BRKACI-2301
Andy Sholomon
@asholomon, Principal Engineer – DC Switching
Session Objectives
• Provide an overview of what we mean when we talk about implementing Micro Segmentation
• Describe the ACI features that help deploying Micro Segmentation
• Deep dive on what you can do with Micro EPGs and ACI contracts
• Provide ideas of how to use these features
• Show these features working on simple yet practical examples
• Show an example of Tetration and explain how it can work with ACI
BRKACI-2301 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Some comments about this deck
• We will cover some of the topics via examples and showing demos
• In the deck there are links to the code and videos of the demos
• Some slides are provided for your reference only, we may not talk through them.
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
cs.co/ciscolivebot#BRKACI-2301
Agenda
• Micro Segmentation Fundamentals
• Endpoint Identity Using EPGs and Micro EPGs (uEPG)
• ACI Contracts for Policy Definition
• Improvements in Hardware Utilization
• ACI and Hybrid Cloud Security
• Demo
What do we mean by Micro Segmentation?
Why Micro Segmentation?
(Diagram: DC Perimeter)
Security Risk: VMs or Servers on a Single Subnet
(Diagram: Web Servers VM4 172.16.20.11 and VM5 172.16.20.12; App Servers VM6 172.16.30.11 and VM7 172.16.30.12; DB Servers)
A Micro Segmentation Use Case
(Diagram: Prod, QA and Dev sharing 172.16.10.0/24)
Another Micro Segmentation Use Case
(Diagram: Web, App and DB sharing 172.16.10.0/24)
Micro Segmenting in a Heterogeneous Data Center
Many different types of workloads running in a Data Center
(Diagram: Campus and Branch Users; workloads virtualized with KVM and virtualized with Microsoft, among others)
Micro Segmenting requires granularly grouping endpoints, and defining and enforcing policy between them
(Diagram: Sales and Contractor endpoint groups with Policy Enforcement between them)
Key Functions to Achieve Micro Segmentation
Enforcement Points
Host-based - Centrally manage host-based firewalls
• Pros: distributed, network independent, very granular policies possible, process-level visibility and correlation
• Cons: Guest-OS dependent
Cisco Tetration – cloud workload protection
(Diagram: Tetration capabilities: Micro Segmentation, Data Leakage Detection, ADM, Vulnerability Assessment, Exploit Detection (Spectre / Meltdown), Integrity Management (process, file); real time; thousands of workloads; on premises and public cloud; all types of workloads, from mainframes to containers)
ACI implements distributed network policies
• Contracts define Layer2-Layer4 security policies.
• ACI distributed security policies are implemented at different enforcement points:
  - Leaf: hardware based, no performance penalty.
  - vSwitch (i.e. OVS, AVE): closest to VM, stateful connection tracking
(Diagram: leaf switches, External L2/L3, vSwitch and vSwitch w/OpFlex as enforcement points)
You can combine both host-based and network-based for tiered-security and operational reasons (SecOps vs. NetOps vs. DevOps).
Learn more: BRKACI-2010 - Tetration and ACI: Better Together
ACI RBAC
ACI Configuration Management
• ACI has 3 ways to manage the entire DC fabric, on and off prem:
  1. Web UI
  2. CLI
  3. API
• All three methods are secured by RBAC (Role Based Access Control) and allow granular multi-tenant flexibility
• For example, if desired, your “Dev Tenant” admin cannot see or configure your “Prod tenant”
(Diagram: CLI, Web UI and API requests are authorized against LDAP/AD, RADIUS, TACACS+ or an APIC-local user; user to Roles/Domains mapping, where Roles define what the user can do and Domains define where the user can do it)
(Diagram: ACI Anywhere: Remote Leaf / Virtual PoD at a Remote Location, APIC / Multi-Site On Premises, Multi-Cloud Extensions in the Public Cloud; Security, Analytics and Policy Everywhere)
ACI RBAC Roles are very granular
With the granular RBAC capabilities there is a capacity to split roles/responsibilities for users
But before we talk about Micro EPGs… a quick refresher on the ACI policy model and endpoint domains
So What’s an Endpoint Group (EPG)?
Communication Between EPGs
By default, EPGs cannot communicate with each other. To allow EPGs to speak with each other we connect them using contracts.
Remember… that’s the default behavior. It can be changed.
(Diagram: three-tier application with contracts that ALLOW TCP/443, TCP/8080 and TCP/3306 between the tiers. Web Server Tier (Virtual Machines): Web Tier is VM based, load balancer (LB) required. App Server Tier (Virtual Machines). DB Tier is running in bare metal.)
Contracts
(Diagram: WAN Contract)
Understanding Fabric Domains (contd.)
• Fabric domains also help APIC manage the allocation of certain resources for different types of endpoints:
  • Encapsulation pools: VLAN and VXLAN
  • Address pools: IP Multicast address pools
  • Security Domains
• Ports associate to the Domains via Attachable Entity Profile (AEP)
Virtual Machine Manager (VMM) Domains for Hypervisor Integration
• API relationship is formed between APIC and the Virtual Machine Manager (VMM), e.g. vCenter or RHV-M
• APIC obtains virtualization inventory, performs virtual and physical correlation
• Multiple VMMs supported on a single ACI Fabric simultaneously
(Diagram: VMs attached to VMM Domain 1, VMM Domain 2, VMM Domain 3 and VMM Domain 4)
Containers / PaaS Integration with ACI CNI Plugin
• Integration with kubeapi server: APIC obtains inventory of nodes and Kubernetes objects.
• ACI CNI Plugin implements: Distributed OVS Load Balancer for ClusterIP services.
Learn more: BRKACI-2505 - Deploying Kubernetes in the Enterprise with Cisco ACI; BRKACI-3330 - Openshift and Cisco ACI Integration
The ACI Network and Policy Model in one slide
(Diagram: Tenant – AcmeCo contains VRF – MyVRF; Bridge Domain – MyBD with Subnet/SVI; Contracts)
Three approaches to using EPGs in ACI
1. Create a BD and one EPG for each existing VLAN. Common strategy to lift-and-shift traditional configurations. Simpler for migration, complex for Micro Segmentation.
2. Create one EPG for each application Tier. Flat-network design, many apps can share a single BD. Fantastic for GreenField and automated deployments.
3. New Apps and Legacy Apps share the same Fabric. Tenant and VRF sharing, or dedicated Tenant/VRF and leaking.
A common network-centric example with BD/EPG = VLAN
(Diagram: Tenant – AcmeCo, VRF – MyVRF)
Micro EPGs allow the fabric administrator to group endpoints based on their attributes.
Understanding Micro EPGs
(Diagram: Base EPG, classified based on port and encapsulation, i.e. VLAN or VXLAN)
Understanding Micro EPGs
• A MicroEPG (uEPG) is equivalent to a regular EPG for all purposes, but classification is based on endpoint attributes (and dynamic in nature)
• Endpoints assigned to the uEPG
(Diagram: EPG GREEN with BM-01 10.10.10.11 f4:5c:89:b2:bf:cb, BM-02 10.10.10.12 f4:5c:89:b2:ab:cd and VM-01 10.10.10.13)
The actual classification possibilities depend on the type of endpoint Domain.
For endpoints connected to Physical Domains (bare metal) you can classify based on IP or MAC addresses.
Example: PhysDom (Bare Metal) with IP Address uEPG
IP Micro EPGs considerations on PhysDoms
• Base EPG must be configured and deployed to program VLANs on leaf host ports
• Base EPG & IP uEPG must associate with the same BD and the BD MUST have an IP subnet configured.
• IP uEPG must be deployed on all the nodes where the BD is deployed by using node attachment
• Deployment Immediacy must be “Immediate”
• You can specify individual IP addresses and/or subnets (e.g. 10.10.10.1, 10.10.10.0/24)
Software Dependency: 1.2(x)
Hardware Dependency: E-Series or newer
Caveat: bridged traffic will NOT be enforced based on the IP-EPG classification
PhysDom (Bare Metal) with IP Address uEPG – Configuration
1. Define uEPG and map to the same PhysDom and BD as Base EPG
3. Define the IP address and/or list of IP addresses to match on
For endpoints connected to VMware and Microsoft VMM Domains you can use the IP, MAC or VM-attributes.
vSphere with VDS – Micro EPG Support with vSphere VDS
1. Start with Base EPG, enable MicroSeg (callouts: Must be Immediate! Must be True!). APIC will then configure the dvPortGroup as an isolated PVLAN.
(Diagram: EPG GREEN with VMs ubuntu-01, centos-01, centos-02, ubuntu-02 on dvPortGroup GREEN (v-3012/3019); Policy Enforcement at the leaf)
1.1 Base EPG is working as normal EPG. Proxy-ARP enabled.
2. Configure uEPG based on attributes
  2.1 Define uEPG and map to the same VMM Domain and BD as Base EPG (Must be Immediate!)
  2.2 Configure the required attributes
3. VM is classified according to attributes
Micro EPG Support with vSphere VDS – Summary
Micro EPG Considerations on vSphere VDS
• Under base EPG you must enable micro segmentation for vDS. This is only required if using uSeg with VDS.
• When EPG is mapped to VMM domain, it will change vDS and port-group configuration: PVLAN will be enabled.
• Port-group uses secondary VLAN (isolated), which is the same as with intra-EPG isolation.
• Proxy-ARP is automatically enabled on base EPG (this is only supported in EX-models)
• PVLAN configuration is only to force all traffic to flow through the Leaf.
ACI Doing Segmentation With Attributes
uEPGs with Attributes and Logical Operators - GUI Configuration (1/2)
uEPGs with Attributes and Logical Operators - GUI Configuration (2/2)
With Kubernetes Domains classification does not use micro EPG. We use regular EPGs selected using native semantics (Kubernetes annotations).
Using annotations to specify the EPG for a set of Kubernetes PODs
• Provide isolation beyond using Kubernetes Network Policies
• Opflex annotation can be applied at POD, Deployment or namespace level
• The more specific annotation takes priority over the less specific one; in order of precedence:
  1. Pod annotation
  2. Deployment annotation
  3. Namespace annotation
  4. Namespace group mapping from controller config file
  5. Global default group from controller config file
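The precedence list above, resolved for a few constructed pods, as an added example that is not Cisco's or the ACI CNI plugin's code. The annotation key and its JSON value layout follow the ACI CNI documentation (assumption); the controller-config key names, EPG names and all Kubernetes objects are constructed.

```python
"""Resolve the ACI EPG a Kubernetes pod is placed in, using the precedence
the deck lists: pod > deployment > namespace annotation > controller config
namespace mapping > controller config global default.

Added example, not Cisco code. The annotation key and its JSON value layout
follow the ACI CNI documentation (assumption); the controller-config key
names and every object below are constructed."""
import json
from typing import Optional, Tuple

# Annotation key read by the OpFlex agent (assumption, see above)
ANNOTATION = "opflex.cisco.com/endpoint-group"


def annotated_epg(obj: Optional[dict]) -> Optional[dict]:
    """Return the EPG encoded in obj's annotation, or None when absent.
    A present but malformed annotation is an error, not a silent fallback:
    quietly landing the pod in a default EPG would widen its policy scope."""
    if obj is None:
        return None
    raw = (obj.get("metadata", {}).get("annotations") or {}).get(ANNOTATION)
    if raw is None:
        return None
    epg = json.loads(raw)
    for key in ("tenant", "app-profile", "name"):
        if key not in epg:
            raise ValueError(f"{ANNOTATION} missing '{key}': {raw}")
    return epg


def resolve_epg(pod: dict, deployment: Optional[dict], namespace: dict,
                controller_cfg: dict) -> Tuple[dict, str]:
    """Walk the precedence list; the first source that names an EPG wins."""
    for source, obj in (("pod annotation", pod),
                        ("deployment annotation", deployment),
                        ("namespace annotation", namespace)):
        epg = annotated_epg(obj)
        if epg is not None:
            return epg, source
    ns_name = pod["metadata"]["namespace"]
    mapped = controller_cfg.get("namespace_default_group", {}).get(ns_name)
    if mapped is not None:
        return mapped, "controller namespace mapping"
    return controller_cfg["default_group"], "controller global default"


def _epg(name: str) -> str:
    return json.dumps({"tenant": "CL-Demo", "app-profile": "CL-Demo-App-1", "name": name})


def _obj(name: str, namespace: str, epg: Optional[str] = None) -> dict:
    """Minimal Kubernetes object (pod/deployment/namespace) with optional annotation."""
    meta = {"name": name, "namespace": namespace, "annotations": {}}
    if epg is not None:
        meta["annotations"][ANNOTATION] = _epg(epg)
    return {"metadata": meta}


# Constructed controller config: one namespace mapping plus the global default
CONTROLLER_CFG = {
    "default_group": {"tenant": "CL-Demo", "app-profile": "CL-Demo-App-1", "name": "CL-Base-EPG"},
    "namespace_default_group": {
        "batch": {"tenant": "CL-Demo", "app-profile": "CL-Demo-App-1", "name": "Batch-EPG"},
    },
}
NS_SHOP = _obj("shop", "shop", epg="Shop-EPG")   # namespace-level annotation
NS_BATCH = _obj("batch", "batch")                # no annotation, mapped in config
NS_MISC = _obj("misc", "misc")                   # neither: falls to global default
DEPLOY_PAY = _obj("payments", "shop", epg="Payments-EPG")


def demo() -> dict:
    """Map each constructed pod to (EPG name, winning source)."""
    cases = {
        # pod annotation beats both the deployment's and the namespace's
        "shop/payments-canary": (_obj("payments-canary", "shop", epg="Canary-EPG"), DEPLOY_PAY, NS_SHOP),
        # no pod annotation: the deployment's annotation wins over the namespace's
        "shop/payments-7f9": (_obj("payments-7f9", "shop"), DEPLOY_PAY, NS_SHOP),
        # bare pod (no deployment) in an annotated namespace
        "shop/debug": (_obj("debug", "shop"), None, NS_SHOP),
        # nothing annotated, namespace mapped in the controller config
        "batch/nightly-1": (_obj("nightly-1", "batch"), None, NS_BATCH),
        # nothing at all: global default EPG
        "misc/scratch": (_obj("scratch", "misc"), None, NS_MISC),
    }
    out = {}
    for key, (pod, deploy, ns) in cases.items():
        epg, source = resolve_epg(pod, deploy, ns, CONTROLLER_CFG)
        out[key] = (epg["name"], source)
    return out


if __name__ == "__main__":
    for pod, (epg, source) in demo().items():
        print(f"{pod:24s} -> {epg:14s} ({source})")
```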
ACI allows flexible POD to EPG mapping
• Default behavior: single EPG for entire cluster user PODs. No need for internal contracts.
• Each namespace mapped to an EPG. Contracts for inter-namespace traffic are required.
• Each deployment mapped to an EPG. Contracts control traffic between microservice tiers.
(Diagram label: K8s Network Policy)
By default communication between EPGs is not allowed in the absence of contracts
(Diagram: without contracts, by default there is no communication between groups)
By default communication between EPGs is not allowed in the absence of contracts
(Diagram: EPG BLUE (BM-01 10.10.10.11, VM-02 10.10.10.12) CONSUMES and EPG GREEN (VM-03 10.10.10.13, BM-04 10.10.10.14) PROVIDES Contract: Blue-to-Green, Scope: VRF, Subject: AppTraffic, Both Directions: True, Reverse Port Filters: Yes, filter entries permit tcp/80 and permit tcp/443; filter examples any,tcp/8080 and any,tcp/80)
Demo: Creating a filter and contract
What about applying policy within an EPG?
Denying all traffic between EPs in the same EPG is easy
You can restrict all traffic inside a group using Intra EPG isolation
• Supported on PhysDoms, VMware VMM domain using VDS (it also works with AVS, AVE) (*)
• Since ACI 3.0 Microsoft VMM domain also supports intra EPG isolation.
• Can be configured on EPG and uEPG (**)
• It’s supported with EX and FX, and later, leaf models.
• We use Proxy-ARP – required to reach other EPG in the same subnet
• We utilize PVLAN integration already present for VDS intra EPG isolation.
Contracts can also apply for Intra-EPG communications (since ACI 3.0)
• It is possible to assign contracts to restrict traffic internal to an EPG
• It can be enabled on both EPG and uEPG
• It is supported with PhysDoms and VMware VMM Domains
• IntraEPG contracts require using proxy-arp. This means it is only supported on EX/FX switches or newer.
Intra EPG Security Feature Overview
How does it work for 2 VMs on the same ESXi Host? VDS implementation:
1. We enable Intra-EPG Security and apply an Intra-EPG Contract (in the example: TCP 22 allow, Deny all)
2. APIC configures a PVLAN for the EPG/portgroup on vCenter with the TOR setup as the promiscuous port
(Diagram: APIC Controller configures vCenter; the leaf (TOR) performs Proxy ARP)
IntraEPG Contract Use Case – service vNIC used for mgmt in a clustered App
Example: a clustered web application. The jump host must be able to access all endpoints and you cannot use IntraEPG Isolation because the required protocols must be allowed between the VMs inside the dvPortGroup.
(Diagram: EPG JumpHost 10.90.90.15 reaches app1-web (uEPG) through a contract with Subject: Allow-any-ip (Any IP); Web-Tier PortGroup (BaseEPG, PVLAN 2300/2301) with VMs web-prod-aci-01 10.10.40.11 and web-prod-aci-02 10.10.40.11; intraEPG Contract: Zookeeper, Subject: Allow Zookeeper, TCP/2181, TCP/2888, TCP/3888; only Zookeeper ports allowed between VMs)
Contracts also allow inserting services, like Next Generation Firewalls, ADC, IPS/IDS, etc.
You can insert an NGFW, or a LB, by attaching a Service Graph to the contract subject.
Note: Service Graph between Micro EPGs requires 3.2 or higher
(Diagram: BM-01 10.10.10.11 and VM-02 10.10.10.12 CONSUME, VM-03 10.10.10.13 and BM-04 10.10.10.14 PROVIDE Contract: Blue-to-Green, Scope: VRF, Subject: AppTraffic, Both Directions: True, Reverse Port Filters: Yes, permit tcp/80, permit tcp/443)
vzAny allows you to configure contracts that apply for all EPG in a VRF
• vzAny represents the collection of EPGs that belong to the same VRF, including L3 external.
• Instead of associating contracts to each individual EPG you can configure a contract to the vzAny
• With cross-VRF contracts, vzAny can be a consumer, not provider
• Since ACI 3.2 it can also be used with Service Graphs
(Diagram: Tenant, VRF1 with BD1 (EPG1, EPG2) and BD2 (EPG3, EPG4), all represented by vzAny)
Taboo Contracts
• Taboos are a special type of contract that is applied to individual EPGs
• They deny a set of ports on the EPG to which the taboo contract is applied
• For instance you can say EPG Frontend does not allow tcp/445
• Taboo filters will override regular contract filters
(Diagram: EPG FRONTEND with BM-01 10.10.10.11 and VM-02 10.10.10.12: “I am not allowing any traffic to TCP/445 regardless of what other contracts say!”)
Blacklist (Deny) Contracts – Introduced with ACI 3.2
Blacklist Contracts implement Deny Filter Rules
• Since 3.2, the subject filter attachment has one additional attribute: action
  • Action = permit, the default, keeps the existing behavior
  • Action = deny causes rules for these filters to switch to deny (drop)
• Now subject filters have different priorities to determine precedence. Default values:
  • Level 1 – lowest priority, corresponding to any-to-any filter rules
  • Level 2 – medium, corresponds to src-to-any/any-to-dst filter rules
  • Level 3 – highest, corresponding to src-to-dst filter rules
  Or to put it more simply… the most specific rule has the highest priority
• Administrator is given a choice to override default priorities.
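The precedence rules above worked through in a toy evaluator, as an added example that is not code from the deck: EPG names, ports, the rule set and the tie-break between permit and deny at equal level are constructed assumptions.

```python
"""Toy evaluator for ACI 3.2 'blacklist' (deny) contract filter precedence.

Added example, not from the Cisco deck. It models the three default priority
levels named above (1 any-to-any, 2 src-to-any/any-to-dst, 3 src-to-dst), the
administrator's priority override, and the implicit deny when nothing matches.
EPG names, ports and rules below are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, Optional

ANY = "any"  # wildcard sclass/dclass, as with a vzAny relation


@dataclass(frozen=True)
class FilterRule:
    sclass: str                    # consumer EPG, or ANY
    dclass: str                    # provider EPG, or ANY
    prot: str                      # "tcp", "udp", "icmp", or ANY
    dport: Optional[int]           # destination port, None = any port
    action: str = "permit"         # "permit" (default) or "deny" (3.2 blacklist)
    priority_override: Optional[int] = None  # admin override of the level, 1..3

    def default_level(self) -> int:
        """Default precedence: the more specific the EPG pair, the higher the level."""
        if self.sclass == ANY and self.dclass == ANY:
            return 1
        if self.sclass == ANY or self.dclass == ANY:
            return 2
        return 3

    def level(self) -> int:
        if self.priority_override is not None:
            if not 1 <= self.priority_override <= 3:
                raise ValueError("priority override must be 1, 2 or 3")
            return self.priority_override
        return self.default_level()

    def matches(self, sclass: str, dclass: str, prot: str, dport: Optional[int]) -> bool:
        return (self.sclass in (ANY, sclass)
                and self.dclass in (ANY, dclass)
                and self.prot in (ANY, prot)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: Iterable[FilterRule], sclass: str, dclass: str,
             prot: str, dport: Optional[int]) -> str:
    """Return 'permit' or 'deny' for one flow.

    Only matching rules count; among them the highest level wins. If permit
    and deny tie at the same level this toy resolves to deny (assumption: the
    deck does not state the tie-break). No match at all is the implicit deny."""
    hits = [r for r in rules if r.matches(sclass, dclass, prot, dport)]
    if not hits:
        return "deny"
    top = max(r.level() for r in hits)
    return "deny" if any(r.action == "deny" for r in hits if r.level() == top) else "permit"


# Constructed policy: a blanket permit (level 1) plus targeted blacklist rules
RULES = [
    FilterRule(ANY, ANY, "tcp", None, "permit"),                     # level 1: any-to-any
    FilterRule("Frontend", "DB", "tcp", 445, "deny"),                # level 3: src-to-dst
    FilterRule(ANY, "DB", "tcp", 23, "deny"),                        # level 2: any-to-dst
    FilterRule(ANY, ANY, "tcp", 3389, "deny", priority_override=3),  # admin raised to level 3
]


def demo() -> dict:
    """Evaluate a few constructed flows against RULES."""
    flows = {
        "Frontend->DB tcp/80":    ("Frontend", "DB", "tcp", 80),
        "Frontend->DB tcp/445":   ("Frontend", "DB", "tcp", 445),
        "Frontend->App tcp/445":  ("Frontend", "App", "tcp", 445),
        "App->DB tcp/23":         ("App", "DB", "tcp", 23),
        "Frontend->App tcp/3389": ("Frontend", "App", "tcp", 3389),
        "Frontend->DB udp/53":    ("Frontend", "DB", "udp", 53),
    }
    return {name: evaluate(RULES, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:26s} {verdict}")
```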
Simplifying Contract Configurations with EPG Contract Inheritance
• Objective: simplify policy configuration
Example: EPG_A has three contract relations: Contract_DNS, Contract_SSL, Contract_Internet
EPG_B is configured to inherit from EPG_A
(Diagram: EPG_B receives the same Contract_DNS, Contract_SSL and Contract_Internet relations)
Contract Policy Enforcement can be enabled or disabled at VRF level
• Policy Enforced: no communication without contracts
• Policy Unenforced: all communication allowed
A binary configuration: policy is either ON or OFF for all EPG in the VRF
Enabling Enforcement at VRF Level
Contract Preferred Group Example
Inside the Preferred Group there is unrestricted communication
(Diagram: VRF – MyVRF with a Preferred Group; EPG-2 with Contract-2; the second build adds EPG-3)
Enabling Preferred Groups Is Easy
Contract Logging – Denied Packets
Logging Deny
• ACI can log implicit deny hits
• For Bare Metal, VMware VDS and MSFT Domains logs generated by Leaf
• For AVS logs may be generated on Leaf or vLeaf
• For OpenStack ML2 mode, logs configured external to the fabric at the host
• Syslog is exported according to monitoring policies and configured External Data Collectors
• Logs include Tenant/VRF, EPG VLAN encap, ingress interfaces and offending packet details
ACL deny is not logged by default: Fabric -> Fabric Policies -> Policies -> Monitoring -> Common Policy -> Syslog Message Policies -> Default -> Change ‘default’ to ‘info’
(Diagram: VM-02 10.10.50.101 CONSUMES contract MySQLAccess, Subject: DB-Traffic, Filter/Action: icmp allow, tcp/3106 allow; VM-03 10.10.10.200 PROVIDES; logged dropped packet SIP:10.10.50.101 DIP:10.10.10.200 Proto: 6 sPort:54135 dPort:125)
Contract Logging – Permitted Packets
Logging Permit
• Permit logging is configured per Filter (permit log is configured at the subject on a per filter basis)
• For Bare Metal, VDS and MSFT Domains logs generated by Leaf
• For AVS logs may be generated on Leaf or vLeaf
• For OpenStack ML2 mode, logs configured external to the fabric at the host
• Syslog is exported according to monitoring policies and configured External Data Collectors
• Logs include Tenant/VRF, EPG VLAN encap, ingress interfaces and offending packet details
• Software Dependency: 2.2(1n) or higher
• Hardware Dependency: requires EX models or newer
(Diagram: VM-02 10.10.50.101 CONSUMES contract MySQLAccess, Subject: DB-Traffic, Filter/Action: icmp allow log, tcp/3106 allow log; VM-03 10.10.10.200 PROVIDES; logged packet SIP:10.10.50.101 DIP:10.10.10.200 Proto: 1 sPort:0 dPort:0)
You can also see logs under the tenant
A quick word about contracts in ACI Multi-Site
ACI Multi-Site: Inter-Site Policies and ‘Shadow Objects’
Inter-Site policies defined on the Multi-Site manager are pushed to the respective APIC domains
(Diagram: sites S1 to S8 connected over an IP Network via DP-ETEP A and DP-ETEP B, managed by the ACI Multi-Site Orchestrator)
While for most use cases hardware resource exhaustion for policy enforcement is never going to be a worry… you can have 128K policy TCAM entries on a single FX* switch. We have added a few new features for the very heavy policy users.
*Amount of TCAM depends on the switch type
Bi-Directional Compression added in ACI Release 3.2
• Before the 3.2 release, if the same contract was consumed and provided between the same EPGs, that would result in 2 TCAM entries being programmed in HW: one for consumer to provider and the other for provider to consumer
• When rules are compressed they lose per-direction statistics. Given that, the user has a choice to configure compression (TCAM savings) at the cost of statistics.
Oversimplified Look: TCAM Entries Before 3.2
(Diagram: an Any-Any contract between EPG1 and EPG2 programs Entry 1 (EPG1 to EPG2, Any-Any) and Entry 2 (EPG2 to EPG1, Any-Any); this replicates a traditional switch)
Criteria for Bi-directional TCAM Compression
• Only the contracts which follow the below guidelines will become candidates for bi-directional compression:
  • Contract->subject->apply-both-direction
  • Contract->subject->reverse-filter-ports
  • Contract->subject->filter-group->no-stats
  • Fully qualified rules
  • Action: permit or permit+log
Policy Compression via Indirection In ACI 4.0
• All provider-consumer EPG pairs refer to the same set of rules in the policy CAM
• No statistics for these compressed rules
• This built-in HW support allows improving zone-rule scale.
1st Stage: Policy Group Label Lookup
  sclass  dclass  PG-Label
  EPG1    EPG2    10
  EPG1    EPG3    10
  EPG1    EPG4    10
2nd Stage: Policy Hash TCAM Lookup
  PG-Label  Protocol  sport  dport
  10        tcp       *      443
  10        tcp       *      80
(Diagram: Provider EPG1 with Consumers EPG2 and EPG3 sharing one Filter)
Contract Configuration Snapshot
Checking Filter/Contract Capacity on the Dashboard
Operations->Capacity Dashboard->Leaf Capacity
ACI Anywhere - Vision
Any Workload, Any Location, Any Cloud
(Diagram: ACI Anywhere: Remote Leaf / Virtual PoD, APIC / Multi-Site and Multi-Cloud Extensions connected over IP WANs)
Futures
ACI Hybrid-Cloud Deployment Model
ACI Multi-Site Hybrid Cloud:
• AWS in Q2-CY19
• Azure in Q3-CY19
AWS Integration is in EFT with several customers today
(Diagram: Multi-Site Appliance managing Site A, Site B and Site D; ACI – On Premise with VMs)
Policy Mapping – AWS
  AWS                                                      ACI
  Identity and Access Management (IAM)                     AAA Users, Security Domains
  Region                                                   Pod
  Internet Gateway, VPN Gateway, Direct Connect, CSR1000V  Border Leaf, Spine (Internal and External connectivity)
  Inter Region VPC Peering, Direct Connect Gateway         Inter POD Connectivity
For your info & reference
End Point Learning on AWS
• User deploys a new instance in AWS
• AWS config services notifies the event to cAPIC
• cAPIC learns the endpoint and registers it
• Based on the policies (EPG’s and Contracts) the correct security group (SG) is attached to the instance
(Diagram: Multi-Site Orchestrator (MSO) spanning On-Premises Site A and Site B and the Public Cloud; AWS Region 1 with an Infra VPC (CSRs, AWS config services) and AZ-1 / AZ-2, reached over IPSec Tunnels to the VGW across the IP Network; ACI EPGs Web, APP and DB with Contracts map to AWS Security Groups (SG) with SG Rules, and on Azure to ASGs with NSGs; legend: Network Adapter)
• Web-EPG has endpoints across Us-East-1 & Us-West-1 regions and multiple subnets (Subnet-S1 – 10.1.1.0/24, Subnet-S3 – 10.1.3.0/24)
• DB-EPG associated to tag: “EPG:DB”
Instances in a VPC and on-Premises
For traffic from Instances in a VPC to on-premises, traffic reaches the CSR in the Infra VPC and goes over the VXLAN tunnel to the ACI spines on-premises
(Diagram: Multi-Site Orchestrator (MSO) over On-Premises Site A / Site B and Public Cloud AWS Region 1 with CSRs; BGP EVPN Control Plane and VXLAN Tunnel (Data Plane); EPG-1 VM with SG-1; SG-1, SG-2, SG-3 in AWS)
Demo
Tenant: CL-Demo, App: CL-Demo-App-1, EPG: CL-Base-EPG, BD: Web-App-DB-BD (subnets 10.99.1.1/24, 10.99.2.1/24, 10.99.3.1/24)
(Diagram: six VMs in CL-Base-EPG: Web 1 10.99.1.10, Web 2 10.99.1.11, App 1 10.99.2.10, App 2 10.99.2.11, DB 3 10.99.3.10, DB 2 10.99.3.11; classified by VM Name (Web), by IP Address (App) and by TAG (DB))
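The demo's three classification criteria (VM name, IP address, tag), together with the logical operators and the PhysDom IP/MAC-only caveat from the uEPG slides, as an added example that is not the demo's own code: endpoint records, uEPG names, MAC addresses and the tag value are constructed, and "first matching uEPG wins" stands in for ACI's own precedence handling (assumption).

```python
"""Classify endpoints into Micro EPGs (uEPGs) from their attributes, mirroring
the demo's three criteria (VM name, IP address, tag) and the logical operators
of the 'uEPGs with Attributes and Logical Operators' slides.

Added example, not Cisco code. Endpoint records, uEPG names, the tag value and
the MAC addresses are constructed; the 'first matching uEPG wins' ordering
stands in for ACI's own precedence handling (assumption)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Endpoint:
    name: str                 # VM name (or host name for bare metal)
    ip: str
    mac: str
    domain: str = "vmm"       # "vmm" (VMware/Microsoft) or "phys" (bare metal)
    tags: Dict[str, str] = field(default_factory=dict)


def _str_op(actual: str, operator: str, value: str) -> bool:
    """String operators offered for VM attributes."""
    ops = {"equals": actual == value, "contains": value in actual,
           "startsWith": actual.startswith(value), "endsWith": actual.endswith(value)}
    return ops[operator]


@dataclass
class Attr:
    kind: str                 # "ip", "mac", "vm-name" or "tag"
    value: str                # address/prefix, MAC, name fragment, or "key:value"
    operator: str = "equals"  # used by vm-name only

    def matches(self, ep: Endpoint) -> bool:
        if self.kind == "ip":
            # a bare address is a /32; a prefix matches the whole subnet
            return ipaddress.ip_address(ep.ip) in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "mac":
            return ep.mac.lower() == self.value.lower()
        if ep.domain != "vmm":
            return False      # PhysDom endpoints only classify by IP or MAC
        if self.kind == "vm-name":
            return _str_op(ep.name, self.operator, self.value)
        if self.kind == "tag":
            key, _, val = self.value.partition(":")
            return ep.tags.get(key) == val
        raise ValueError(f"unknown attribute kind {self.kind!r}")


@dataclass
class MicroEPG:
    name: str
    attrs: List[Attr]
    match: str = "any"        # logical operator across attrs: "any" (OR) or "all" (AND)

    def matches(self, ep: Endpoint) -> bool:
        hits = [a.matches(ep) for a in self.attrs]
        return any(hits) if self.match == "any" else all(hits)


def classify(endpoints: List[Endpoint], uepgs: List[MicroEPG],
             base_epg: str = "CL-Base-EPG") -> Dict[str, str]:
    """Return endpoint name -> EPG; endpoints matching no uEPG stay in the base EPG."""
    return {ep.name: next((u.name for u in uepgs if u.matches(ep)), base_epg)
            for ep in endpoints}


# Constructed endpoints following the demo's addressing (10.99.1/2/3.x)
ENDPOINTS = [
    Endpoint("Web-1", "10.99.1.10", "00:50:56:aa:00:01"),
    Endpoint("Web-2", "10.99.1.11", "00:50:56:aa:00:02"),
    Endpoint("App-1", "10.99.2.10", "00:50:56:aa:00:03"),
    Endpoint("App-2", "10.99.2.11", "00:50:56:aa:00:04"),
    Endpoint("DB-3", "10.99.3.10", "00:50:56:aa:00:05", tags={"EPG": "DB"}),
    Endpoint("DB-2", "10.99.3.11", "00:50:56:aa:00:06", tags={"EPG": "DB"}),
    # bare-metal DB: tags cannot be read in a PhysDom, so it needs a MAC or IP rule
    Endpoint("bm-db-01", "10.99.3.20", "f4:5c:89:b2:00:10", domain="phys", tags={"EPG": "DB"}),
    Endpoint("scratch-vm", "10.99.1.99", "00:50:56:aa:00:99"),   # matches nothing
]

UEPGS = [
    MicroEPG("Web-uEPG", [Attr("vm-name", "Web", "startsWith")]),
    MicroEPG("App-uEPG", [Attr("ip", "10.99.2.0/24")]),
    # DB by tag, or by the bare-metal host's MAC: logical OR across attributes
    MicroEPG("DB-uEPG", [Attr("tag", "EPG:DB"), Attr("mac", "F4:5C:89:B2:00:10")], match="any"),
]


def demo() -> Dict[str, str]:
    return classify(ENDPOINTS, UEPGS)


if __name__ == "__main__":
    for ep, epg in demo().items():
        print(f"{ep:12s} -> {epg}")
```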
Summary
ACI enables micro segmentation that you can deploy in a gradual and flexible way. Use the right tool or feature for your use case...
You can use static configurations using the GUI or the NX-OS CLI …
… and you can use orchestration or configuration management tools...
Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Continue Your Education
Thank you