"Application Centric Design: How to get there with Cisco ACI.pdf" (88 pages) was shared by a member and can be read online; search 三個皮匠報告 for the full document and related reports.
Application Centric Design: How to get there with Cisco ACI
Robert Burns, Technical Solutions Architect, CISG COE, CCIE #37856
Session BRKDCN-2658, Cisco Live 2023. © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public. #CiscoLive

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Companion Sessions - Week at a Glance
(Slide grid: Monday to Thursday, with rows "ACI General" and "Security Related".)
- BRKDCN-1601 Introduction to ACI (8am-9am)
- BRKDCN-2984 ACI: The Foundation of an Internal Private Cloud (10:30am-12pm)
- BRKDCN-2949 ACI Multi-Pod Design and Deployment (1pm-2:30pm)
- BRKDCN-3930 Defense in Depth Security for Multi-Cloud Data Centers (3pm-4:30pm)
- BRKDCN-3900 A Network Engineer's Blueprint for ACI Forwarding (1pm-2:30pm)
- BRKDCN-3678 ACI Troubleshooting: Advanced L3out Features (8am-9am)
- DEVNET-3005 Application-Driven Networking with Consul-Terraform-Sync and Cisco ACI (10am-10:45am)
- BRKAPP-1624 New Innovations in Application Security (9:30am-10:30am)
- BRKSEC-1139 Application Security: The Final Frontier (10:30am-11:30am)
- BRKSEC-2008 Zero Trust: Theory to Implementation (10:30am-12pm)
- BRKDCN-2938 Secure Firewall in ACI (1pm-2:30pm)
- BRKSEC-2176 Keeping up with Zero Trust (8:30am-10am)
- BRKSEC-1773 How to Build Secure Multi-Cloud with Secure Workload (2:30pm-3:30pm)
- BRKDCN-3982 ACI L4-L7 PBR Deep Dive and Tips (3pm-4:30pm)
- BRKDCN-2626 ACI Troubleshooting with Nexus Insights (2:30pm-3:30pm)
- BRKDCN-2127 Making Secure Firewall Threat Defense with Attribute Based Policy (9:30am-10:30am)

whoami

Source: ITRC 2022 Data Breach Report
In 2022, there were an average of 7 breach notices issued each business day.

Session Objectives
- Understand the need for increased security in the data center
- Differentiate between Network Centric and Application Centric design
- Review some of the security tools available with Cisco ACI
- Share some tips to advance the journey towards App Centric design
Hidden slides included in the downloaded presentation are denoted with a marker icon.

Acronym Decoder
- EP: Endpoint
- EPG: Endpoint Group
- ESG: Endpoint Security Group
- ExG: general reference for both EPG and ESG
- uSeg: Micro-Segment
- uEPG: Micro-Segment Endpoint Group
- BD: Bridge Domain
- VMM: Virtual Machine Manager (i.e. vCenter, SCVMM)

Agenda
- What and Why: App Centric Design & Zero Trust
- Challenges/Obstacles
- Available ACI Security Features
- Application Segmentation & Putting it all Together
- Recommendations & Case Study

App Centric Design
- Zero Trust is a journey
- Different environments have different requirements
- Few customers go all-in from Day 1
- Any level of improved security is beneficial
- Never too late to start! It's about continuous improvement
(Journey diagram stages: Visibility; Automation & Beyond; Intelligent Fabric Security.)

Importance of Application Segmentation
- Perimeter security is not enough
- If breached, lateral movement can allow attackers to compromise additional assets
- Segmentation improves security inside the DC
- Micro-segmentation can minimize the size of the segments and provide less exposure to lateral attacks

ACI's Path to Improved Security

Application Security Enforcement Points
Host-based: centrally manage host-based firewalls
- Pros: distributed, network independent, very granular policies possible, process-level visibility and correlation
- Cons: guest-OS dependent, agent-based
Network-based: centrally manage access rules at the network edge (virtual switch, physical switch or both)
- Pros: distributed, guest independent, agent-less, group-based policies for best scale, endpoint-level visibility and correlation
- Cons: requires network hardware resources (memory, TCAM, etc.) for policy

Review: Logical Policy in ACI
(Diagram.) Tenant 1 contains VRF1, the routing domain (IP forwarding), which reaches the WAN through an L3OUT (core router connectivity). VRF1 contains BD1 (Subnet 1) and BD2 (Subnet 2), the switching domain (MAC forwarding). EPG1 to EPG4 form the security domain, each holding its endpoints: EP1-1 and EP1-2 in EPG1, EP2-1 and EP2-2 in EPG2, EP3-1 and EP3-2 in EPG3, EP4-1 and EP4-2 in EPG4.

Do your ACI Policies look like this? (Subnet Aligned)
- CL2023_tn > Prod_vrf > Prod_ap
- One BD and EPG per subnet: 1.1.10.0_bd/1.1.10.0_epg, 1.1.11.0_bd/1.1.11.0_epg, 1.1.12.0_bd/1.1.12.0_epg, 1.1.13.0_bd/1.1.13.0_epg, 1.1.14.0_bd/1.1.14.0_epg, 1.1.15.0_bd/1.1.15.0_epg
- extEPG with an any:any contract

Or this? (VLAN Aligned)
- CL2023_tn > Prod_vrf > Prod_ap
- One BD and EPG per VLAN: vlan10_bd/vlan10_epg, vlan11_bd/vlan11_epg, vlan12_bd/vlan12_epg, vlan13_bd/vlan13_epg, vlan14_bd/vlan14_epg, vlan15_bd/vlan15_epg
- extEPG with an any:any contract

Or perhaps like this? (VLAN Aligned, with vzAny)
- The same vlan10 to vlan15 BD/EPG pairs under CL2023_tn > Prod_vrf > Prod_ap
- extEPG with an any:any contract, now applied through vzAny

Different Approaches to EPG Design in ACI
EPG/BD = VLAN/Subnet
- EPG and BD for each VLAN/Subnet
- Most commonly deployed
- Ease of legacy migration, limited segmentation
- VLANs/Subnets define security groupings
EPG = App Tier
- EPG per application tier, sharing a common BD
- Ideal for well-understood apps and/or flat network deployments
- Works well with automation tools
- Most flexible & granular security
- Increases operational complexity
Hybrid
- Combination approach
- Supports both legacy & new apps on the same fabric
- Introduces a path to an improved security model
- Limited increase in operational complexity

ACI Security Features Toolbox

What's in our ACI toolbox
- Endpoint Groups and Endpoint Security Groups (ExGs)
- Contracts, Filters, Contract Inheritance
- vzAny
- Preferred Groups
- Intra-EPG Isolation, Intra-EPG Contracts
- L4-7 Service Graphs

Endpoint Group (EPG)
- Collection of endpoints, such as VMs, hosts, servers, physical devices
- Internally represented by a pcTag
- Uses contracts to communicate with other EPGs
- Can represent: Subnet/VLAN, VMware port-group, Application Tier, Security zone
(Diagram: EPG1 and EPG2 joined by Contracts, i.e. access lists.)

Endpoint Group Classification
Static attachment (EPG):
- Physical Domain (Port/VLAN instance)
- VMM Domain (i.e. Port-Group/VM Network)
Dynamic attachment (uEPG):
- Physical Domain (IP/MAC)
- VMM Domain (IP/MAC/VM attribute)

Contracts Review
- Traditional access lists are built between subnets, hosts, VLANs, MACs, and applied to interfaces in a particular direction.
- ACI applies security to Endpoint Groups (EPGs) or Endpoint Security Groups (ESGs).
- Contracts use a Provider/Consumer model.
- ACI is a whitelist model by default. That is, only communication which is explicitly defined will be allowed.
- Any endpoint (EP) in an ExG can communicate by default with any other endpoint inside the same ExG.
- When an EP needs to communicate with something outside of its ExG, a contract is required.

Contract Structure
- Contract
  - Subject 1 (L4-7 Service Insertion/QoS)
    - Filter 1
      - Filter Entry 1, Filter Entry 2: the lowest level ACL (port & protocol)

Contract Scope
- Global: Provider/Consumer relationships apply across all tenants (required for cross-tenant communication)
- Tenant: Provider/Consumer relationships restricted within the tenant
- VRF: Provider/Consumer relationships restricted to specific VRFs of tenants
- Application Profile: Provider/Consumer relationships restricted to a specific AP within tenants

Any ExG in VRF = vzAny
- vzAny represents the collection of EPGs/ESGs that belong to the same VRF, including L3 external.
- Instead of associating contracts to each individual ExG you can configure a contract on the vzAny.
- With cross-VRF contracts, vzAny can be a consumer, not a provider.
- Can also be used with Service Graphs.
(Diagram: Tenant > VRF1 with BD1 and BD2, EPG1 to EPG4 and ESG1, all represented by vzAny.)

vzAny Example: Simplicity and TCAM Savings
- EPG1 to EPG5 each contracting with EPG SharedServices: five TCAM entries*
- vzAny contracting with EPG SharedServices: one TCAM entry*
*assuming a single filter

Preferred Groups
- Allows multiple different ExGs to freely communicate without the need for contracts
- ExGs in the PG can talk to other ExGs in the PG without requiring a contract
- ExGs out of the PG require contracts to talk to other ExGs (either in or out of the PG)
(Diagram: a VRF with ESG1 and EPG2 to EPG6 split between Preferred-Include and Preferred-Exclude.)

Preferred Group - Config
1. Enable Preferred Group under the VRF
2a/2b. Include any EPG/ESG as a Preferred Group member

Intra-Group Isolation (ESG/EPG)

Intra-ExG Isolation & Intra-ExG Contract
- Intra isolation: communication between EPs within an EPG/ESG is not permitted (diagram: backup-client EPG with three VMs)
- Intra contract: only flows allowed in the contract are allowed between EPs in the EPG/ESG (diagram: DB-cluster EPG with three VMs, "Cluster Sync Only")

Intra-EPG Isolation
- Go to the EPG/ESG and select "Intra ExG Isolation" as enforced

Intra-EPG Contracts
- Right-click the EPG and add an "Intra-EPG Contract"

Intra-ExG Isolation & Intra-ExG Contracts: Considerations
- Requires Gen2+ HW & proxy-ARP
- Supported on: Physical Domains (baremetal endpoints), VMware VMM vDS, Microsoft Hyper-V VMM
- For VMM, PVLANs are leveraged
- Same applies for baremetal with an intermediate switch (the External Switch App can automate this if using UCSM)

uSeg EPG (Micro EPG / Microsegment EPG)

Understanding Micro EPGs
- Base EPG vlan100_epg, a regular EPG classified by port and encapsulation (P,V), contains VM-MyApp1 10.10.100.13 (OS: WIN2016), BM-02 10.10.100.12 f4:5c:89:b2:ab:cd and BM-01 10.10.100.11 f4:5c:89:b2:bf:cb
- A Micro EPG (uEPG) is equivalent to a regular EPG for all purposes, but classification is based on endpoint attributes (and dynamic in nature)
- Endpoints are assigned to the uEPG regardless of the encapsulation/port
- The endpoint must first be known to a regular EPG, called the "base EPG"
- Example 1: define uEPG MyDB based on a network attribute
- Example 2: define uEPG Quarantine based on a VM attribute (the OS: WIN2016 attribute of VM-MyApp1)

Attributes for Micro-Segmentation
- Network-based attributes are applicable to both baremetal and VM workloads: IP, MAC
- VM-based attributes are applicable to VM workloads only, and require VMM integration: VMM Domain, Operating System, Hypervisor Identifier, Datacenter, VM Identifier, VM Name, VM Folder/Folder Path, vNIC DN, Custom Attribute, Tag

Logical Operators
- Logical operators OR/AND enable multiple rules to match various attributes.
- Rules can be combined into blocks. Blocks are sequentially matched using logical operators.
- Match ALL: RULE 1 AND RULE 2 AND RULE 3 within a block. Match ANY: blocks joined with OR.

Logical Operators - Example
- Block 1 (Match ANY): IP equals 1.1.1.0/24; IP equals 2.2.2.0/24. Any endpoints within either subnet will be matched.
- OR
- Block 2 (Match ALL): VM Name starts with Prod; VMM Domain = ACI-VDS. Matches VMs within the VMM domain called ACI-VDS whose name is prefixed with Prod.

Attribute Precedence
Attribute precedence: IP Sets 1, MAC Sets 2, VNIC (DN) 3, VM (ID) 4, VM Name 5, Hypervisor 6, Domain (DVS) 7, Datacenter 8, Custom Attribute 9, Guest OS 10, Tag 11
Operator precedence: Equals 1, Contains 2, Starts With 3, Ends With 4
These precedence rules can be overwritten using the EPG Match Precedence attribute in the uEPG (higher order wins).

Endpoint Security Group

What is an ESG (Endpoint Security Group)?
- Introduced with ACI version 5.0
- An ESG is a security group across BDs (an EPG is across VLANs, within one BD)
- Uses "EP Selectors" to classify endpoints into each ESG
(Diagram: VRF A with BD 1 192.168.1.254/24 > EPG 1 (VLAN 2011) > WebServer1 192.168.1.11; BD 2 192.168.2.254/24 > EPG 2 (VLAN 2022) > WebServer2 192.168.2.11; BD 3 192.168.3.254/24 > EPG 3 (VLAN 2031) > AppServer1 192.168.3.11; BD 4 192.168.4.254/24 > EPG 4 (VLAN 2041) > AppServer2 192.168.4.11. Policies needed: 6.)

EPG vs. ESG
- An ESG is a security group construct that can span BDs
(Diagram: VRF A with BD 1 192.168.101.254/24 > EPG 1 (VLAN 111) > 192.168.101.11; BD 2 192.168.102.254/24 > EPG 2 (VLAN 102) > 192.168.102.11; BD 3 192.168.103.254/24 > EPG 3 (VLAN 103) > 192.168.103.11; BD 4 192.168.104.254/24 > EPG 4 (VLAN 104) > 192.168.104.11; ESG web and ESG app span the BDs. Policies needed: 1.)

ESG Matching
Endpoints can be classified into ESGs using a variety of attributes:
- IPv4/v6 address or subnets
- EPG selector
- Policy tags (MACs, VM tags, VM names, static endpoint)

Example Design using ESGs
- Network Centric: Bridge Domain 10.0.0.254/24 with EPG (VLAN 10) holding 10.0.0.1, 10.0.0.2 and 10.0.0.3. A security group in one subnet.
- Application Centric: Bridge Domain 10.0.0.254/24 with EPG (VLAN 11), EPG (VLAN 12) and EPG (VLAN 13). Multiple security groups in one subnet. Sharing a broadcast domain brings another security concern.
- Hybrid: Bridge Domain 10.0.0.254/24 and 20.0.0.254/24 with EPG (VLAN 11) and EPG (VLAN 12). Security groups across subnets. What if multiple subnets need to share the same security rules? A more granular security group is needed.
- ESG: BD 10.0.0.254/24 with EPG (11) and EPG (12), BD 20.0.0.254/24 with EPG (VLAN 20); ESGs form security groups across bridge domains. Flexible security grouping.

ESG Considerations
- Security can span BDs (within a VRF)
- Simpler than EPGs (i.e. per BD)
- Great for Network Centric deployments
- EPG is still used to bind VLANs and interfaces
- No changes in VRF/BD/EPG from the network perspective
- ESG contracts and BD subnets are deployed on all nodes where the VRF is deployed
- No automatic route leaking based on contracts: no more subnets under a provider EPG; manual but simple route leaking config

ESG Considerations cont'd
- Only IP selector in 6.0 (/32, /128 or LPM such as /24)
- ESG can be applied only for routed traffic
- To prevent L2 traffic from bypassing ESG security, Allow Micro-Segmentation, Intra EPG Isolation with Proxy-ARP, or Intra EPG Contract needs to be enabled on each EPG the endpoints originally belonged to
- No ESG-EPG contract/communication; this includes uSeg EPGs as well
- vzAny or Preferred Group can be used for ESG-EPG communication
- ESG-L3Out_EPG contracts are supported

ESG Contract Support Summary
Supported:
- Contracts between ESG-ESG, ESG-L3Out EPG, ESG-inband-EPG, ESG-vzAny, ESG-service-EPG (internally created shadow EPG)
- Preferred Group
- Intra ESG Contract
- Contract Inheritance
Not supported:
- Contracts between ESG-EPG, ESG-uSeg EPG, ESG-Cloud EPG (ESGs not yet supported in NDO)
- Taboo Contracts
Note: any contract features that are supported in uSeg EPG are supported in ESG unless explicitly mentioned as not supported above.

Application Segmentation & Putting it all together

Segmentation vs. Micro-Segmentation
- Segmentation: Segment 1 to Segment 4; a segment = broadcast domain/VLAN/subnet
- Micro-segmentation: Micro Segment 1 to Micro Segment 4 inside Segment 1 and Segment 2; a micro segment = endpoint or group of endpoints

Zone Micro Segmentation (Segmentation Level: Low)
- Subnet 172.16.10.0/24 with VM1 172.16.10.11, VM2 172.16.10.12, VM3 172.16.10.13, VM4 172.16.10.14, VM5 172.16.10.15 and VM6 172.16.10.16, grouped into Prod, QA and Dev zones

Application Segmentation (Segmentation Level: Medium)
- The same six VMs in 172.16.10.0/24, grouped into App1, App2 and App3

Application Tier Segmentation (Segmentation Level: High)
- The same six VMs in 172.16.10.0/24, grouped into Web, App and DB tiers
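As an added example (my own code, not from the deck or from Cisco; endpoint names, ports and the two designs are constructed), the Python below models the allow/deny logic the toolbox slides describe (same-ExG default permit, intra-ExG isolation and contracts, preferred groups, vzAny, consumer/provider contracts with port filters) and then compares the "any:any on vzAny" design from the earlier slides with the tier segmentation just shown by listing which endpoints a given host can still reach.

```python
"""Decision model for ACI's whitelist contract policy. Added example with constructed
data; not code from the deck or from Cisco, and a simplification of the real fabric."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Filter:            # one filter entry: protocol and destination port (None = any port)
    proto: str
    dport: int | None = None

@dataclass
class Contract:          # subjects and filters flattened into one filter list
    name: str
    providers: set[str]  # ExG names; "vzAny" stands for every ExG in the VRF
    consumers: set[str]
    filters: list[Filter]

@dataclass
class Vrf:
    ep_to_exg: dict[str, str]                  # endpoint -> EPG/ESG it was classified into
    contracts: list[Contract]
    preferred_group: set[str] = field(default_factory=set)  # Preferred-Include members
    isolated: set[str] = field(default_factory=set)         # intra-ExG isolation enforced
    intra_contracts: dict[str, Contract] = field(default_factory=dict)

def filter_permits(c: Contract, proto: str, dport: int) -> bool:
    return any(f.proto in (proto, "any") and f.dport in (None, dport) for f in c.filters)

def decide(vrf: Vrf, src: str, dst: str, proto: str, dport: int) -> tuple[bool, str]:
    """(allowed, reason) for a flow that src initiates toward dst. Only the initiating
    direction is modelled; ACI's default reverse-port filter covers the return traffic."""
    s, d = vrf.ep_to_exg[src], vrf.ep_to_exg[dst]
    if s == d:
        if s in vrf.intra_contracts:   # an intra-ExG contract narrows the same-ExG default
            ok = filter_permits(vrf.intra_contracts[s], proto, dport)
            return ok, f"intra-ExG contract {vrf.intra_contracts[s].name}: {'match' if ok else 'no match'}"
        if s in vrf.isolated:
            return False, f"intra-ExG isolation enforced on {s}"
        return True, f"same ExG {s}: permitted by default"
    if s in vrf.preferred_group and d in vrf.preferred_group:
        return True, "both ExGs are preferred group members"
    for c in vrf.contracts:            # the consumer side initiates toward the provider side
        if {s, "vzAny"} & c.consumers and {d, "vzAny"} & c.providers and filter_permits(c, proto, dport):
            return True, f"contract {c.name}"
    return False, "no contract: denied by the whitelist model"

def lateral_exposure(vrf: Vrf, src: str, proto: str = "tcp", dport: int = 3306) -> list[str]:
    """Endpoints src can reach on proto/dport, i.e. the blast radius if src is compromised."""
    return sorted(ep for ep in vrf.ep_to_exg if ep != src and decide(vrf, src, ep, proto, dport)[0])

# Constructed endpoints from Acme's e-Com app, placed into tier ExGs.
EPS = {"apache1": "web", "lb1": "web", "cart": "app", "mysql": "db", "mongodb1": "db"}

# Design 1 ("Or perhaps like this?"): a single any:any contract provided and consumed by vzAny.
FLAT = Vrf(ep_to_exg=EPS, contracts=[Contract("any_any", {"vzAny"}, {"vzAny"}, [Filter("any")])])

# Design 2 (Application Tier Segmentation): web -> app on 8080 and app -> db on 3306/27017 only;
# web members isolated from each other, db members limited to a constructed cluster-sync port.
TIERED = Vrf(
    ep_to_exg=EPS,
    contracts=[Contract("web_to_app", providers={"app"}, consumers={"web"}, filters=[Filter("tcp", 8080)]),
               Contract("app_to_db", providers={"db"}, consumers={"app"},
                        filters=[Filter("tcp", 3306), Filter("tcp", 27017)])],
    isolated={"web"},
    intra_contracts={"db": Contract("cluster_sync", {"db"}, {"db"}, [Filter("tcp", 7000)])},
)

if __name__ == "__main__":
    for name, vrf in (("flat", FLAT), ("tiered", TIERED)):
        print(name, "apache1 -> mysql:3306:", decide(vrf, "apache1", "mysql", "tcp", 3306))
        print(name, "reachable from apache1 on tcp/3306:", lateral_exposure(vrf, "apache1"))
```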
68、reserved.Cisco Public#CiscoLiveBalancing App Segmentation vs.ComplexityGranularity/SecurityvzAnyPreferred GroupsRegular ContractsuSegEPGsIntra-EPG ContractsEndpoint Security GroupsComplexityGoldilocks ZoneBRKDCN-265861Sample Case StudyGreenfield 2023 Cisco and/or its affiliates.All rights reserved.C
69、isco Public#CiscoLiveGreenfield Case Study Acme Inc.Acme Inc the industry leading seller of AnvilsThey are planning on deploying a net-new Application for their e-commerce site and wish to do so using an Application Centric approach.The application tiers are well understood as are the communication
70、requirements between the tiers.The CIO has requested a maximum focus on Segmentation&SecurityNew IPs/Subnets will be allocated for the new application endpoints which will be a mix of baremetal&virtual endpoints.BRKDCN-265864 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiv
71、eAcme Inc.e-Com Application EPG Deploymente-com_frontendapache1load_balancermysqlnfs_serverapache2net_servicescartmongobdauth-servicewebEPGL3EPGServiceGraphBRKDCN-265865 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveAcme Inc.e-Com Application EPG DeploymentBRKDCN-265866B
72、rownfield 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBrownfield Case Study Acme Inc.Acme Inc the industry leading seller of AnvilsThey have deployed ACI in a network Centric manner and wish to apply better security starting with their e-Com applicationThe application
73、tiers are well understood,but the specific communication rules between the tiers are not.ACMEs Ops team have limited cycles and wish to limit any increased complexity any design changes may involve.They must not impact any existing applicationsBRKDCN-265868 2023 Cisco and/or its affiliates.All right
74、s reserved.Cisco Public#CiscoLiveAcme Inc.e-Com Application Summarye-com_frontendapache1load_balancermysqlnfs_serverapache2net_servicescartmongobdauth-servicewebBRKDCN-265869 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveAcme Inc.e-Com Application Summarye-com_frontendap
75、ache1load_balancersmysqlnfs1apache2net_servicescartauth-servicewebvlan10vlan101vlan102vlan103vlan201mongobdBRKDCN-265870 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveACME_tnAcme Inc.e-Com App on ACIProd_vrfProd_apvlan10_bdvlan10_epgvlan101_bdvlan101_epgvlan102_bdvlan102
76、_epgvlan103_bdvlan103_epgvlan201_bdvlan201_epg?auth-serv2mongodb1lb2apache2nfs1auth-serv1e-com_frontlb1net_svcmysqlapache1?BRKDCN-265871 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveACME_tnAcme Inc.e-Com App on ACIProd_vrfProd_apvlan10_bdvlan10_epgvlan101_bdvlan101_epgv
77、lan102_bdvlan102_epgvlan103_bdvlan103_epgvlan201_bdvlan201_epg?auth-serv2mongodb1lb2apache2nfs1auth-serv1e-com_frontlb1mysqlapache1?net_svcBRKDCN-265872 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveAcme Inc.e-Com App on ACIACME_tnProd_vrfProd_apvlan10_bdvlan10_epgvlan10
78、1_bdvlan101_epgvlan102_bdvlan102_epgvlan103_bdvlan103_epgvlan201_bdvlan201_epgE-Com_apauth-serv2mongodb1lb2apache2nfs1auth-serv1e-com_frontlb1net_svcmysqlapache1Application Security Group:E-ComBRKDCN-265873 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveBrownfield Migrati
79、on of Net-Centric Apps to ESGs1.Create new application-specific App Profile 2.Create ESG named as App,bind to appropriate VRF3.Apply Contract between ESG and L3out(for external connectivity)4.Create Selectors for ESGFor VMs,you can use VM Tags,VM Names,VM Folders etcFor baremetal&VMs you can use MAC
80、 or IP(LPM)selectors 5.Enable“Allow for uSeg”on Base EPG VMM Domain bindingBRKDCN-265874 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLivevCenter ViewTag&Category AssignmentBRKDCN-265875 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveACI View 1 o
81、f 5VMM Domain Tag CollectionBRKDCN-265876 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveACI View 2 of 5Base EPGs VMM Domain BindingBRKDCN-265877 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveACI View 3 of 5ESG Tag SelectorBRKDCN-265878 2023 C
82、isco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveACI View 4 of 5Base EPG Learned EndpointsBRKDCN-265879 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveACI View 5 of 5ESG Matched EndpointsBRKDCN-265880 2023 Cisco and/or its affiliates.All rights reserve
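As an added example for the Logical Operators and Attribute Precedence slides and for the selectors in step 4 of the migration above (my own code, not from the deck or from Cisco), this Python evaluates rule blocks with Match ALL/Match ANY against endpoint attributes and resolves overlapping matches by precedence; the precedence resolution, the allow-uSeg eligibility check, and all IPs, tags and names are simplified or constructed assumptions.

```python
"""Attribute-based endpoint classification as the deck describes it for uSeg EPGs and for
ESG selectors. Added example with constructed data; not code from the deck or from Cisco."""
from dataclasses import dataclass
import ipaddress

# Precedence tables from the Attribute Precedence slide: the lower number wins.
ATTR_RANK = {"ip": 1, "mac": 2, "vnic": 3, "vm_id": 4, "vm_name": 5, "hypervisor": 6,
             "domain": 7, "datacenter": 8, "custom_attr": 9, "guest_os": 10, "tag": 11}
OP_RANK = {"equals": 1, "contains": 2, "starts_with": 3, "ends_with": 4}

@dataclass(frozen=True)
class Rule:
    attr: str   # key of ATTR_RANK
    op: str     # key of OP_RANK
    value: str
    def matches(self, ep: dict) -> bool:
        actual = ep.get(self.attr)
        if actual is None:
            return False
        if self.attr == "ip":   # IP rules are subnet (LPM) matches; a /32 selects one host
            return ipaddress.ip_address(actual) in ipaddress.ip_network(self.value, strict=False)
        if self.attr == "tag":  # VMM tags are carried as a set of "category=value" strings
            return self.value in actual
        return {"equals": actual == self.value, "contains": self.value in actual,
                "starts_with": actual.startswith(self.value),
                "ends_with": actual.endswith(self.value)}[self.op]

def _combine(match: str, results: list) -> bool:
    return all(results) if match == "all" else any(results)  # Match ALL = AND, Match ANY = OR

@dataclass
class Block:
    rules: list
    match: str = "all"
    def matches(self, ep: dict) -> bool:
        return _combine(self.match, [r.matches(ep) for r in self.rules])

@dataclass
class Group:  # a uEPG with its attribute blocks, or an ESG with its selectors (one rule per block)
    name: str
    blocks: list
    match: str = "any"          # blocks are chained with this operator
    match_precedence: int = 0   # uEPG "EPG Match Precedence": when set, the higher value wins
    def matches(self, ep: dict) -> bool:
        return _combine(self.match, [b.matches(ep) for b in self.blocks])
    def best_rank(self, ep: dict) -> tuple:
        return min((ATTR_RANK[r.attr], OP_RANK[r.op])
                   for b in self.blocks for r in b.rules if r.matches(ep))

def classify(ep: dict, groups: list):
    """Name of the group the endpoint lands in, or None if it stays in its base EPG. VMM-learned
    endpoints are eligible only when the base EPG's domain binding allows micro-segmentation
    (brownfield step 5); among several matching groups an explicit match precedence wins,
    otherwise the best attribute/operator rank does (a simplified model of the deck's table)."""
    if ep.get("vmm") and not ep.get("allow_useg", False):
        return None
    cands = [g for g in groups if g.matches(ep)]
    if not cands:
        return None
    if any(g.match_precedence for g in cands):
        return max(cands, key=lambda g: g.match_precedence).name
    return min(cands, key=lambda g: g.best_rank(ep)).name

# Groups from the deck's slides; the E-Com selectors and all endpoint data below are constructed.
PROD = Group("uEPG_Prod", [  # Logical Operators example: (subnet A OR subnet B) OR (name AND domain)
    Block([Rule("ip", "equals", "1.1.1.0/24"), Rule("ip", "equals", "2.2.2.0/24")], "any"),
    Block([Rule("vm_name", "starts_with", "Prod"), Rule("domain", "equals", "ACI-VDS")], "all")])
QUARANTINE = Group("uEPG_Quarantine", [Block([Rule("guest_os", "equals", "WIN2016")])])
ECOM = Group("ESG_E-Com", [Block([Rule("tag", "equals", "app=e-com")]),      # VM tag selector
                           Block([Rule("ip", "equals", "10.1.201.0/24")])])   # IP (LPM) selector
ENDPOINTS = {
    "ProdDB1": {"ip": "1.1.1.5", "vm_name": "ProdDB1", "domain": "ACI-VDS", "guest_os": "WIN2016"},
    "apache1": {"ip": "10.1.10.11", "tag": {"app=e-com"}, "vmm": True, "allow_useg": True},
    "net_svc": {"ip": "10.1.10.20", "tag": {"app=e-com"}, "vmm": True, "allow_useg": False},
    "nfs1": {"ip": "10.1.201.5", "mac": "f4:5c:89:b2:ab:cd"},
}

if __name__ == "__main__":
    for name, ep in ENDPOINTS.items():
        print(f"{name:8} -> {classify(ep, [PROD, QUARANTINE, ECOM])}")
```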
Result
- Application-level health visibility
- Application segmentation = increased security
- No changes to legacy EPG mappings/VM port groups
- Optimized policy TCAM
- Potential reduction of load on external FWs
- Ability to further segment the application into tiers

Key Takeaways
- Better segmentation of applications will reduce exposure to lateral attacks
- ACI offers varying degrees and options for securing applications
- Any level of improved security is invaluable
- Application Centric Design is a journey, get started today!

In 2022, there were an average of 7 breach notices issued each business day.
Let's ensure your business never has to issue one.

Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! These points help you get on the leaderboard and increase your chances of winning daily and grand prizes. Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL
#CiscoLive