Date posted: 19-Jan-2015 | Category: Technology | Uploaded by: cisco-russia
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Михаил Кадер,
“59% of organizations lack the lab resources or test environments to validate vendor claims for themselves.”
—SANS Institute
“Organizations clearly lack well-defined standards, processes, and resources for determining the resiliency of their critical network devices and systems.... Need methodical resiliency validation using a combo of real traffic, heavy load and security attacks.” —SANS and TOGAG
Cisco Validated Designs Deliver Results
Data Center / Secure Data Center CVD – www.cisco.com/go/vmdc
Setting the Foundation for the Secure Designs
Traditional Data Center Architecture
Items of note:
- Both the physical network fabric and the virtualization components are represented
- Well-defined DC Edge (layer 3) providing connectivity and security services between the DC and the Internet/Extranet
- DMZ network (physical or virtual workload) on the DC edge that can securely leverage physical workloads or virtual workloads
- DC Core is routed (OSPF, BGP, EIGRP) with ECMP
- DC Aggregation layer contains physical security services, allowing the creation of internal zones / trust enclaves without crossing the core (East-West), and crossing the core (North-South) only when required
- Various End-of-Row/Top-of-Rack options represented between the Aggregation and Compute/Access layers
- Virtual security services represented with Nexus 1000v
Traditional Secure Data Center Design – Basic and Simplified
[Diagram: Data Center with Physical Network Fabric, External DC Edge, Internal DC Zoning, Virtual Fabric & Compute, Virtual Workloads, Virtual Services; callouts 1, 2, A, B]
1. Physical Network Fabric
- Creates the shared physical infrastructure for moving packets within the Data Center (North, South, East and West)
- Leverages the DC-class technologies of Cisco Nexus switching
External DC Edge (External Zoning)
- Boundary between the Data Center and the rest of the corporate network (or Internet) (North-South)
Internal DC Zones – Stateful internal separation
- Allows Secure Zones or Trust Enclaves to be established within the DC network fabric, establishing secure separation via External DC Zones or other Internal DC Zones (North-South)
- Should inherently take advantage of the optimized network infrastructure without violating proper Data Center design objectives:
  ‒ High-Availability / Zero Downtime
  ‒ Scalability / Massive Workload Processing
  ‒ Survivability / Redundancy
  ‒ Low Latency / No Packet Loss
  ‒ Asymmetric Traffic Flows
Traditional Secure Data Center Design – Basic and Simplified
[Diagram: Data Center with Physical Network Fabric, External DC Edge, Internal DC Zoning, Virtual Fabric & Compute, ‘Secure’ Virtual Workloads, Virtual Security Services; callouts 1, 2, A, B]
1. Virtual Fabric and Compute
- Creates the shared virtual infrastructure for moving packets within the virtualized Data Center
- Leverages the virtualization & compute technologies of Cisco Nexus / Unified Computing System (UCS) and virtualization software, e.g. VMware, Citrix, etc.
Secure Virtual Workloads
- Securing the sum of the requests made by users and applications of a ‘virtual system’
- Typically defined as a self-contained unit: an integrated stack consisting of application, middleware, database, and operating system devoted to a specific computing task
Virtual Security Services
- The virtual services defined to successfully secure and optimize a Virtual Workload: virtual firewalls, virtual routing, network management, virtual load balancers, cloud interconnect, VPN, etc.
Secure DC: Traditional Use Cases
1. Secure Internal Zone from External Zone
2. Secure Data in a Compliance Scenario [PCI, FISMA, HIPAA, etc.]
3. Secure Application Tiers
4. Secure Multi-Tenancy
[Diagram: Internet / Campus / Data Center / Extranet edges with Vendor and Partner firewall contexts (CTX1, CTX2), VDC1/VDC2 and vPC fabric, Cisco VXI, DMZ, and application tiers: Front-End (Presentation), Web Tier (business logic), DB Tier (data access)]
Secure DC: Evolving Deployment Use Cases
Physical – Public Cloud – Virtual Private Cloud
1. Traditional (Physical) DC
2. Virtual DC
3. Virtual Desktop
4. Internal Private Cloud
5. Virtual Private Cloud
6. Public Cloud
[Diagram: Internet, VDC1/VDC2, vPC, Cisco VXI, IPsec/SSL, VMDC, Custom DC, SaaS, PaaS]
The Evolving Data Center Architecture
Goal #1: Understand the current approach (de-couple the elements of the design)
Goal #2: Understand the options we have to build a more efficient architecture (re-assemble the elements into a more flexible design)
Aggregation Layer
• Workload is localized to the Aggregation Block
• Centralized point for ingress and egress data center flows
• Can be the demarcation point for L2 and L3
• Services can be scaled as the data center grows
Services Layer (option)
• Additional services location for server-farm-specific protection / optimization
• Services localized to the applications running on the servers connected to the physical pod – SLB, monitors, etc.
• Offloads port utilization from the Aggregation Layer
Virtual Network & Access
• Physical and virtual form factor for server connectivity
• Top of rack provides port density for server connections
• Merging point between physical and virtual networks
[Diagram: Data Center Core Layer (Layer 3) – DC Aggregation Layer – DC Service Layer – DC Access Layer (Layer 2) – UCS Virtual Access – Storage; security callouts per layer: data security (authenticate & access control), port security (authentication, QoS features), Virtual Firewall, real-time monitoring, firewall rules]
The Evolving Data Center Architecture – Adding Layered Security Services
[Diagram: Aggregation Layer – Services Layer (option) – Virtual Network & Access – UCS Virtual Access – Storage; security callouts per layer: data security (authenticate & access control), port security (authentication, QoS features), Virtual Firewall, real-time monitoring, firewall rules]
Layered security services:
• Initial filter for all ingress and egress to DC services & compute – “North-South” protection
• Stateful filtering and logging for all ingress and egress traffic flows
• Physical appliances can be virtualized and applied to server enclaves
• Virtual firewall, zone/enclave-based filtering
• IP-based Access Control Lists
• VM attribute-based policies – should follow the VM
• “East-West” protection
Data Center Edge
• Physical delineation for all ingress and egress into the ‘CORE’ of the DC – traditional security models apply to North-South protection
• Additional services location for server-farm-specific protection and other potential zones
VDC and VPC Designs
Traditional Secure DC Design – Network Fabric Best Practices
[Diagram: Data Center with Physical Network Fabric, External DC Edge, Internal DC Zoning, Virtual Fabric & Compute, Virtual Workloads, Virtual Services; callouts 1, 2, A, B]
1. Physical Network Fabric
- Leverage the full capacity of the Cisco Nexus switching infrastructure
- Security is pervasive, and while it has been known to ‘reduce convenience’, decreasing required network functionality is unacceptable
External DC Edge (External Zoning)
- Leverage edge connectivity (routing)
- Provide edge security (firewall at minimum)
- Layer 3 firewalling (with or without NAT) may be used successfully
- IPS and next-generation systems can add additional visibility and protection
- If very high-speed firewalling / federations, etc. are desired at the DC edge, ASR1K can deliver up to 100 Gbps FW with stateful HA
- Path diversity into the data center if you can: stateless with federation to authenticate to the app, stateful with federation for compliance
Internal DC Zones – Stateful internal separation
- Keep routing on the routers (firewalls implemented transparently)
- Leverage vPC/vPC+ and/or FabricPath technology to maximize DC traffic flow capability
- All flows are expected to be asymmetric, therefore the zone design should support this
- No additional packet-loss penalties should be introduced
- Zero-downtime firewall upgrades should be supported
- Survivability/HA on the firewall / IPS devices is critical
Building an Efficient DC Fabric to Scale
Scaling the Network Fabric – Virtual Device Context (VDC)
Nexus 7000 VDC – Virtual Device Context (up to 8 VDCs plus 1 management VDC – SUP2E w/ NX-OS 6.04/6.1)
• Flexible separation/distribution of hardware resources and software components
• Complete data plane and control plane separation
• Complete software fault isolation
• Securely delineated administrative contexts
• Each physical interface can only be active in one VDC
[Diagram: one physical switch hosting VDC 1, which runs the Layer 3 protocols (OSPF, BGP, EIGRP, GLBP, HSRP, IGMP, PIM, SNMP, …), and VDC 2, which runs the Layer 2 protocols (VLAN, PVLAN, UDLD, CDP, 802.1X, STP, LACP, CTS, …); the full protocol set available to VDCs is Layer 2: VLAN, PVLAN, UDLD, CDP, 802.1X, STP, LACP, CTS, SNMP, … and Layer 3: OSPF, BGP, EIGRP, GLBP, HSRP, IGMP, PIM, …]
Using VDCs for Vertical Consolidation
• Allows consolidation of Core and Aggregation while maintaining the network hierarchy
• No reduction in port count or links, but fewer physical switches
‒ Copper Twinax cables (CX-1) provide a low-cost 10G interconnect option
• One of the most common uses of VDCs
[Diagram: separate Core, Aggregation and Access switches collapsed into Core and Aggregation VDCs on a single chassis above the Access layer]
Using VDCs for Internet Edge/DMZ/Core
• Option to meet multiple needs – XL VDC, DMZ and Core
• Maintains the security model with logical separation
• Firewalls for intra- or inter-VDC traffic flows
[Diagram: Internet – Internet Edge (XL) VDC – DMZ VDC – Core VDC, repeated across chassis, with firewalls placed between the VDCs]
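As an added example that is not from this deck, the Internet Edge / DMZ / Core split described above expressed as NX-OS configuration entered from the admin VDC of a Nexus 7000. The VDC names and IDs, the resource limits and the interface ranges are assumptions; on a Nexus 7000 interfaces can only be allocated at the port-group granularity of the installed line card, so the ranges have to match the module in the chassis.

```cisco
! Added example (not the deck's configuration). VDC names, IDs, limits and
! interface ranges are assumptions; run from the admin (default) VDC.
! Each interface below ends up active in exactly one VDC, which is what gives
! the VDCs their separate data planes.
vdc Internet-Edge id 2
  limit-resource vlan minimum 16 maximum 1024
  limit-resource vrf minimum 2 maximum 64
  allocate interface Ethernet1/1-8
!
vdc DMZ id 3
  limit-resource vlan minimum 16 maximum 512
  limit-resource vrf minimum 2 maximum 16
  allocate interface Ethernet1/9-16
!
vdc Core id 4
  limit-resource vlan minimum 16 maximum 512
  limit-resource vrf minimum 2 maximum 64
  allocate interface Ethernet1/17-24
!
! Checks: every VDC is listed as active, and every physical interface appears
! under exactly one VDC (anything still under the admin VDC was not moved).
show vdc
show vdc membership
!
! Enter a VDC to configure it as an independent switch (its own protocols,
! VLANs, users and running-config).
switchto vdc DMZ
```

The separation property the slide relies on comes from the allocation step: a port that is not in a VDC's membership list is simply not present in that VDC, so there is no configuration inside the DMZ VDC that could reach an interface owned by Core. Reviewing `show vdc membership` after any change is the quickest way to confirm that the logical separation still matches the intended edge / DMZ / core boundaries.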
VDC Security Certification
VDC separation is industry-certified as a ‘leak-proof security mechanism’:
• NSS Labs for PCI-compliant environments – http://www.nsslabs.com
• FIPS 140-2 – http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
• Common Criteria Evaluation and Validation Scheme – Certification #10349 – http://www.niap-ccevs.org/st/vid10349/
Using VDCs for PCI Compliance Segmentation
• Maintains a compliant security model with physical separation
‒ FW and IPS at the boundary of the CDE zone as required by PCI-DSS 2.0
[Diagram: Internet – Internet Edge (XL) VDC – PCI VDC – Core VDC, repeated across chassis]
Building an Efficient DC Fabric to Scale
Scaling the Network Fabric – Virtual Port Channel (vPC)
• Allow a single device to use a port channel across two upstream switches (aka MCEC)
• Eliminate STP blocked ports
• Simplify L2 paths by supporting loop-free, non-blocking concurrent L2 paths
• Dual-homed servers operate in active-active mode
• Provide fast convergence upon link/device failure
[Diagram: logical topology without vPC (Aggregation – Access with an STP-blocked link) versus logical topology with vPC (the two vPC peers present a single MCEC to the Access switch)]
  ! Enable vpc on the switch
  dc11-5020-1(config)# feature vpc
  ! Check the feature status
  dc11-5020-1(config)# show feature | include vpc
  vpc 1 enabled
What is a Virtual Port Channel (vPC)?
• vPC is a port-channeling concept extending link aggregation to two separate physical switches
• vPC allows a single device to use a port channel across two neighbor switches (vPC peers)
• The vPC peer link is used to synchronize state between the vPC peer devices and must be 10GE
• Eliminates STP blocked ports / STP delays / calculations and uses all available uplink bandwidth (active/active)
‒ Does not actually turn off STP – FabricPath does this
• Supported in NX-OS switches only
• Recommended to always use LACP for dynamic LAG
• vPC Design & Best Practices Guide: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/C07-572830-00_Agg_Dsgn_Config_DG.pdf
[Diagram: two vPC peers joined by the vPC peer link]
Why use vPC? – Multi-Chassis EtherChannel (MEC)
• No port channel: STP allows only one active link – sub-optimal flows and resource usage
• Single-chassis LACP port channel: both links active, but no device redundancy (single switch)
• vPC multi-chassis LACP port channel: both links active, optimal redundancy, all links active
• LACP load balance: src-dst-IP (hash)
[Diagram: the three topologies side by side, the vPC case showing the vPC peer link between the two chassis]
vPC with Multiple ASAs – A/S or A/A Failover
• Part of the CVD architecture since July 2011
• vPC ensures zero packet loss in the event of a link failure to the firewall, a firewall failure, a switch failure, a VDC reset, or vPC peer-link loss
‒ Works with both A/S and A/A failover (and with ASA 9.x clustering)
• Allows the ASA to participate in the necessary DC redundancy technologies with expected flow asymmetry
• ASA is the only DC firewall on the market that can simultaneously:
1. Run standards-based LACP for dynamic LAG to Nexus vPC/vPC+ or Cat6K VSS with proper bundling semantics – no traffic black holes or loss of state due to expected flow asymmetry / out-of-order packets
2. Support all of the same LACP load-balancing hash values as the switch fabric(s) [default = src-dst IP]
3. Support dynamic LAG (LACP) in all modes: routed / transparent / multi-context / mixed-context(s) / clustering
4. Successfully handle the expected flow asymmetry and out-of-order packets from multiple chassis simultaneously
[Diagram: N7K vPC 40 and N7K vPC 41 joined by the vPC peer link; two ASAs with state and failover links between them, each attached through ASA channel 32]
ASA Connecting to Nexus with vPC (basic)
[Diagram: North Zone VLAN 200 (outside) and South Zone VLAN 201 (inside) bridged through the ASA; trunks carry both VLANs; ASA channel 32 attaches to the Nexus vPC across the vPC peer link]
ASA1 configuration:
  interface TenGigabitEthernet0/6
   channel-group 32 mode active vss-id 1
   no nameif
   no security-level
  !
  interface TenGigabitEthernet0/7
   channel-group 32 mode active vss-id 2
   no nameif
   no security-level
  !
  interface BVI1
   ip address 172.16.25.86 255.255.255.0
  !
  interface Port-channel32
   no nameif
   no security-level
  !
  interface Port-channel32.201
   mac-address 3232.1111.3232
   vlan 201
   nameif inside
   bridge-group 1
   security-level 100
  !
  interface Port-channel32.200
   mac-address 3232.1a1a.3232
   vlan 200
   nameif outside
   bridge-group 1
   security-level 0
ASA Connecting to Nexus with vPC (Best Practices Shown)
[Diagram: N7K vPC 40 on the Nexus side of the vPC peer link, ASA channel 32 on the ASA side]
N7K1 configuration:
  interface Ethernet4/1
   switchport mode trunk
   channel-group 40 mode active
   no shutdown
  !
  interface Ethernet4/2
   switchport mode trunk
   channel-group 40 mode active
   no shutdown
  !
  interface port-channel40
   switchport
   switchport mode trunk
   switchport trunk allowed vlan 1,200,201
   vpc 40
  !
  vpc domain 10
   role priority 50
   peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf vpc-mgmt
   peer-gateway
Note:
The example shows only one side of the config: N7K1 and ASA1. The full configuration would be assumed.
The ASA is connected to the Nexus with vPC and establishes an internal DC zone pair between VL200 (N) and VL201 (S).
The ASA is deployed using transparent (L2) mode in this example to minimize network fabric modification(s) – this will be discussed in detail later.
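An added example, not from the deck: the N7K2 side that the note above says is assumed, written so that its vPC parameters are consistent with the N7K1 configuration shown (vPC domain 10, vPC 40, trunk VLANs 1,200,201). The peer-link interfaces (Ethernet3/1-2 bundled into port-channel 1), the keepalive interface and the N7K2 keepalive addressing are assumptions; the slide does not show the peer link on either side, so it is included here because vPC will not come up without it.

```cisco
! Added example (not the deck's configuration): vPC peer N7K2.
! Assumed: Ethernet3/1-2 as the peer link, Ethernet3/48 as the keepalive
! interface, 10.1.1.2 as N7K2's keepalive address. vPC domain, vPC number,
! VLAN list and the ASA-facing ports mirror the N7K1 side on the slide.
feature vpc
feature lacp
!
! Keepalive heartbeat in its own VRF: it must never ride the peer link,
! otherwise a peer-link failure also takes down the liveness check.
vrf context vpc-mgmt
interface Ethernet3/48
  no switchport
  vrf member vpc-mgmt
  ip address 10.1.1.2/24
  no shutdown
!
! Mirror of the N7K1 domain: same domain ID, opposite keepalive addresses,
! higher priority value so N7K1 (priority 50) is elected primary.
vpc domain 10
  role priority 100
  peer-keepalive destination 10.1.1.1 source 10.1.1.2 vrf vpc-mgmt
  peer-gateway
!
! Peer link: a trunk carrying every vPC VLAN, marked as the peer link.
interface Ethernet3/1-2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1,200,201
  channel-group 1 mode active
  no shutdown
interface port-channel1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1,200,201
  vpc peer-link
!
! ASA-facing member port-channel: the vPC number (40) must be identical on
! both peers so the ASA's channel 32 sees one logical LACP partner.
interface Ethernet4/1-2
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1,200,201
  channel-group 40 mode active
  no shutdown
interface port-channel40
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1,200,201
  vpc 40
!
! Checks: peer-link and keepalive status, then the type-1 consistency
! parameters (a mismatch suspends the vPC member ports rather than forwarding).
show vpc
show vpc consistency-parameters global
show vpc consistency-parameters interface port-channel 40
```

The consistency check is the part worth automating in change control: the trunk VLAN list, STP mode and port-channel mode on port-channel40 have to agree on both peers, and `show vpc consistency-parameters` reports each parameter side by side, so a drift on one chassis shows up before the ASA loses half its bundle.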
[Diagram: DC Core / Edge (L3) above an Aggregation Layer where the L2/L3 boundary sits, with FHRP and an SVI for VLAN 200 on each N7K and the two N7Ks joined by the vPC peer link; two ASAs in an FW HA pair, each attached through ASA channel 32 to N7K vPC 40 and N7K vPC 41; North Zone VLAN 200 (outside) and South Zone VLAN 201 (inside) carried on trunks down to the Access Layer]
• ASA connected to the Nexus using multiple physical interfaces on vPC
‒ ASA can be configured to fail over after a certain number of links are lost (when using HA)
• Note that the vPC identifiers are different for each ASA on the Nexus switch (this changes with the ASA clustering feature and cLACP [not yet shown])
Secure Design Building Blocks
Security Building Block: Segmentation
• While not a security technology, segmentation has long been used as a means for grouping similar resources in order to apply specific configuration or policy
• Sometimes there is a technical benefit with segmentation
‒ An example is using VLANs to reduce the L2 broadcast domain and improve network efficiency
• VRF (Virtual Routing and Forwarding) is typically used for virtualizing L3 services
• VDCs (Virtual Device Context) on the Nexus platforms allow multiple, independent virtualized switches inside of a single physical switch
• Zones are a common term to refer to units in the data centre that share a common trait and can reduce operational complexity with both physical and virtualized hosts and services
Security Building Block: Segmentation – 6 Degrees of Separation
Nexus 7000
1. Virtual Device Context
2. Virtual Routing/Forwarding (VRF) – VRF-Lite can be easily used as it does not require MPLS
3. VLANs
4. Security Group Tags (SGT in packet)
5. 802.1AE MACsec encryption
ASA
6. Virtual Firewall Context (virtualized firewall)
[Diagram: Segmentation building blocks – a Nexus 7K carrying VLAN pairs x1/x2, y1/y2, z1/z2 over SGT-tagged, 802.1AE-encrypted links into ASA contexts CTX1, CTX2, CTX3]
Firewall Design: Modes of Operation
• Routed mode is the traditional mode of the firewall: two or more interfaces that separate L3 domains
• Transparent mode is where the firewall acts as a bridge, functioning mostly at L2
• Multi-context mode involves the use of virtual firewalls, which can be in either routed or transparent mode
• Mixed mode is the concept of using virtualization to combine routed-mode and transparent-mode virtual firewalls
• A transparent-mode firewall offers some unique benefits in the DC
Why Deploy Transparent Mode?
• The existing Nexus network fabric does not need to be modified to employ an L2 firewall!
• As simple as changing the host(s) VLAN ID
• The firewall does not need to run routing protocols / become a segment gateway
• Firewalls are more suited to flow-based inspection (not packet forwarding like a router)
• Routing protocols can establish adjacencies through the firewall
• Protocols such as HSRP, VRRP, GLBP can cross the firewall
• Multicast streams can traverse the firewall
• Non-IP traffic can be allowed (IPX, MPLS, BPDUs)
• (CVD) 9 of 10 internal zoning scenarios recommend a transparent FW (L2) deployment versus a routed firewall (L3)
Firewall – Transparent Mode
• The firewall functions like a bridge (“bump in the wire”) at L2; only ARP packets pass without an explicit ACL
• Uses traditional ACLs on the firewall
• Does not forward Cisco Discovery Protocol (CDP)
• The same subnet exists on all interfaces in the bridge-group
• Different VLANs on the inside and outside interfaces
• In addition to extended ACLs, use an EtherType ACL to restrict or allow L2 protocols
Transparent Mode Configuration in the DC (2 interfaces)
[Diagram: North Zone VLAN 200 (outside) and South Zone VLAN 201 (inside) bridged by the L2 firewall; aggregation SVIs for VLAN 200 at 172.16.25.253 and 172.16.25.254 sharing FHRP address 172.16.25.1; ASA BVI at 172.16.25.86/24; a server in VLAN 201 behind a vPC trunk allowing VLANs 1,201]
  interface TenGigabitEthernet0/6
   channel-group 32 mode active vss-id 1
   no nameif
   no security-level
  !
  interface TenGigabitEthernet0/7
   channel-group 32 mode active vss-id 2
   no nameif
   no security-level
  !
  interface BVI1
   ip address 172.16.25.86 255.255.255.0
  !
  interface Port-channel32
   no nameif
   no security-level
  !
  interface Port-channel32.201
   mac-address 3232.1111.3232
   vlan 201
   nameif inside
   bridge-group 1
   security-level 100
  !
  interface Port-channel32.200
   mac-address 3232.1a1a.3232
   vlan 200
   nameif outside
   bridge-group 1
   security-level 0
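An added example, not the deck's configuration: the EtherType and extended ACLs that the bullets above call for, layered onto the same two-interface transparent ASA (bridge-group 1, outside VLAN 200, inside VLAN 201, subnet 172.16.25.0/24). The ACL names, the web-server host addresses and the permitted port are constructed.

```cisco
! Added example (not the deck's configuration). Assumes the transparent-mode
! interface configuration shown on the slide; ACL names, host addresses and
! the permitted port are constructed.
firewall transparent
!
! EtherType ACL: in transparent mode non-IP frames other than ARP are dropped
! unless an EtherType ACL permits them. Permit BPDUs so spanning tree still
! sees the bridged VLAN pair as one segment, and explicitly deny the rest.
access-list L2-ALLOWED ethertype permit bpdu
access-list L2-ALLOWED ethertype deny any
access-group L2-ALLOWED in interface outside
access-group L2-ALLOWED in interface inside
!
! Extended ACL on the north (outside) side: the north zone may reach only
! HTTPS on the two web servers in the south zone; everything else between the
! zones is denied and logged. Return traffic is permitted by the stateful
! connection table, so no mirror ACE is needed on the inside interface.
object-group network SOUTH-WEB-SERVERS
  network-object host 172.16.25.10
  network-object host 172.16.25.11
access-list NORTH-TO-SOUTH extended permit tcp 172.16.25.0 255.255.255.0 object-group SOUTH-WEB-SERVERS eq 443
access-list NORTH-TO-SOUTH extended deny ip any any log
access-group NORTH-TO-SOUTH in interface outside
!
! Checks: mode, bridge-group membership and ACE hit counts after test traffic.
show firewall
show bridge-group 1
show access-list NORTH-TO-SOUTH
```

Two points follow from the slide's bullets. Because both zones share 172.16.25.0/24, the extended ACL filters on hosts within one subnet rather than between subnets, which is what lets a zone be inserted by changing a server's VLAN ID without readdressing. And the EtherType ACL is the only control over non-IP traffic on the bridge, so a deployment that needs to carry IPX, MPLS or other L2 protocols through the firewall adds them to that list rather than widening the extended ACL.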
Firewall – Mixed Mode vFW Contexts
• Mixed mode is the concept of using virtual firewalls, some in routed mode and some in transparent (L2) mode
• This is only supported on the ASA running at least v9.0 or any ASA-SM version
• Up to 8 pairs of physical interfaces are supported per context
• This could conceivably allow both the Edge (L3) firewall and the Internal (L2) firewall to live on the same set of physical appliances
  mode multiple
  context context1
   firewall transparent
   allocate-interface vlan99 outside
   allocate-interface vlan100 inside
   config-url disk0:/ctx1.cfg
   member gold
  context context2
   allocate-interface vlan200 outside
   allocate-interface vlan210 inside
   config-url disk0:/ctx2.cfg
Physical and Virtual Internal Zoning
Example Internal Zoning for DEV – Option 1: Physical Separation
• The model could provide for application load testing
• If a dedicated path through the Core is required, consider using a DEV VRF
• If a dedicated Edge is required, consider using vFW contexts on the edge ASAs or a separate (lower-end) ASA pair
• A DEV VDC is created on the Nexus 7K, attached to the CORE VDC and supporting its own PoD
• ASAs in the Aggregation layer could be oriented in several ways:
1. Single ASA cluster with separate vFW contexts for the DEV zones – would require that ports on the ASA are physically connected to each VDC
2. Separate ASA clusters with or without vFW contexts
• The compute structure creates a mirrored server environment for DEV operating on its own PoD
[Diagram: DC Edge (Internet / Extranet) – DC Core VDC (routed, BGP/OSPF core) – Prod Aggregation Layer VDC (L2/L3 boundary, FW cluster(s), ASA A/S HA, PoD) alongside a Dev Aggregation Layer VDC (PoD, ASA contexts CTX) – Virtual Access Layer (virtual switch, hypervisor) with a DEV VRF and separate DEV and PROD compute zones]
Example Internal Zoning for DEV – Option 2: Virtual Separation
• The virtual separation model uses a shared physical infrastructure (Nexus) for routing and transport
• ASAs are used to separate DEV and PROD traffic
• Virtual resources can share physical server hardware and PoD; security is implemented similarly to a secure multi-tenant environment
[Diagram: DC Edge (Internet / Extranet) – DC Core VDC (routed, BGP/OSPF core) – Aggregation Layer VDC (L2/L3 boundary, FW cluster, ASA A/S HA) – Virtual Access Layer]
Virtualization Security Concerns
Policy Enforcement
‒ Applied at the physical server – not the individual VM
‒ Impossible to enforce policy for VMs in motion
Operations and Management
‒ Lack of VM visibility, accountability, and consistency
‒ Difficult management model and inability to effectively troubleshoot
Roles and Responsibilities
‒ Muddled ownership as the server admin must configure the virtual network
‒ Organizational redundancy creates compliance challenges
Machine Segmentation
‒ Server and application isolation on the same physical server
‒ No separation between compliant and non-compliant systems…
Cisco Virtual Networking and Cloud Network Services
[Diagram: Virtualized/Cloud Data Center – physical infrastructure (WAN router, switches, servers), Nexus 1000V with vPath and VXLAN, and Cloud Network Services (ASA 1000V cloud firewall, Cisco Virtual Security Gateway, vWAAS, Cloud Services Router 1000V, Citrix NetScaler VPX, Imperva SecureSphere WAF) serving Tenant A with Zone A and Zone B]
Multi-hypervisor (VMware, Microsoft*, RedHat*, Citrix*)
• Nexus 1000V (distributed virtual switch): distributed switch, NX-OS consistency – 7000+ customers
• VSG (zone-based FW): VM-level controls, zone-based FW – available now
• ASA 1000V (cloud FW): edge firewall, VPN, protocol inspection – available now
• vWAAS (WAN optimization): WAN optimization, application traffic – available now
• CSR 1000V (cloud router): WAN L3 gateway, routing and VPN – 1H 2013
• Ecosystem services: Citrix NetScaler VPX virtual ADC, Imperva Web App. FW – N1110: 1H CY2013; vPath: 2H CY2013
• vNAM (Network Analysis Module): app visibility (L2–L7), overlay intelligence (OTV, VXLAN, FP**) – PoC: 1H 2013
**FP: FabricPath. *MSFT: 2Q CY2013; open-source: in PoC
Managing Virtual Networking Policy
[Diagram: Nexus 1000V (1110/1010) shared by the Network Team, Server Team and Security Team – management and monitoring, roles and responsibilities, isolation and segmentation]
• Non-disruptive operation model to maintain current workflows using Port Profiles
• Maintain network security policies with isolation and segmentation via VLANs, Private VLANs, port-based access lists, and Cisco Integrated Security Features
• Ensure visibility (VM introspection) into virtual machine traffic flows using traditional network features such as ERSPAN and NetFlow
Cisco’s Virtual Security Portfolio
Cisco VSG – Intra-Tenant Security
• Secures traffic between virtual machines within a tenant
• Layer 2 and 3 firewall to secure east-to-west traffic
• ACLs using network attributes and virtual machine attributes
• First-packet lookup and performance acceleration using vPath
Cisco ASA 1000V – Tenant-Edge Security
• Secures the tenant edge
• Default gateway; Layer 3 firewall to secure north-to-south traffic
• Edge firewall capabilities including network attribute-based ACLs, site-to-site VPN, NAT, DHCP, inspections, and IP audit
• All packets go through the Cisco ASA 1000V
Security for Virtualization
[Diagram: Nexus 1000V with vPath and Virtual Service Nodes on the hypervisor; ASA 1000V for ingress/egress multi-tenant edge deployment; Virtual Security Gateway for zone-based intra-tenant segmentation of VMs; Network Admin (Nexus 1KV), Security Admin (VNMC) and Server Admin (vCenter) roles]
Microsegmentation
Policy per zone, per VM, per vNIC
[Diagram: Zone A, Zone B and Zone C vApps on vSphere, with Nexus 1000V vPath steering traffic to VSG instances and virtual ASAs]
• Control ingress/egress & inter-VM traffic – firewall, ACL, VM attributes
• Enable dynamic provisioning
• Mobility-transparent enforcement
• Administrative segregation – Server • Network • Security
Physical to Virtual
• Zones are used to define policy enforcement
• Unique policies and traffic decisions applied to each zone
• Physical infrastructure mapped per zone
‒ VRF, virtual context
• Merging physical and virtual infrastructure
[Diagram: virtual switch / hypervisor pairs; VM traffic steered to a firewall context; pools of blade resources segmented per zone]
vPath Intelligence: Service Chaining (ASA 1000V and VSG)
Defining the service nodes on the Nexus 1000V:
  vservice node ASA1 type asa
   ip address 172.31.2.11
   adjacency l2 vlan 3770
  vservice node VSG1 type vsg
   ip address 10.10.11.202
   adjacency l3
Chain the service nodes (order is inside to outside):
  vservice path chain-VSG-ASA
   node VSG1 profile sp-web order 10
   node ASA1 profile sp-edge order 20
Enable the service chain per port-profile:
  port-profile type vethernet Tenant-1
   org root/Tenant-1
   vservice path chain-VSG-ASA
Virtual Firewall and Physical Network – ASA 1000V Deployment
[Diagram: Core – Aggregation (ASA 5585 at Layer 3 with gateways 10.1.1.254, 10.1.2.254 and 10.1.3.254) – Layer 2 access to hypervisors running Nexus 1000V with vPath; an ASA 1000V fronting a protected VRF with sub-zones at 10.1.1.252 / 10.1.1.253]
Multi-Tier Application Architecture
• Tier deployment
‒ Multi-tier application architectures
‒ The application vendor often has specific recommendations on how to deploy an application
• Can consist of
‒ Web (presentation) tier
‒ Application tier
‒ Database tier
• Web and application services can be on physically separate servers or collapsed into a single server in some cases
• The normal flow is often client -> web -> application -> database
‒ No direct client-to-database communication
• Servers may be clustered for high availability; this often uses a layer 2 multicast protocol for state exchange
[Diagram: Web client – Edge Firewall (ASA 1000V) – Web-zone (web servers) – Application-zone (app servers) – Database-zone (DB servers); policy callouts: permit only port 80 (HTTP) of web servers; permit only port 22 (SSH) to application servers; only permit web servers access to application servers; only permit application servers access to database servers; block all external access to database servers]
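An added example, not from the deck: the five policy callouts in the diagram above written as ASA extended ACLs on a routed firewall with interfaces outside, web, app and db. The tier subnets, object-group names and the database port are constructed; the port-22 rule toward the application tier follows the slide's wording. The same policy on an ASA 1000V would be built from the same object and ACL concepts.

```cisco
! Added example (not the deck's configuration). Assumes a routed ASA with
! interfaces outside, web, app and db; subnets, names and the DB port (1433)
! are constructed. Each interface gets one inbound ACL, so the only flows
! that exist are the ones named on the slide; return traffic is handled by
! the stateful connection table.
object-group network WEB-TIER
  network-object 10.1.10.0 255.255.255.0
object-group network APP-TIER
  network-object 10.1.20.0 255.255.255.0
object-group network DB-TIER
  network-object 10.1.30.0 255.255.255.0
!
! Clients -> web zone: only port 80 of the web servers. The explicit DB deny
! is redundant with the final deny but gives "block all external access to
! database servers" its own hit counter.
access-list OUTSIDE-IN extended permit tcp any object-group WEB-TIER eq 80
access-list OUTSIDE-IN extended deny ip any object-group DB-TIER log
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Web zone -> application zone: only web servers, only port 22 (as the slide states).
access-list WEB-IN extended permit tcp object-group WEB-TIER object-group APP-TIER eq 22
access-list WEB-IN extended deny ip any any log
access-group WEB-IN in interface web
!
! Application zone -> database zone: only application servers, only the DB port.
access-list APP-IN extended permit tcp object-group APP-TIER object-group DB-TIER eq 1433
access-list APP-IN extended deny ip any any log
access-group APP-IN in interface app
!
! Database zone initiates nothing toward the other tiers.
access-list DB-IN extended deny ip any any log
access-group DB-IN in interface db
!
! Check: after sending test traffic, the deny ACEs should show hits only for
! flows the design forbids (e.g. a client addressing a DB server directly).
show access-list OUTSIDE-IN
show access-list APP-IN
```

The design point the slide makes (no direct client-to-database path) is enforced twice here: a client cannot reach the DB tier because OUTSIDE-IN denies it, and a compromised web server cannot either, because WEB-IN permits nothing beyond port 22 to the application tier. Logging on every deny ACE is what turns the zoning into a detection source as well as a control.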
PCI Compliance Design Option – Physical Separation with VDC
• Edge ASAs may implement a specific context for compliance needs, or a distinct pair of ASAs may be used
• The Nexus 7K carries traffic from the ASA context across a VRF – the PCI VRF – moving packets across the routed Core to the PCI Distribution VDC
• Security Group Access with MACsec can be used on the Nexus 7000 to provide hop-by-hop encryption
• Dedicated ASAs (or vFW context(s)) in the Distribution Layer VDC invoke the North-South security policy, possibly even enforcing it using the SGT (via SXP), limiting compliant access to only the PCI Zone servers by network, service or application
• Within the Virtual Access Layer, dedicated server hardware is recommended for security (compliance)
• Additional port profiles may be created and leverage the Virtual Security Gateway (VSG) for East-West zoning between VMs in the DMZ
• ASA 1000V can also be used to implement a secure IPsec VPN to another secure destination
[Diagram: DC Edge (Internet / Extranet) – DC Core VDC (routed, BGP/OSPF core) – Prod Aggregation Layer VDC (L2/L3 boundary, FW cluster(s), ASA A/S HA, PoD, production servers) alongside a PCI Aggregation Layer VDC (PoD, ASA contexts CTX) – Virtual Access Layer (virtual switch, hypervisor) carrying the PCI VRF end to end with SGT tagging and 802.1AE encryption to the Compliance Zone servers; IPsec from the ASA 1000V]
Thank you.