsers
C
One-way Contract
Users consume WEB services
One-way Contract
DB provides services to APP
Two-way Contract
WEB & APP provide & consume services between each other
• Group of EPGs and the Contracts (policies)
• Defines which EPGs can communicate and how they communicate
BRKACI-2303 54
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
EPG WEB EPG APP EPG DB
NW Public
NW Private
subnet
subnet
pro
vid
e
pro
vid
e
pro
vid
e
provide provide provide
infra shared services
consume consume consume
L3 contextbd bd bd
web c
ontra
ct
java c
ontra
ct
sql c
ontra
ct
mgmt contract
Outsideconsume consume
consume
Application Network Profile - Example
BRKACI-2303 55
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
vDS Cisco AVS IP/MAC EPG Hyper-V vSwitch Open vSwitch Open vSwitch
VLAN VLAN VLAN or
VXLANVLANVLANVLAN
Micro-Segmentation with ACI
EPG-Web
Micro-Segmentation Across any Workload
Attribute Type
MAC Address Filter Network
IP Address Filter Network
VNic Dn (vNIC domain name) VM
VM Identifier VM
VM Name VM
Hypervisor Identifier VM
VMM Domain VM
Datacenter VM
Custom Attribute
(VMWare AVS/vDS only)
VM
Operating System VM
BRKACI-2303 56
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is Micro-Segmentation?Example
VM Attributes
EPG – Server
vCenter
Base EPG
Coke1(x.x.x.21)
vSwitch + Opflex
Windows Server
EPG – Server
Base EPG
EPG – Server
Base EPG
AVS with Opflex
Windows Server VMware ESX server
vSwitch + Opflex
Pepsi1(x.x.x.11)
Coke2(x.x.x.22)
Pepsi2(x.x.x.12)
Coke3(x.x.x.23)
Pepsi3(x.x.x.13)
VM Attributes
CokeEPG = VM_name(Coke*)
Coke1(x.x.x.21)
Coke2(x.x.x.22)
Coke3(x.x.x.23)
CokeEPG CokeEPG CokeEPG
1. ALL VMs can talk to each other in Base EPG
2. Admin creates CokeEPG policy for micro-segmentation
3. CokeEPG policy distributed via Opflex to HyperV/ESX
4. VM’s VLAN gets changed to new CokeEPG VLAN
HV1 HV2
FS
5. VMs in CokeEPG can’t talk to VMs in Base EPG anymore
APIC
BRKACI-2303 57
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why is Intra-EPG Isolation Needed?
Problem
Solution
Intra-EPG Isolation Denies All
Communication within an EPG
BRKACI-2303 58
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKACI-2303 59
Micro-Segmentation and Intra-EPG Isolation
PROD
PODDMZ
SHARED
SERVICES
Basic DC Segmentation
Flexible
Segmentation
DEV
TEST
PROD
Application Lifecycle
Segmentation
WEB
APP
DB
Service Level
Segmentation
Network-Centric
Segmentation
VLAN 1 VXLAN 2
VLAN 3
Hypervisor Agnostic Micro-segmentation
For Any Virtual Workload
Quarantine Infected VMs With Guest OS = Linux
Hypervisor
Virtual Switch (any)
Attributes Based Micro-Segments
(DVS, AVS, Hyper-V Switch, OVS)
FW
OS = Linux Name = Video-*IP = 1.1.1.x
FW
Intra-EPG Isolation + Micro-segmentation
For Any Workload (Physical, Virtual)
Intra-EPG Isolation
Local switching
Micro-Segmentation
Web EPG DB EPG
DB EPG
Intra=EPG Isolation + Micro-Segmentation
DB EPG
Local switching
Intra-EPG Isolation
FW
EPG Isolation + Micro-Segmentation
Web EPG
Intra-EPG Isolation
Quarantine Infected VMs
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Distributed Firewall (DFW) on AVS• Connection tracking support (TCP) on AVS
• DFW is only applicable to Virtual End Points.
• DFW is not applicable to system ports (vmkernel ports) and uplinks.
• Global (per AVS host) flow limit: 250,000
• Per Interface (End Point) flow limit: 10,000
• Aging Interval: Adaptive aging (5 minutes – 2 hours)
• States for a flow:-•STATE_SYN_RECV
•STATE_SYN_ACK_RECV
•STATE_ESTABLISHED
•STATE_FIN_RECV
•STATE_ESTABLISHED_ONE_DIR
•STATE_2ND_FIN_RECV
•STATE_FTP_DATA
BRKACI-2303 60
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Firewall Policies
• System creates Global defaultpolicies which can be changed by the user
• Global defaults can be overridden per VMM Domain:
• Configure vSwitch policies under Attachable Entity Profile
• Firewall Policy Modes:
• Disabled: Disables Firewall
• Enabled: Enables Connection Tracking and Packet Drops in AVS
• Learning: Enables Connection Tracking, but packets are not dropped on a miss
BRKACI-2303 61
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Stateful Contracts and Filters
• User can set Stateful bit while configuring filters for TCP traffic
• Reflexive ACL in the hardware is programmed to allow TCP packets only if ACK flag set.
BRKACI-2303 62
Visibility
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Visibility
64BRKACI-2303
• Endpoint Tracker
• Syslog
• SNMP version 2 & 3
• Cisco Tetration Analytics
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
End Point Tracker
• Endpoint tracker is located under Operations tab
• Find real time location of the endpoint: EPG, Node, Interface, Ecnap.
• Keeps history of endpoint movement with date and time stamp.
65BRKACI-2303
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Syslog
66BRKACI-2303
• MOs with associated faults or stats have
a scope
• Notifications for different scopes can be
sent to different destinations
• Faults, Event Records and Audit
Records can be dispatched using
syslog, as well as callhome & SNMP
traps
• Switches send syslog message directly
to the destinations, APIC is not involved
in forwarding switch syslog messages.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SNMP v2 & 3
67BRKACI-2303
• Following SNMP Features are
supported on APIC: SNMP Protocol v2c and v3
SNMP Traps (v1, v2c and v3)
• The SNMP agents run independently
on Switches and APIC.
• The APIC MIBs are read-only. The
SNMP Set operation is not supported
• Each APIC must be monitored
separately for SNMP MIBs.
• Each APIC provides MIB Objects
local to it.
• Each switch must be queried
independently to provide the
monitoring information.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Application
Insight
Policy
Simulation
and Impact
Assessment
Automated
Whitelist
Policy
Generation
Forensics:
Every Packet,
Every Flow,
Every Speed
Policy
Compliance
and
Auditability
Cisco Tetration Analytics
BRKACI-2303 68
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Tetration Analytics Architecture
Analytics Engine
Cisco Tetration
Analytics™
Platform
Visualization and
Reporting
Web GUI
REST API
Push Events
Data Collection
Host Sensors
Network Sensors
Third-Party
Metadata Sources
Tetration
Telemetry
Configuration
Data
Cisco Nexus®
92160YC-X
Cisco Nexus
93180YC-EX
VM
BRKACI-2303 69
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Cisco Tetration Analytics ContinuumPersistent Visibility for Any Workload, 24 x 7
Zero Trust
Discover
Centralized policy orchestration and distributed sensors
Enforce
Secure multitenancy with whitelisting
Harden
Per-application microsegmentation
Detect
Deep traffic visibility
Block*
Threat-centric protection (roadmap)
Defend*
Real-time threat intel (roadmap: Talos)
Scope
Network forensic analysis
Audit
Network and security audit
Remediate
Remediation of policy issues
Visibility Compliance
BRKACI-2303 70
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
For more information on Cisco Tetration Analytics
BRKACI-2303 71
Visit Cisco Tetration Analytics Page:
http://www.cisco.com/c/en/us/products/data-center-analytics/tetration-analytics/index.html
Related sessions:
BRKDCN-2040: Tetration Analytics - Network Analytics & Machine Learning Enhancing Data Center
Security and Operations
BRKACI-2060: Cisco Tetration: Data Center Analytics Deployment and Use Cases
Implementing Advanced Security
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Advanced Security Controls
• Security Automation (Service Graph)
• Trustsec Integration
Advanced Security
BRKACI-2303 73
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 74BRKACI-2303
Cisco ACI and Cisco Advanced Security
Cisco ACI + Cisco Advanced Security Advantages:
• Addresses key DC challenges: threat-centric, visibility, compliance
• Only complete Before, During, and After approach to threats
• Industry’s most comprehensive threat intelligence with TALOS
• Highest rated Next Generation Intrusion Prevention System*
• Highest rated Breach Detection System – 99.2% effective**
*NSS NGIPS SVM Report, April 2015. **NSS Breach Detection SVM Report, August 2015..
Centralized Policy
Automation
Secure Multi-Tenancy with Whitelisting
Attribute-Based Microsegmentation
VM-Based Segmentation
Industry Compliance
Standards (PCI)
vm vm vm
ACI Group Policy
APIC integration
Threat-Centric
Protection
Deep traffic inspection
Real-time Threat
Intelligence
Forensic Analysis
APIC
Dynamic Workload
Quarantine
Cisco Advanced Security – ASA / Firepower / AMP
Native ACI Security
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 75BRKACI-2303
Cisco ASA FW and Management Features
Cisco ASA
Cisco ASA
9.5
1G/10G/40G ports, max 1024 VLAN tagged sub-interfaces
Failover active/standby and Clustering active/active high-availability models
Embedded Firepower Services (AVC, NGIPS, URL-filter, AMP)
SDN (Cisco APIC) and traditional (Cisco ASDM and Cisco Security Manager)
management tools
Dynamic routing includes Open Shortest Path First (OSPF), Enhanced Interior
Gateway Routing Protocol (EIGRP), and Border Gateway
Protocol (BGP)
IPv6 inspection support, Network Address Translation (NAT) 66, 46, and 64
REST API for programmed configuration and monitoring
Cisco TrustSec® Policy Enforcement Point (PEP) with security group tag
(SGT)-based access control lists (ACLs), plus inline-tagging capable
Zone-based firewall, Equal-Cost Multipath, Policy-based routing, VxLAN
support (VTEP)
Multiple Context for customer segmentation (max 250 contexts)
LAN-to-LAN and RA VPN (AnyConnect and Native RAVPN clients)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 76BRKACI-2303
Cisco FirePOWER NGIPS Features
Cisco FirePOWER
Cisco
FirePOWER
6.0
Configurable Fail Open Interfaces
Connection / Flow Logging, Network, User, and Application Discovery
Traffic filtering / ACLs and Fastpath
NSS Leading IPS Engine
Comprehensive Threat Prevention
Security Intelligence (C&C, Botnets, SPAM etc.)
Blocking of Files by Type, Protocol, and Direction
Basic DLP in IPS Rules (SSN, Credit Card etc.)
Access Control: Enforcement by Application and User AD integration
Switch, Routing, NAT Options, and ISE PxGRID integration
URL Filtering, Malware Blocking, Continuous File Analysis, Malware
Network Trajectory
Firepower Management Center (fka. FireSIGHT or Defense Center)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 77BRKACI-2303
Converging code for Threat-Centric NGFW
FirePOWER
• Threat-centric NGIPS
• AVC, URL Filtering for NGFW
• Advanced Malware Protection
2ASA
• L2-L4 Stateful Firewall
• Scalable CGNAT, ACL, routing
• Application inspection
1
Firepower Threat Defense (FTD)
• New converged NGFW/NGIPS image
• Full FirePOWER functionality for NGFW/NGIPS deployments
• ASA Datapath with TCP Normalizer, NAT, ACL, dynamic routing, failover functions
3
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 78BRKACI-2303
Firewall (FW) NGIPS NGFW
ASA FirePOWER
FTD Inline / Passive
Firepower Threat Defense
ASA + FirePOWER services
ASAv
FPv
FTDv
Data Center Gear
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 79BRKACI-2303
Simplifying NGFW Deployments
ASA + FirePOWER (SFR)
ASA FW Code
FirePOWER NGIPS
Service SFR Code
One Appliance – Two Images
Firepower Threat Defense
Threat-focused NGFW
One Appliance – One Image
Firewall URL Visibility Threats
ASA FW
FirePOWER NGIPS
Network Stitching or
ACI Service Graph Chain
Two Appliances
Two Management Consoles
1
2
2
1 3
Two Management Consoles One Management Console
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 80BRKACI-2303
Cisco ASAv
Cisco Virtual Firewall ASAv - multiple-hypervisor support with traditional network interaction.
Day 0 and Any Virtual Switch
vSwitch or dvSwitch
Cisco® AVS
Cisco Nexus® 1000V
(no vPath), Open vSwitch
Cisco® ACI Integration
KVM
Cisco ASAv qcow2 image
KVM 1.0 Virtio driver
KVM
VMware
vSphere client, ovftool, and
vCenter OVF Config Dialog
VMware ESXi 5.x, 6.x, Fusion
E1000
Hyper-V
Hyper-V Manager and
PowerShell deployments
Generation 1 guests
Microsoft
Windows
Vmware
Public Cloud
AWS marketplace
c3.large, c3.xlargeAmazonWeb Services
Azure Marketplace
Standard D3Microsoft
Azure
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 81BRKACI-2303
Cisco Virtual FirePOWER and Mgmt Console
Cisco Virtual FirePOWER NGIPS Sensor and Multi-device Firepower Management Console
VMware
vSphere client, ovftool, and
vCenter OVF Config Dialog
VMware tools on sensor/FMC
VMware ESXi 5.x, Fusion
E1000FPv
FMC
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 82BRKACI-2303
Cisco Virtual FTD with Mgmt Console
Cisco Virtual NGFW and Multi-device Firepower Management Console
VMware
vSphere client, ovftool, and
vCenter OVF Config Dialog
VMware ESXi 5.1, 5.5, Fusion
No VMware tools yet on FTDv
E1000
FMCv
AWS
c3.xlarge, BYOL
FTDv
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 83BRKACI-2303
Virtual vs. Physical Appliance Features
Cisco Virtual ASA and FirePOWER
Cisco ASAv
Removed clustering and
multiple-context mode
Cisco ASAv
10 vNIC interfaces, VTEP, and VLAN tagging
Virtualization displaces multiple context and clustering
Failover active/standby high-availability model
New SMART Licensing model (One license per model)
Parity with all other Cisco® ASA platform features
Cisco FirePOWERv
Virtual Sensor for the Hypervisor environment
Virtualization prevents fail-to-wire and fastpath
Inline L2 or tap traffic deployment
The same licensing model: Control, URL Filtering, and AMP
licensesRemoved Fail-Open,
Fastpath, Routing, and NAT
Cisco
FirePOWERv
6.0
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Service graph is an ordered set of functions between a set of terminals (consumer and provider) e-g; Firewall Function, Load balancer Function
• A function has one or more connectors
• Network connectivity like VLAN/VNID tag is assigned to these connectors
Functions rendered on the same device
• A function within a graph may require one or more parameters
• Parameters can be scoped by an EPG or an application profile or tenant context
• Parameter values can be locked from further changes
Service Graph: “web-application”
Func: SSL offload
Func: Load Balancing
Func: Firewall
Connectors
TerminalsTerminals
Firewall paramsPermit ip tcp * dest-ip <vip> dest-port 80Deny ip udp *
SSL paramsIpaddress <vip> port 80
Load-Balancing paramsvirtual-ip <vip> port 80 Lb-aglorithm: round-robin
EXT
EXT EXT EXT
EPG - EXT
WEB
WEB WEB WEB
EPG - WEB
Consumes Provides
84BRKACI-2303
Service Graph DefinitionAbstract graph concept mapping to Service Graph
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Purpose of the Service Graph
• By using the Service graph you can
• install a service, like the ASA firewall once and
• deploy it multiple times in different logical topologies
• Each time the graph is deployed ACI takes care of changing the configuration on the firewall to enable the forwarding in the new logical topology.
• ACI takes care of dynamically provisioning VLANs, IP addresses while re-using the same graph template
• The benefits of the service graph are:
• a configuration template that can be reused multiple times
• a more logical / application-related view of services
• provisioning a device that is shared across multiple departments
BRKACI-2303 85
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
“Users”“Files”
ACI Fabric
Configurations with Service Graph
• All configurations performed in a single operation:
• Fabric configuration: Bridge Domains, VLANs, Routing, EPGs
• Firewall configuration: VLANs, Interfaces
• ACLs
BRKACI-2303 86
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Service Configuration before the Service Graph
192.168.1.1 192.168.1.100
10.1.1.1
172.16.1.1
192.168.100.1
HTTP (TCP/80)
HTTPS (TCP/443)
DCERPC (TCP/135)
SSH (TCP/22)
ICMP
access-list OUT permit tcp host 192.168.1.1 host 10.1.1.1 eq 80
access-list OUT permit tcp host 192.179.1.1 host 10.1.1.1 eq 443
[…]
access-list OUT permit icmp host 192.168.1.100 host 192.168.100.1
30 ACL Rules
172.18.20.13
access-list OUT permit tcp host 172.18.20.13 host 10.1.1.1 eq 80
access-list OUT permit tcp host 172.18.20.13 host 10.1.1.1 eq 443
[…]
access-list OUT permit icmp host 172.18.20.13 host 192.168.100.1
15 ACL Rules
45 ACL Rules
Network Admin Security Admin
Add client
172.18.20.13, call
Security Admin to
enable access
Remove client 192.168.1.1,
“no other action necessary”
Add ASA rules for client
172.18.20.13
Original ASA rules never
change4
1
2
2
3
4
Files
Users
BRKACI-2303 87
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Automatic endpoint addition/removal with ACI
10.1.1.1
172.16.1.1
192.168.100.1
Servers
192.168.1.1
192.168.1.100
172.18.20.13
HTTP (TCP/80)
HTTPS (TCP/443)
DCERPC (TCP/135)
SSH (TCP/22)
ICMP
Source EPG
Leaf 1, port 1 Users
Leaf 1, port 10 Users
Destination EPG
Leaf 3, port 2 Servers
Leaf 4, port 8 Servers
Leaf 5, port 12 Servers
Leaf 2, port 12 Users
Network Admin
Add client 172.18.20.13, use
existing ASA instance
Remove client
192.168.1.1
Security AdminInsert ASA instance in the service
graph with desired policies
Same 5 service rules and
actions
ASA1
Clients
Port Rules
access-list OUT permit tcp any any eq 80
access-list OUT permit tcp any any eq 443
access-list OUT permit tcp any any eq 135
access-list OUT permit tcp any any eq 22
access-list OUT permit icmp any any
BRKACI-2303 88
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 89BRKACI-2303
For more information on Service Graph
Service Graph Design with Cisco Application Centric Infrastructure White Paper:
http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-
infrastructure/white-paper-c11-734298.html
Related sessions:
BRKACI-2121: Making the best of Services Automation with ACI Service Graph and Python
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 90BRKACI-2303
Dynamic Security with Trustsec on ASA in ACI
DB EPG
ISE
ACI Fabric
Corp EPG
Marketing
Engineering
Corp→DB : Allow, Redirect to ASA
All Other : Drop
APIC Policy Contract
Source Destination Action
Engineering Any Allow
Any Any Deny
[SGT 333]
1. Corporate users on
traditional Nexus 7000 in Corp
EPG get assigned SGT values
by ISE
SXP
2. ASA learns SGT
mappings OOB through
SXP
4. Fine filtering: ASA permits
only Engineering to access
database from corporate based
on SGT
3. Coarse filtering: ACI Policy Contract
allows all traffic from corporate network
to database, redirects to ASA
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
ISE and ACI Policy Models
Src-SGT
(identity)
Dest-SGT
(identity)SGACL
ISE Policy Model
Src-EPG
(identity)
Dest-EPG
(identity)Contract
ACI Policy Model
ISE Controller
APIC Controller
Policy Mapping
BRKACI-2303 91
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
ACI + Trustsec Policy Plane Architecture
ISE Policy Domain APIC Policy Domain
Co
ntr
oll
er
La
ye
r 1. Exchange SG/EPG Names
2. Exchange IP->SG/EPG Bindings
Server IP-> EPG bindingsUser IP->SGT Bindings
ISE
ACI Border Leaf
iVXLAN
SXP S
Enterprise CoreCMD/SGT
SXPv4
Netw
ork
La
ye
r
SGT not propagated in data plane
iVXLAN
Server
classificationUser
classification Propagation
DC
EnforcementPropagationCampus
Enforcement
BRKACI-2303 92
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Policy Federation ISE to APIC Flow: TrustSec SGT Policy used to Program ACI EPG Policy
Enterprise
Backbone
ACI Policy Domain
ACI Border
Leaf (N9K)
ACI Spine (N9K)
Netw
ork
La
ye
rC
on
trolle
r La
ye
r
TrustSec Policy Domain
Netw
ork
La
ye
rC
on
tro
lle
r L
aye
r
ISE
BYOD
10.1.10.220SGT Federated to ACI Policies
ISE Retrieves:
EPG Name: App EPG,
EPG Binding = 10.1.100.52
App Server10.1.100.52
App EPG
Endpoint = 10.1.100.52
External EPG Name = BYOD
EPG binding = 10.1.10.220
Plain
Ethernet
(no SGT)
BYOD
SRC:10.1.10.220
DST: 10.1.100.52
SGT: BYOD
xSRC:10.1.10.220
DST: 10.1.100.52
EPG BYOD
SRC:10.1.10.220
DST: 10.1.100.52
ISE Exchanges:
SGT Name: BYOD
SGT Binding = 10.1.10.220
SGT Policy
Enforcement
ACI Leaf
Enforcement
BRKACI-2303 93
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Policy Federation APIC to ISE: ACI EPG Policy used to Program Trustsec Policy
ACI Policy Domain
ACI Border
Leaf (N9K)
ACI Spine (N9K)
Netw
ork
La
ye
rC
on
trolle
r La
ye
r
TrustSec Policy Domain
Netw
ork
La
ye
rC
on
tro
lle
r L
aye
r
ISE
ISE Retrieves:
EPG Name: App EPG
EPG Binding = 10.1.100.52
App Server10.1.100.52
App EPG
Endpoint = 10.1.100.52
BYOD
10.1.10.220
Enterprise
Backbone
EPG Federated to TrustSec Policies
Propagated with SXP
• SGT Name = BYOD
• EPG Binding = 10.1.100.52
BYOD
SRC:10.1.10.220
DST: 10.1.100.52
SGT: BYODACI Leaf
Enforcement
Plain
Ethernet
(no SGT)SGT Policy
Enforcement
BRKACI-2303 94
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Campus Identity Scale Up Automatically Propagated into ACI Data Center
ISE Controller
User 1
User 1000
SGT Binding Scale Up
APIC dynamically learns
Scale Up User Bindings in Campus
ACI Data Center
BRKACI-2303 95
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
ACI App Scale Up Automatically Propagated into Campus ISE Controller
ISE dynamically learns
Scale Up VM Bindings in DC
ISE Controller ACI Data Center
App Dynamic Scale Up in DC
VM1
VM1000
Trustsec Domain
BRKACI-2303 96
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
APIC Settings in ISE Controller
APIC Settings:
• Credentials
• Tenant name
• L3out
BRKACI-2303 97
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
ISE TrustSec SGT Policy Federated to APIC as External EPGs + Bindings
External EPGs Bindings
BRKACI-2303 98
Design Practices
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKACI-2303
Design Practices
• Manual EPG Stitching
• Partial Automation
• Full Automation
• Design Example
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
• APIC defines Tenants
• EPG is VLAN/Subnet
• Fabric GW/Routing
• No Device Package
• ‘Happier’ SecOps
• Orchestrate it ALL!
• Vendor Device Package
EPG
Web
EPG
App
EPG
DB
EPG
Web
EPG
App
EPG
DB
Unmanaged Service Graphs
EPG
Web
EPG
App
EPG
DB
Managed Service Graphs
Manual EPG Stitching Partial Automation Full Automation
APIC in Control
BRKACI-2303 101
ACI L2 Fabric
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SECURITY Admin
102BRKACI-2303
Manual EPG Stitching
Allow flexibility to enable ACI fabric for EPG management, and attach
security directly into EPGs.
Network Admin
• Firewalls managed separately from APIC by security team.
• Service attaches to EPG / VLANs / PGs and serves as a host gateway to steer traffic.
• Creation of EPG segments still done on APIC, EPs are virtual machines or physical servers.
• Firewalls control traffic flows between EPGs.
• Firewalls are GWs and peer with external routers
• Northbound API to script full Tenant network creation
EPG
Web
EPG
App
EPG
DB
EPG
Out
No Device Package
ACI L2 Fabric
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Partial Automation
Customers enable full ACI fabric benefits with out forcing a device package.
No Device Package
BRKACI-2303 103
SECURITY Admin
Network Admin
• Firewalls managed
separately from APIC by
security team.
• Virtual appliance data plane
vNICs get attached to
proper PGs via APIC.
• Physical appliance attaches
to the given fabric ports and
must match VLANs.
• Creation of EPG segments
still done on APIC, EPs are
virtual machines or physical
servers.
• Contract is between EPGs
and adds unmanaged
Service Graphs
EPG
Web
EPG
App
EPG
DB
Unmanaged Service Graphs
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Full Automation
EPG
Web
EPG
App
EPG
DB
Leverage the full benefits of ACI fabric with ability to program L4-L7 using
device package.
Managed Service Graphs
BRKACI-2303 104
SECURITY Admin
Network Admin
With Device Package
RBAC
• Firewalls managed within
APIC GUI. Security team
can now program L4-L7
Function Profiles.
• Physical appliance attached
to fabric and APIC
configures DP with
matching VLANs.
• Virtual appliance data plane
vNICs get attached to
proper PGs via APIC.
• Creation of EPG segments
done on APIC, EPs are
virtual machines or physical
servers.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
FW Admin
to Configure
Device
Service Insertion
Appear in
Object
Model
Use EPG Stitching
No Service Graph
Health &
Statistics
Visibility in
ACI
Use Orchestration
Use Managed
Service Graph
Use Future version of
Service Graph
(with FMC/BigIQ)
Use Unmanaged
Service Graph
Service Insertion Decision Flowchart
yes
no yes
no
yes
no no
yes
BRKACI-2303 105
APIC managing
Via 3rd party Controller
(FMC/BigIQ)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 106BRKACI-2303
Example: Tenant DesignTenant Common
Te
na
nt
Pro
d
VRF
Zone-1
VRF
Zone-3
VRF
Zone-4
VRF
Zone-2
Tenant ManagementTe
na
nt
Pre
Pro
d
VRF
Zone-1
VRF
Zone-3
VRF
Zone-4
VRF
Zone-2
Te
na
nt
De
vTe
st
VRF
Zone-1
VRF
Zone-3
VRF
Zone-4
VRF
Zone-2
VRF
Zone-1
VRF
Zone-2
VRF
Zone-3
VRF
Zone-4
VRF
Zone-1
VRF
Zone-2
VRF
Zone-3
VRF
Zone-4
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 107BRKACI-2303
Example: Tenant Firewall Insertion
Te
na
nt
Pro
d
Prod Firewall
Context
L3-Out
L3-Out
L3-Out
L3-Out
ACI Network
VRF
Zone-1
VRF
Zone-3
VRF
Zone-4
VRF
Zone-2
Ten
an
t C
om
mo
n
Outside
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 108BRKACI-2303
Example: Tenant Design
Tenant
APP1
uEPG
DB1
uEPGC C
Bridge
Domain-2
Zone-2 VRF
WEB2
EPG
APP2
EPG
DB2
EPG
DB3
EPG
Zone-1 VRF Zone-3 VRF
Bridge
Domain-3
Bridge
Domain-4
Bridge
Domain-5
Bridge
Domain-1
C C
ANP-1 ANP-2 ANP-3ASAv ASAv
Firepower
9300
VRF-1 VRF-2 VRF-3
WEB1
uEPG
10.1.1.1/24
10.254.1.1/29
10.1.2.1/24 10.1.3.1/24 10.1.4.1/24 10.1.5.1/24
10.254.2.1/2910.254.3.1/29
10.254.4.1/29
L3Out L3Out L3Out
C C C
Conclusion
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Conclusion
• Security Architecture: A phased approach to build security solution
• Secure Fabric: ACI Embedded Security
• Role Based Access Control: The Principle of Least Privilege
• Segmentation for Security: Reduce Attack Surface, Limit Exposure
• Visibility: If you can not see, you can not defend
• Implementing Advance Security: Layard Security with Advanced Controls
• Design Practices: Complexity is Enemy of Security
110BRKACI-2303
We Securely Connect Everything to Make Anything Possible
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
BRKACI-2303 112
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
BRKACI-2303 113
Thank you
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Security Cisco Education OfferingsCourse Description Cisco Certification
CCIE Security Expert Level certification in Security, for comprehensive understanding of security
architectures, technologies, controls, systems, and risks.
CCIE® Security
Implementing Cisco Edge Network Security Solutions
(SENSS)
Implementing Cisco Threat Control Solutions (SITCS)
Implementing Cisco Secure Access Solutions (SISAS)
Implementing Cisco Secure Mobility Solutions
(SIMOS)
Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco
Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email
Security and Cloud Web Security
Deploy Cisco’s Identity Services Engine and 802.1X secure network access
Protect data traversing a public or shared infrastructure such as the Internet by
implementing and maintaining Cisco VPN solutions
CCNP® Security
Implementing Cisco Network Security (IINS 3.0) Focuses on the design, implementation, and monitoring of a comprehensive
security policy, using Cisco IOS security features
CCNA® Security
Securing Cisco Networks with Threat Detection and
Analysis (SCYBER)
Designed for security analysts who work in a Security Operations Center, the
course covers essential areas of security operations competency, including event
monitoring, security event/alarm/traffic analysis (detection), and incident response
Cisco Cybersecurity Specialist
Network Security Product Training For official product training on Cisco’s latest security products, including Adaptive
Security Appliances, NGIPS, Advanced Malware Protection, Identity Services
Engine, Email and Web Security Appliances.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
BRKACI-2303 116
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Data Center / Virtualization Cisco Education OfferingsCourse Description Cisco Certification
Introducing Cisco Data Center Networking (DCICN);
Introducing Cisco Data Center Technologies (DCICT)
Learn basic data center technologies and skills to build a
data center infrastructure.
CCNA® Data Center
Implementing Cisco Data Center Unified Fabric (DCUFI);
Implementing Cisco Data Center Unified Computing (DCUCI)
Designing Cisco Data Center Unified Computing (DCUDC)
Designing Cisco Data Center Unified Fabric (DCUFD)
Troubleshooting Cisco Data Center Unified Computing
(DCUCT)
Troubleshooting Cisco Data Center Unified Fabric (DCUFT)
Obtain professional level skills to design, configure,
implement, troubleshoot data center network infrastructure.
CCNP® Data Center
Product Training Portfolio: DCNMM, DCAC9K, DCINX9K,
DCMDS, DCUCS, DCNX1K, DCNX5K, DCNX7K
Gain hands-on skills using Cisco solutions to configure,
deploy, manage and troubleshoot unified computing, policy-
driven and virtualized data center network infrastructure.
Designing the FlexPod® Solution (FPDESIGN);
Implementing and Administering the FlexPod® Solution
(FPIMPADM)
Learn how to design, implement and administer FlexPod
solutions
Cisco and NetApp Certified
FlexPod® Specialist
For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact [email protected]
BRKACI-2303 117