ACI Micro Segmentation Deployment Lab
Furong Gisiger, Solutions Architect, Cisco
Christine Lakits, Network Consulting Engineer, Cisco
LTRACI-2800
Agenda
• Introduction
• ACI Micro Segmentation Key Features
• ACI Micro Segmentation Use Cases
• ACI Micro Segmentation Implementation
• Lab Setup and Overview
• Conclusion
• Q & A
Introduction
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why Micro Segmentation?
[Figure: four segments, Segment 1 to Segment 4. Traffic within a segment is allowed (✔); traffic between segments is blocked (✖).]
Segment = Broadcast domain / VLAN / Subnet
Why Micro Segmentation?
[Figure: Segmentation vs. Micro Segmentation. Left: Segment 1 to Segment 4 as before. Right: Segment 1 and Segment 2 are each divided into Micro Segment 1 to Micro Segment 4; traffic between micro segments is blocked (✖) unless explicitly allowed (✔).]
Segment = Broadcast domain / VLAN / Subnet
Micro Segment = Endpoint or Group of Endpoints
Why Micro Segmentation?
• Perimeter security is not enough: once breached, lateral movement can allow attackers to compromise more assets
• Improve the security posture inside the Data Center
• Minimize segment size and provide smallest exposure to lateral movement
The ACI Micro Segmentation Toolbox
ACI Policy Model
• EPGs & Contracts
• Intra EPG isolation
• Micro-segmented EPGs with attributes
• Integration with L4/L7 Services ecosystem (NOT covered in this LAB)
EPG Segmentation
Endpoint Group (EPG) is a group of devices/endpoints that shares common policy requirements.
Endpoint Groups (EPG, fvAEPg)
• Classify based on endpoint encapsulation (VLAN/VXLAN) and ports
• An EPG can be considered like a Security Zone or Security Group
• A single EPG can have a mix of Physical and Virtual Workloads
Example #1: all endpoints in a segment (10.10.10.10, 10.10.10.11, 10.10.10.12)
Example #2: all VMs in a PortGroup (PortGroup Orange)
Example #3: all endpoints in the same application Tier (HR-web, Fin-web, Sales-web)
By default …
• endpoints inside a regular EPG can communicate freely.
• endpoints in different EPGs can’t communicate at all.
ACI White List Model(*): No Contract, No Communication
[Figure: Bridge Domain 10.10.10.1/24 containing EPG Web (Web-01 10.10.10.11, Web-02 10.10.10.12) and EPG App (App-01 10.10.10.13, App-02 10.10.10.14).]
Without contracts, by default there is no communication between EPGs.
(*) Default can be changed
ACI White List Model(*): Contract Determines Communication
[Figure: Bridge Domain 10.10.10.1/24. EPG Web (Web-01 10.10.10.11, Web-02 10.10.10.12) CONSUMES and EPG App (App-01 10.10.10.13, App-02 10.10.10.14) PROVIDES the contract below. Web-to-App flows on tcp/80 and tcp/443 pass; tcp/8080 matches no filter entry and is dropped.]
Contract: Blue-to-Green
  Subject: AppTraffic
    Filter     Action
    tcp/80     allow
    tcp/443    allow
(*) Default can be changed
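The contract on this slide expressed as the APIC XML payload that creates it, as an added example (not part of the lab guide and not Cisco tooling). The classes and attributes are the standard ACI ones (fvTenant, vzFilter/vzEntry, vzBrCP/vzSubj/vzRsSubjFiltAtt, fvRsCons/fvRsProv); the tenant name Tenant1, application profile ap1, the filter naming convention and the APIC hostname are assumptions. The read-back helper is the review step a practitioner wants before pushing: it lists exactly which destination ports the leaf will be told to permit, so a missing or mistyped entry is caught while the policy is still a text file.

```python
"""Build the APIC XML for the Web -> App contract on the slide (added example).

Object classes are the standard ACI ones; tenant/AP/filter names and the
APIC hostname are assumptions made for this example.
"""
import xml.etree.ElementTree as ET


def build_contract_tenant(tenant, ap, contract, subject, consumer_epg,
                          provider_epg, tcp_ports):
    """Return fvTenant XML that creates the contract and wires it to both EPGs.

    One vzEntry is emitted per port so every allowed flow is explicit;
    anything not listed (tcp/8080 on the slide) falls to the implicit deny.
    """
    bad = [p for p in tcp_ports if not 1 <= int(p) <= 65535]
    if bad:
        raise ValueError(f"invalid TCP port(s): {bad}")
    filt_name = f"{subject}-flt"  # assumed naming convention
    tn = ET.Element("fvTenant", name=tenant)
    # Filter: one entry per destination TCP port
    flt = ET.SubElement(tn, "vzFilter", name=filt_name)
    for p in tcp_ports:
        ET.SubElement(flt, "vzEntry", name=f"tcp-{p}", etherT="ip", prot="tcp",
                      dFromPort=str(p), dToPort=str(p))
    # Contract scoped to the VRF, with one subject referencing the filter
    brcp = ET.SubElement(tn, "vzBrCP", name=contract, scope="context")
    subj = ET.SubElement(brcp, "vzSubj", name=subject)
    ET.SubElement(subj, "vzRsSubjFiltAtt", tnVzFilterName=filt_name)
    # EPG relations: the consumer initiates, the provider serves
    ap_el = ET.SubElement(tn, "fvAp", name=ap)
    cons = ET.SubElement(ap_el, "fvAEPg", name=consumer_epg)
    ET.SubElement(cons, "fvRsCons", tnVzBrCPName=contract)
    prov = ET.SubElement(ap_el, "fvAEPg", name=provider_epg)
    ET.SubElement(prov, "fvRsProv", tnVzBrCPName=contract)
    return ET.tostring(tn, encoding="unicode")


def allowed_tcp_ports(tenant_xml, contract):
    """Read back which destination TCP ports a contract's filters permit.

    A pre-change review: this is what the leaf will be programmed with.
    """
    tn = ET.fromstring(tenant_xml)
    filters = {f.get("name"): f for f in tn.findall("vzFilter")}
    ports = set()
    for brcp in tn.findall(f"vzBrCP[@name='{contract}']"):
        for rel in brcp.iter("vzRsSubjFiltAtt"):
            flt = filters.get(rel.get("tnVzFilterName"))
            if flt is None:
                continue  # dangling reference; APIC would raise a fault on it
            for e in flt.findall("vzEntry"):
                if e.get("prot") == "tcp":
                    ports.update(range(int(e.get("dFromPort")),
                                       int(e.get("dToPort")) + 1))
    return sorted(ports)


def apic_post_target(apic_host, tenant):
    """REST endpoint the tenant XML is POSTed to (after /api/aaaLogin.xml)."""
    return f"https://{apic_host}/api/mo/uni/tn-{tenant}.xml"


if __name__ == "__main__":
    payload = build_contract_tenant("Tenant1", "ap1", "Blue-to-Green", "AppTraffic",
                                    consumer_epg="Web", provider_epg="App",
                                    tcp_ports=[80, 443])
    print(payload)
    print("permitted tcp ports:", allowed_tcp_ports(payload, "Blue-to-Green"))
    print("POST to:", apic_post_target("apic1.example.net", "Tenant1"))
```

The output is the body of a POST to the tenant MO; the example deliberately stops short of the HTTP call so it runs offline. Note that the filter is directional only in the sense of consumer-to-provider: ACI applies the reverse entries automatically for the return traffic, so tcp/80 and tcp/443 do not have to be listed twice.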
ACI Leaf Uses Zoning Rules to forward or drop the traffic
[Figure: EPG Web (Web-01 10.10.10.11, Web-02 10.10.10.12) and EPG App (App-01 10.10.10.13, App-02 10.10.10.14) attached to the leaf.]
leaf1# show zoning-rule scope 2162697 | egrep -E "Scope|32771|16387"
Rule ID  SrcEPG  DstEPG  FilterID  operSt   Scope    Action  Priority
4616     16387   32771   5         enabled  2162697  permit  src_dst_any(8)
4617     32771   16387   5         enabled  2162697  permit  src_dst_any(8)
Once a contract is created, it is programmed on the ACI leaf as Zoning Rules. The leaf forwards or drops packets based on those rules: the scope is the VRF, and 16387 and 32771 are the class IDs (pcTags) of the two EPGs.
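A parser for that leaf output, as an added example (not from the lab guide), for checking what the leaf will actually do with a given flow instead of reading the rule table by eye. The two permit rules are the ones on the slide; the implicit deny line is a constructed sample in the same column format, standing in for the catch-all rule a leaf carries for every VRF scope. Two assumptions are encoded: pcTag 0 is a wildcard, and the lower priority number wins, which is how the leaf orders zoning rules.

```python
"""Parse 'show zoning-rule' output and decide permit/deny for a flow (added example)."""
import re

# Two rule lines from the slide plus a constructed implicit-deny line.
SAMPLE_ZONING_RULES = """\
leaf1# show zoning-rule scope 2162697
Rule ID SrcEPG DstEPG FilterID operSt Scope Action Priority
4616 16387 32771 5 enabled 2162697 permit src_dst_any(8)
4617 32771 16387 5 enabled 2162697 permit src_dst_any(8)
4097 0 0 implicit enabled 2162697 deny any_any_any(21)
"""

_RULE_RE = re.compile(
    r"^(?P<rule_id>\d+)\s+(?P<src>\d+)\s+(?P<dst>\d+)\s+(?P<filter>\S+)\s+"
    r"(?P<oper>\S+)\s+(?P<scope>\d+)\s+(?P<action>\S+)\s+"
    r"(?P<prio_name>[a-z_]+)\((?P<prio>\d+)\)\s*$"
)


def parse_zoning_rules(text):
    """Return one dict per rule line; prompts, headers and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rules.append({
            "rule_id": int(d["rule_id"]), "src": int(d["src"]), "dst": int(d["dst"]),
            "filter": d["filter"], "oper": d["oper"], "scope": int(d["scope"]),
            "action": d["action"], "prio": int(d["prio"]),
        })
    return rules


def matching_rules(rules, scope, src_pctag, dst_pctag):
    """Rules that apply to src->dst in this VRF scope, best precedence first.

    pcTag 0 is treated as 'any' (assumption noted in the lead-in).
    """
    hits = [r for r in rules
            if r["scope"] == scope and r["oper"] == "enabled"
            and r["src"] in (0, src_pctag) and r["dst"] in (0, dst_pctag)]
    return sorted(hits, key=lambda r: (r["prio"], r["rule_id"]))


def is_permitted(rules, scope, src_pctag, dst_pctag):
    """True if the winning rule permits the flow; no matching rule also means drop."""
    hits = matching_rules(rules, scope, src_pctag, dst_pctag)
    return bool(hits) and hits[0]["action"] == "permit"


if __name__ == "__main__":
    rules = parse_zoning_rules(SAMPLE_ZONING_RULES)
    print(f"{len(rules)} rules parsed")
    print("16387 -> 32771 permitted:", is_permitted(rules, 2162697, 16387, 32771))
    print("49153 -> 32771 permitted:", is_permitted(rules, 2162697, 49153, 32771))
```

The second query shows the white-list model from the leaf's point of view: a pcTag with no explicit rule of its own only ever hits the implicit deny. In practice the text is fed from the output of `show zoning-rule` captured over SSH, and the pcTag of an EPG can be read from the fvAEPg object's pcTag attribute on the APIC.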
Intra EPG Isolation
Intra EPG Isolation
• Intra EPG Isolation blocks communication between all endpoints inside the group
• Supports mixing of Physical and Virtual endpoints in the same EPG
• Can be configured on all types of EPG
XML: pcEnfPref="enforced" on the fvAEPg turns isolation on (the default is "unenforced")
<fvTenant name="Tenant1">
  <fvAp name="ap1">
    <fvAEPg isAttrBasedEPg="no" matchT="AtleastOne" name="baseEPG" pcEnfPref="enforced" prefGrMemb="exclude" prio="unspecified">
      <fvRsBd tnFvBDName="bd"/>
    </fvAEPg>
  </fvAp>
</fvTenant>
Intra EPG Isolation Use Case
• Independent clients accessing common services
  • VDI (Virtual Desktop Infrastructure)
  • Management devices (CIMC etc.)
  • Backup Storage
  • Web tier application
[Figure: isolated CIMC Interfaces in one EPG reaching NTP/DNS Infra Services in another EPG.]
Intra EPG Isolation – Zoning Rules
Source  Destination  Filter    Action
EPG-A   EPG-B        implicit  permit
EPG-A   EPG-A        implicit  Deny-all
Intra EPG traffic will be dropped by the leaf because of the implicit deny-all rule.
VMware DVS Intra EPG Isolation
[Figure: Port-Group EPGA and Port-Group EPGB on the vDS, each mapped to a DVS VLAN; the isolated EPG-A uses a PVLAN pair (VLAN-pri / VLAN-sec) between the vDS and the leaf.]
• PVLAN map is configured in the vDS
• PVLAN map is configured on the ACI leaf
• vDS => ACI leaf uplink traffic uses VLAN-secondary
• ACI leaf => vDS downlink traffic uses VLAN-primary
VMware DVS Intra EPG Isolation
Source  Destination  Filter    Action
EPG-A   EPG-B        implicit  permit
EPG-A   EPG-A        implicit  Deny-all
Inter-ESXi host traffic will be dropped by the leaf because of the implicit deny-all rule.
• Intra-ESXi host traffic is encapsulated in VLAN-secondary.
• vDS denies local intra-EPG VM traffic via PVLAN.
Note for Inter-EPG Traffic with Isolation Enabled:
• EPG-B sends traffic over a regular VLAN to the ACI Leaf
• The egress Leaf encapsulates traffic in VLAN-Primary and sends it towards the EPG-A VMs
VMware With Cisco AVS Intra EPG Isolation
Source  Destination  Filter    Action
EPG-A   EPG-B        implicit  permit
EPG-A   EPG-A        implicit  Deny-all
Inter-ESXi host traffic will be dropped by the leaf because of the implicit deny-all rule.
Isolation enforcement for intra-host traffic is local to the AVS within a host (Port-Group EPGA and Port-Group EPGB both use AVS VXLAN).
* VXLAN mode supported. No PVLANs required because of OpFlex.
Micro-segmented EPGs with attributes
uSeg EPG (Attribute Based EPG)
• Endpoints can be classified based on their attributes using uSeg EPGs
[Figure: base EPG GREEN, classified by port and encapsulation (i.e. VLAN or VXLAN), containing VM-01 10.10.10.13, BM-01 10.10.10.11 (f4:5c:89:b2:bf:cb) and BM-02 10.10.10.12 (f4:5c:89:b2:ab:cd). Two uSeg EPGs pull endpoints out of it by attribute:]
• uEPG MyDB: select where MAC=f4:5c:89:b2:bf:cb (matches BM-01)
• uEPG Quarantine: select where VM-name=VM-01 (matches VM-01)
Base EPG based on port and encapsulation (i.e. VLAN or VXLAN); uSeg EPG based on Attributes.
uSeg EPG
• The endpoint must first be learned in a regular EPG (the base EPG).
• The uSeg EPG and the base EPG are associated with the same BD.
• A uSeg EPG is equivalent to a regular/base EPG for all purposes, but classification is based on endpoint attributes (and is dynamic in nature).
• Endpoints in a uSeg EPG by default can NOT communicate with the base EPG (without a contract).
• A uSeg EPG does not inherit the contracts of the base EPG today.
uSeg EPG XML Configuration
isAttrBasedEPg="no"  → regular (base) EPG
isAttrBasedEPg="yes" → uSeg EPG
New attribute ‘isAttrBasedEPg’ in fvAEPg. The admin has to explicitly specify whether a given EPG is an attribute based EPG or not.
Endpoint Attributes (supported attributes as of 2.2(1n), listed in precedence order)
Attribute                                Type     Domain                     Example
MAC Address                              Network  Physical / VMM             5c:01:23:ab:cd:ef
IP Address                               Network  Physical / VMM             10.10.1.0/24, 10.20.21.1
vNIC Dn (vNIC domain name)               VM       VMM (DVS/AVS/Hyper-V)      A1:23:45:67:89:0b
VM Identifier                            VM       VMM (DVS/AVS/Hyper-V)      vm-598
VM Name                                  VM       VMM (DVS/AVS/Hyper-V)      HR_UI_WEB
Hypervisor Identifier                    VM       VMM (DVS/AVS/Hyper-V)      esxi-host-01
VMM Domain                               VM       VMM (DVS/AVS/Hyper-V)      AVS-VMM-DC1
Datacenter                               VM       VMM (DVS/AVS/Hyper-V)      BRU-DC
Custom Attribute (VMware AVS/DVS only)   VM       VMM (DVS/AVS)              AppTier=Web
Guest Operating System                   VM       VMM (DVS/AVS/Hyper-V)      Windows 2008
MAC and IP Attributes
• MAC and IP attributes can be used for both physical domains and VMM domains.
• You can specify a large MAC list.
• You can specify individual IP addresses and/or subnets.
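A builder for the uSeg EPG payload described on the preceding slides (isAttrBasedEPg="yes" plus a criterion block of MAC, IP and VM attributes), as an added example that is not part of the lab guide. The classes are the standard ACI ones (fvAEPg, fvRsBd, fvCrtrn, fvMacAttr, fvIpAttr, fvVmAttr); the tenant, AP, BD and attribute names are assumptions. The criterion uses match="any" because that is the only operator available in the release the slides describe (AND/OR is on the roadmap). Inputs are validated before the XML is produced: a malformed MAC or IP attribute would otherwise be accepted by the APIC as a criterion that matches nothing, and the endpoint would silently stay in the base EPG with the base EPG's contracts.

```python
"""Build the APIC XML for a uSeg (attribute based) EPG (added example).

Standard ACI classes; tenant/AP/BD/attribute names are assumptions.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# fvVmAttr 'type' values and operators accepted by the APIC
VM_ATTR_TYPES = {"vm-name", "guest-os", "vm", "hv", "domain", "rootContName",
                 "vnic", "custom-label"}
VM_OPERATORS = {"equals", "contains", "startsWith", "endsWith"}


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or Cisco aabb.ccdd.eeff; return colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    out = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    assert _MAC_RE.match(out)
    return out


def build_useg_epg(tenant, ap, name, bd, macs=(), ips=(), vm_attrs=()):
    """Return fvTenant XML defining one uSeg EPG with the given criteria.

    ips may be hosts (10.20.21.1) or subnets (10.10.1.0/24); vm_attrs are
    (type, operator, value) tuples such as ("guest-os", "contains", "Windows").
    """
    if not (macs or ips or vm_attrs):
        raise ValueError("a uSeg EPG needs at least one attribute")
    tn = ET.Element("fvTenant", name=tenant)
    ap_el = ET.SubElement(tn, "fvAp", name=ap)
    epg = ET.SubElement(ap_el, "fvAEPg", name=name, isAttrBasedEPg="yes",
                        pcEnfPref="unenforced")  # "enforced" = intra-EPG isolation
    ET.SubElement(epg, "fvRsBd", tnFvBDName=bd)  # must be the base EPG's BD
    crtrn = ET.SubElement(epg, "fvCrtrn", name="default", match="any")
    for i, mac in enumerate(macs):
        ET.SubElement(crtrn, "fvMacAttr", name=f"mac{i}", mac=normalize_mac(mac))
    for i, ip in enumerate(ips):
        net = ipaddress.ip_network(ip, strict=False)  # raises ValueError on garbage
        val = str(net.network_address) if net.num_addresses == 1 else str(net)
        ET.SubElement(crtrn, "fvIpAttr", name=f"ip{i}", ip=val)
    for i, (typ, op, value) in enumerate(vm_attrs):
        if typ not in VM_ATTR_TYPES or op not in VM_OPERATORS:
            raise ValueError(f"unsupported VM attribute {typ}/{op}")
        ET.SubElement(crtrn, "fvVmAttr", name=f"vm{i}", type=typ,
                      operator=op, value=value)
    return ET.tostring(tn, encoding="unicode")


def criteria_summary(tenant_xml):
    """Count criteria by class, e.g. {'fvMacAttr': 2, 'fvIpAttr': 1}; a review aid."""
    root = ET.fromstring(tenant_xml)
    counts = {}
    for el in root.iter():
        if el.tag in ("fvMacAttr", "fvIpAttr", "fvVmAttr"):
            counts[el.tag] = counts.get(el.tag, 0) + 1
    return counts


if __name__ == "__main__":
    payload = build_useg_epg("Tenant1", "ap1", "MyDB", "bd",
                             macs=["f4:5c:89:b2:bf:cb"],
                             ips=["10.10.1.0/24", "10.20.21.1"],
                             vm_attrs=[("guest-os", "contains", "Windows")])
    print(payload)
    print(criteria_summary(payload))
```

The payload is POSTed to the tenant MO the same way as any other fvTenant change; the uSeg EPG must additionally be attached to the physical or VMM domain the base EPG uses (fvRsDomAtt), which is left out here because the domain names are site specific.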
uSeg EPG Support with VMM Domain
[Figure: vSwitch with dvPortGroup GREEN carrying ubuntu-01, centos-01, ubuntu-02 and centos-02, all in base EPG GREEN on BD1 (Subnet 192.168.1.254/24). uSeg EPG UBUNTU selects on VM attribute "VM OS Equals Ubuntu" and takes ubuntu-01 and ubuntu-02 out of the base EPG.]
uSeg EPGs with Microsoft Hyper-V and VMware vSphere using AVS
[Figure: AVS and MSFT vSwitch, each with dvPortGroup GREEN carrying ubuntu-01, centos-01, ubuntu-02 and centos-02 in base EPG GREEN on BD1 (Subnet 192.168.1.254/24); uSeg EPG UBUNTU selects on "VM OS Equals Ubuntu".]
The uEPG does not configure a new dvPortGroup or VM-Network. A new encapsulation ID (VLAN or VXLAN) is allocated for this uEPG within each VMM. This enables the leaf to classify endpoints into the right uEPG.
uSeg EPG with VMware vSphere using DVS
[Figure: VMware DVS with dvPortGroup GREEN carrying ubuntu-01, centos-01, ubuntu-02 and centos-02 in base EPG GREEN on BD1 (Subnet 192.168.1.254/24); uSeg EPG UBUNTU selects on "VM OS Equals Ubuntu".]
• The uEPG does not configure a new dvPortGroup or VM-Network.
• PVLAN mode will be enabled on EPG GREEN (same behavior as Intra EPG Isolation; e.g. PVLAN primary 100, secondary 200). PVLAN allocation will be required if there is an L2 switch in between.
• Proxy-ARP is enabled, so traffic always goes to the Leaf.
You can use multiple attributes
• Attribute support depends on the VMM; some attributes are vendor specific (e.g. vSphere Custom Attributes).
• If multiple attributes are defined for a uSeg EPG, an endpoint is placed in that EPG if ‘any’ one of the specified attributes matches the endpoint.
Use Case #1: Isolate a Malicious VM
• Problem: A vulnerability is detected in a particular type of operating system (e.g. Windows). The network security administrator would like to isolate all Windows VMs.
[Figure: three tiers, each with two Linux VMs and one Windows VM: Web (Web01 Linux, Web02 Linux, Web03 Win), App (App01 Linux, App02 Linux, App03 Win), DB (DB01 Linux, DB02 Linux, DB03 Win). A uSeg EPG "Win EPG" with criterion Attribute (OS = Windows) pulls Web03, App03 and DB03 out of their tier EPGs; without a contract their traffic is blocked (X).]
Use Case #2: Creating additional Security Zones
• Problem: VMs belonging to different departments (e.g. HR, Sales) or different roles (Production, Test) are placed in the same port-group, but isolation across departments is required (e.g. HR-Web-VM should not be able to talk to Sales-Web-VM).
[Figure: Web tier (Web01, HR-Web01, Sales-Web01), App tier (App01, App02, App03), DB tier (DB01, DB02, DB03). uSeg EPG HR-Web with criterion Attribute (VM name contains HR) and uSeg EPG Sales-Web with criterion Attribute (VM name contains Sales) split the Web EPG; with no contract between HR-Web and Sales-Web, their traffic is blocked (X).]
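A simulation of the classification rules stated above (a uSeg EPG claims an endpoint when any one of its criteria matches; when several uSeg EPGs match, the attribute with the higher precedence wins, in the order of the attribute table), run over the two use cases, as an added example that is not from the lab guide and does not call the APIC. The endpoint inventory and the uSeg EPG definitions are constructed for the example; the precedence numbers follow the order of the attribute table, and the tie-break by EPG name is this model's own choice for determinism, not fabric behaviour.

```python
"""Model uSeg EPG classification: match-any per EPG, attribute precedence across EPGs.

Added example; endpoints and uSeg EPGs below are constructed.
"""
import ipaddress

# Precedence from the attribute table: lower number wins.
PRECEDENCE = {"mac": 1, "ip": 2, "vnic": 3, "vm": 4, "vm-name": 5, "hv": 6,
              "domain": 7, "datacenter": 8, "custom-label": 9, "guest-os": 10}

OPERATORS = {
    "equals": lambda have, want: have == want,
    "contains": lambda have, want: want in have,
    "startsWith": lambda have, want: have.startswith(want),
    "endsWith": lambda have, want: have.endswith(want),
}


def criterion_matches(criterion, endpoint):
    """One (attribute, operator, value) criterion against one endpoint's attributes."""
    attr, op, value = criterion
    have = endpoint.get(attr)
    if have is None:
        return False
    if attr == "mac":
        return have.lower() == value.lower()
    if attr == "ip":  # value may be a host or a subnet
        return ipaddress.ip_address(have) in ipaddress.ip_network(value, strict=False)
    return OPERATORS[op](str(have), str(value))


def classify(endpoint, useg_epgs):
    """Return the uSeg EPG that wins this endpoint, or None (stays in the base EPG).

    useg_epgs: {name: [criterion, ...]}; any matching criterion claims the endpoint,
    and the best (lowest-numbered) matching attribute decides between EPGs.
    """
    best = None  # (precedence, epg_name); name tie-break is a modelling choice
    for epg_name, criteria in useg_epgs.items():
        for crit in criteria:
            if criterion_matches(crit, endpoint):
                cand = (PRECEDENCE[crit[0]], epg_name)
                if best is None or cand < best:
                    best = cand
    return best[1] if best else None


# Constructed inventory for the two use cases on the slides.
ENDPOINTS = {
    "Web01": {"vm-name": "Web01", "guest-os": "CentOS Linux", "ip": "10.10.0.11"},
    "HR-Web01": {"vm-name": "HR-Web01", "guest-os": "CentOS Linux", "ip": "10.10.0.21"},
    "Sales-Web01": {"vm-name": "Sales-Web01", "guest-os": "CentOS Linux", "ip": "10.10.0.31"},
    "Web03": {"vm-name": "Web03", "guest-os": "Microsoft Windows Server 2008", "ip": "10.10.0.13"},
    "HR-Win01": {"vm-name": "HR-Win01", "guest-os": "Microsoft Windows Server 2008", "ip": "10.10.0.23"},
    "DB01": {"mac": "18:e7:28:00:36:01", "ip": "30.30.0.11"},
}

USEG_EPGS = {
    "Win-EPG": [("guest-os", "contains", "Windows")],           # use case #1
    "HR-Web": [("vm-name", "contains", "HR")],                  # use case #2
    "Sales-Web": [("vm-name", "contains", "Sales")],            # use case #2
    "ap1-db": [("mac", "equals", "18:e7:28:00:36:01")],         # MAC based uEPG
    "Quarantine": [("ip", "equals", "10.10.0.13"),              # match-any: either
                   ("vm-name", "equals", "Web03")],             # criterion suffices
}


def classify_all(endpoints=ENDPOINTS, useg_epgs=USEG_EPGS):
    return {name: classify(attrs, useg_epgs) for name, attrs in endpoints.items()}


if __name__ == "__main__":
    for name, epg in classify_all().items():
        print(f"{name:12s} -> {epg or 'base EPG'}")
```

The HR-Win01 result is the caveat worth remembering: it is a Windows VM, but VM Name outranks Guest Operating System, so it lands in HR-Web rather than in Win-EPG, and the OS-based quarantine silently misses it. A quarantine meant to override every other uSeg EPG should therefore be keyed on a MAC or IP attribute, which is exactly why Web03 does end up in Quarantine here.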
Hardware/Software Dependency
VMware vSphere (DVS/AVS):
• Intra EPG Isolation: DVS since ACI 1.2(2); AVS since ACI 1.3(1)
• µSeg EPG with attributes: DVS since ACI 1.3(1) with 9300-EX hardware; AVS since ACI 1.1(1)
Microsoft Hyper-V:
• Intra EPG Isolation: Roadmap
• µSeg EPG with attributes: Microsoft Virtual Switch since ACI 1.2(1)
Third platform (column heading not recoverable from the slide):
• Intra EPG Isolation: Supported since ACI 1.2(2)
• µSeg EPG with attributes: Roadmap
Physical domain (bare-metal):
• Intra EPG Isolation: Supported since ACI 1.2(2)
• µSeg EPG with attributes: IP EPG since ACI 1.2(1) with –E hardware; MAC EPG since ACI 2.1(1) with –EX hardware
Roadmap
• vSphere Tags for Micro-Segmentation
• Match AND/OR operator for Attributes
• Intra-EPG contracts
• Contract Inheritance
• User-Identity Micro-Segmentation: EPG membership based on AD authentication (Infoblox)
• And more…
Lab Setup and Overview
Overall Lab Topology
• ACI Fabric
  • Spine Switches
  • Leaf Switches
  • APIC Controllers
• Servers/VMs
  • Nexus 3K (Bare-Metal)
  • CentOS VMs
[Figure: Leaf1 and Leaf2 connected to the Nexus 3K bare-metal host: Leaf1 e1/1 and e1/3 and Leaf2 e1/1 and e1/3 go to N3K e1/1 through e1/4.]
Tenant Setup – Pre Lab
Tenant cl-userXX - VRF vrf1 (*XX = 01 ~ 30, user ID)
• Bridge Domain mgmt – Subnet 172.16.0.1/24
  • EPG srv-mgmt: uXX-ap1-db, uXX-ap2-db, uXX-ap1-web, uXX-ap1-app, uXX-ap2-web, uXX-ap2-app
  • EPG backup-srv: uXX-backup-srv
• Bridge Domain web-app – Subnets 10.10.0.1/24 and 20.20.0.1/24
  • EPG web-app: uXX-ap1-web, uXX-ap1-app (DVS VLAN); uXX-ap2-web, uXX-ap2-app (AVS VXLAN)
• Bridge Domain database – Subnet 30.30.0.1/24
  • EPG database: uXX-ap1-db, uXX-ap2-db (Nexus 3K bare-metal)
Nexus 3K / Bare-Metal (database)
[Figure: Leaf1 e1/1 and Leaf2 e1/1 connect to N3K e1/1 and e1/2 on VLAN 36XX; uXX-ap1-db 30.30.0.11/24 (MAC 18e7.2800.36XX) and uXX-ap2-db 30.30.0.12/24 (MAC 18e7.2801.36XX) sit in the database BD 30.30.0.1/24.]
*XX = 01 ~ 30 (user ID)
Each bare-metal "endpoint" is a sub-interface in its own VRF, so the two can share the 30.30.0.0/24 subnet on one box and still only reach each other through the fabric, where the EPG policy applies.

vrf context cl-uXX-db1
  ip route 0.0.0.0/0 30.30.0.1
vrf context cl-uXX-db2
  ip route 0.0.0.0/0 30.30.0.1
interface Ethernet1/1.36XX
  description "To:leaf101-e1/1, EP:uXX-ap1-db"
  encapsulation dot1q 36XX
  mac-address 18e7.2800.36XX
  vrf member cl-uXX-db1
  ip address 30.30.0.11/24
interface Ethernet1/2.36XX
  description "To:leaf102-e1/1, EP:uXX-ap2-db"
  encapsulation dot1q 36XX
  mac-address 18e7.2801.36XX
  vrf member cl-uXX-db2
  ip address 30.30.0.12/24
Nexus 3K / Bare-Metal (database-mgmt)
[Figure: Leaf1 e1/3 and Leaf2 e1/3 connect to N3K e1/3 and e1/4 on VLAN 37XX; uXX-ap1-db-mgmt 172.16.0.15/24 (MAC 18e7.2800.37XX) and uXX-ap2-db-mgmt 172.16.0.16/24 (MAC 18e7.2801.37XX) sit in the mgmt BD 172.16.0.1/24.]
*XX = 01 ~ 30 (user ID)
Same pattern as the database sub-interfaces: one VRF per management endpoint, default route to the BD gateway.

vrf context cl-uXX-mgmt1
  ip route 0.0.0.0/0 172.16.0.1
vrf context cl-uXX-mgmt2
  ip route 0.0.0.0/0 172.16.0.1
interface Ethernet1/3.37XX
  description "To:leaf101-e1/3, EP:uXX-ap1-db-mgmt"
  encapsulation dot1q 37XX
  mac-address 18e7.2800.37XX
  vrf member cl-uXX-mgmt1
  ip address 172.16.0.15/24
interface Ethernet1/4.37XX
  description "To:leaf102-e1/3, EP:uXX-ap2-db-mgmt"
  encapsulation dot1q 37XX
  mac-address 18e7.2801.37XX
  vrf member cl-uXX-mgmt2
  ip address 172.16.0.16/24
Lab 1 – Intra EPG Isolation
Tenant cl-userXX - VRF vrf1; Bridge Domain mgmt – Subnet 172.16.0.1/24
EPG srv-mgmt: uXX-ap1-web, uXX-ap1-app, uXX-ap2-web, uXX-ap2-app (172.16.0.11/24 to 172.16.0.14/24), uXX-ap1-db 172.16.0.15/24, uXX-ap2-db 172.16.0.16/24
EPG backup-srv: uXX-backup-srv 172.16.0.254/24
Before: all endpoints in srv-mgmt can talk to each other freely.
After: Intra EPG Isolation is enabled on srv-mgmt, so the management endpoints can no longer talk to each other; their communication with EPG backup-srv is still governed by contracts.
Lab 2 – MAC Based EPG with Bare-Metal
Tenant cl-userXX - VRF vrf1; Bridge Domain web-app (Subnets 10.10.0.1/24, 20.20.0.1/24); Bridge Domain database (Subnet 30.30.0.1/24)
EPG web-app: uXX-ap1-web 10.10.0.11/24, uXX-ap1-app 20.20.0.11/24, uXX-ap2-web 10.10.0.12/24, uXX-ap2-app 20.20.0.12/24
Before: EPG database holds both bare-metal hosts, uXX-ap1-db 30.30.0.11/24 (MAC 18e7.2800.36XX) and uXX-ap2-db 30.30.0.12/24 (MAC 18e7.2801.36XX).
After: two MAC-attribute uSeg EPGs split them out of the base EPG: uEPG ap1-db (MAC 18e7.2800.36XX, uXX-ap1-db) and uEPG ap2-db (MAC 18e7.2801.36XX, uXX-ap2-db).
Lab 3 – VM-Attribute based EPG with DVS
Tenant cl-userXX - VRF vrf1; Bridge Domain web-app (Subnets 10.10.0.1/24, 20.20.0.1/24); Bridge Domain database (Subnet 30.30.0.1/24) with uEPG ap1-db (uXX-ap1-db 30.30.0.11/24, MAC 18e7.2800.36XX) and uEPG ap2-db (uXX-ap2-db 30.30.0.12/24, MAC 18e7.2801.36XX) from Lab 2
Before: EPG web-app holds uXX-ap1-web 10.10.0.11/24 and uXX-ap1-app 20.20.0.11/24 (DVS VLAN) together with uXX-ap2-web 10.10.0.12/24 and uXX-ap2-app 20.20.0.12/24 (AVS VXLAN).
After: a VM-attribute uSeg EPG ap1-webapp takes the DVS-attached VMs uXX-ap1-web and uXX-ap1-app out of the base EPG; uXX-ap2-web and uXX-ap2-app remain in EPG web-app on AVS VXLAN.
Lab 4 – VM-Attribute based EPG with AVS
Tenant cl-userXX - VRF vrf1; same BDs, uEPG ap1-db, uEPG ap2-db and uEPG ap1-webapp (uXX-ap1-web 10.10.0.11/24, uXX-ap1-app 20.20.0.11/24, DVS VLAN) as after Lab 3
Before: EPG web-app still holds the AVS VXLAN VMs uXX-ap2-web 10.10.0.12/24 and uXX-ap2-app 20.20.0.12/24.
After: two VM-attribute uSeg EPGs on the AVS domain split them: uEPG ap2-web (uXX-ap2-web 10.10.0.12/24) and uEPG ap2-app (uXX-ap2-app 20.20.0.12/24); the diagram marks DFW (the AVS Distributed Firewall) on the AVS side.
Lab 5 – Quarantine a malicious VM
Tenant cl-userXX - VRF vrf1; same BDs and uEPGs as after Lab 4
Before: uEPG ap1-webapp holds uXX-ap1-web 10.10.0.11/24 and uXX-ap1-app 20.20.0.11/24 (DVS VLAN); uEPG ap2-web and uEPG ap2-app hold uXX-ap2-web 10.10.0.12/24 and uXX-ap2-app 20.20.0.12/24 (AVS VXLAN, DFW); uEPG ap1-db and uEPG ap2-db hold the bare-metal hosts.
After: uXX-ap1-web and uXX-ap1-app are reclassified into a new uEPG Quarantine; with no contracts on that uEPG they can no longer reach the rest of the application. uEPG ap1-webapp is left without members.
Lab Access
VPN 173.36.208.70, user cl-userXX, password ciscolive.2017
Remote Desktop
155.78.120.12, password ciscolive.2017
Tools on the desktop:
• Command Prompt
• Chrome
• Firefox
• PuTTY
Lab Guide
• URL - http://ltraci-2800.lab.test.local
Lab Access Information
Device           IP Addresses                                        Username           Password
VPN              173.36.208.70                                       cl-userXX          ciscolive.2017
Remote Desktop   155.78.120.12                                       [email protected]   ciscolive.2017
APIC1 / APIC2 / APIC3   172.21.208.173 / 172.21.208.174 / 172.21.208.175   admin       ciscolive.2017
ESXi Host        172.21.208.187                                      -                  -
Nexus 3K         172.21.208.178                                      useg               ciscolive.2017
VMs (uXX-backup-srv, uXX-ap1-web, uXX-ap1-app, uXX-ap2-web, uXX-ap2-app)   See lab guide   root   ciscolive.2017
Access Tenant
Keyboard in RDP
Lab Time
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
  • LABACI-1234: ACI Micro-Segmentation Lab
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
  • BRKACI-2301: Practical Applications of Cisco ACI Micro Segmentation
  • TECSEC-2404: ACI Security
Q & A
Thank You