Application Centric Infrastructure
Alexander Stoklasa
Consulting Systems Engineer
27 March 2014
How to address security and compliance in the next generation data center using software defined networking concepts
Cisco Confidential 2© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Today’s Challenges
• Security inside of the DC
• How to steer traffic to security devices
• Auditability & Compliancy
• Keep Critical Services Running
• Cost Efficient
• Provide Visibility: Users, Devices, Activities
• Secure virtual & physical
“Through 2018, more than 95% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.”
Greg Young, Gartner Inc
Today’s Challenges cont’d
Different views and languages to describe the same thing
[Figure: the same application as seen by four roles. Application Admin (APPLICATION): Web Tier, App Tier, DB Tier. Security Admin (SECURITY): Trusted Zone, DB Tier, DMZ, External Zone. Network Admin. Cloud Admin: Cloud.]
Application Centric Infrastructure Goal: Common Policy and Operations Framework
[Figure: Application Admin (APPLICATION), Security Admin (SECURITY: Trusted Zone, DB Tier, DMZ, External Zone), Network Admin and Cloud Admin (Cloud) all working from a COMMON POOL OF RESOURCES through the APIC.]
Forget everything you know about networking for the remainder of this session. Believe!
Policy and the Network
[Figure: Developers describe Application Tiers and Provider / Consumer Relationships in the POLICY MODEL; the network side speaks in VLANs, Subnets, Protocols and Ports. Forget everything you know about networking for the remainder of this session.]
Definition of an Endpoint in ACI
• Device connected to network directly or indirectly
• Can be physical or virtual port (VM port group)
• VLAN ID
• VXLAN (VNID)
• IP address / IP prefix
• DNS name *
• Layer 4 ports *
*) Future
[Figure: example endpoints: Server, Virtual Machine (VM), Storage, Daemon/Service (HTTP)]
End-Point Group (EPG)
[Figure: EPG - Web containing two HTTPS Services and two HTTP Services (POLICY MODEL)]
EPGs are groupings of endpoints that represent an application or an application component, independent of other network constructs such as VLANs.
Contracts
Contracts define the way in which EPGs interact.
[Figure: a CONTRACT bundles SLA, Forwarding, QoS, Security/Filter, Service Graph and Load Balancing. EPG - Web is joined to EPG - App by Contract HTTP, and EPG - App to EPG - DB by Contract SQL & NFS; a contract can express Unidirectional or Bidirectional Communication (POLICY MODEL).]
Application Network Profile
An Application Network Profile is a group of EPGs together with the policies/contracts that define the communication between them.
[Figure: EPG - Web, EPG - App and EPG - DB, each with Inbound/Outbound Policies, together make up the profile (POLICY MODEL).]
Application Network Profiles (ANP): Visualization of Application-Health
[Figure: Application 1 with three CONTRACTs (each carrying SLA, Forwarding, QoS, Security/Filter, Load Balancing, Service Graph) in the POLICY MODEL; Telemetry shows Latency, a Health Score of 82%, Systems Telemetry, 25 Packets dropped, and Isolation.]
ACI service redirection policy
• Automated and scalable L4-L7 service insertion
• A packet that matches a redirection rule is sent into a service graph.
• A service graph can be one or more service nodes pre-defined in series.
[Figure (POLICY MODEL): traffic from Outside to WEB hits a Policy-based Redirection rule defined by the Application Admin, which sends it through the chain “FW_ADC 1” defined by the Service Admin: Begin, FW_ADC 1, SLB, End, i.e. Stage 1 … Stage n in series.]
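Added example, not from the deck and not Cisco's APIC code: a small Python model of the policy elements from the EPG, Contract, Application Network Profile and service redirection slides. EPGs are labels on endpoints, a contract is a provider/consumer whitelist keyed on protocol and destination port, and a contract may carry a service graph whose stages redirected traffic traverses in series. EPG names, ports, stage names and the "intra-EPG traffic permitted by default" rule are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    name: str
    epg: str
    vlan: int  # kept only to show that policy never consults it

@dataclass(frozen=True)
class Contract:
    name: str
    provider: str                 # EPG offering the service
    consumer: str                 # EPG initiating the connection
    filters: frozenset            # allowed (protocol, destination port) pairs
    service_graph: tuple = ()     # L4-L7 stages traversed in series
    bidirectional: bool = False   # True also allows provider-initiated flows

class ApplicationNetworkProfile:
    """Group of EPGs plus the contracts that govern traffic between them."""
    def __init__(self, contracts):
        self.contracts = list(contracts)

    def resolve(self, src, dst, proto, dport):
        """Whitelist lookup: returns (allowed, contract name, service-graph stages)."""
        if src.epg == dst.epg:  # assumption: intra-EPG traffic permitted by default
            return True, None, ()
        for c in self.contracts:
            if (proto, dport) not in c.filters:
                continue
            if (src.epg, dst.epg) == (c.consumer, c.provider):
                return True, c.name, c.service_graph
            if c.bidirectional and (src.epg, dst.epg) == (c.provider, c.consumer):
                return True, c.name, c.service_graph
        return False, None, ()  # no contract covers the flow: implicit deny

# Constructed sample profile modelled on the deck's Outside / Web / App / DB tiers
ANP = ApplicationNetworkProfile([
    Contract("Outside_to_Web", provider="Web", consumer="Outside",
             filters=frozenset({("tcp", 80), ("tcp", 443)}),
             service_graph=("FW", "ADC")),  # the "FW_ADC 1" chain on the slide
    Contract("HTTP", provider="App", consumer="Web",
             filters=frozenset({("tcp", 80)})),
    Contract("SQL_NFS", provider="DB", consumer="App",
             filters=frozenset({("tcp", 3306), ("tcp", 2049)})),  # sample ports
])
WEB1 = Endpoint("web1", "Web", vlan=10)
WEB2 = Endpoint("web2", "Web", vlan=20)  # same EPG despite a different VLAN
APP1 = Endpoint("app1", "App", vlan=30)
DB1 = Endpoint("db1", "DB", vlan=40)
EXT = Endpoint("client", "Outside", vlan=0)
```

Because the lookup keys on EPG membership, web1 and web2 can talk although they sit in different VLANs, web1 to db1 is dropped for lack of a contract, and only Outside-to-Web flows are steered through the FW and ADC stages.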
ENABLING A DYNAMIC ENTERPRISE WITHOUT COMPROMISE
• Centralized Compliance and Auditing
• Import / Export Policy via API (Support for External Policy Engines)
• Automated Services Chaining
• Complete Isolation with Full Scalability and Security
• Policy Separated from Network Forwarding
• Encrypted Controller Communication
• Advanced Role Based Access Control
[Figure: tenants Engineering, Legal, Sales, HR, Finance and Marketing served by the APIC Policy Engine.]
APIC
• TENANT AND APPLICATION AWARE
• READ / WRITE ALL FABRIC INFO
• PUBLISHED DATA MODEL, OPEN SOURCE
• Comprehensive access to underlying information model
• Industry Standard Compliant and Certified (FlexPod)
Key Takeaways
• Policy-driven infrastructure and service management through contracts
• True network abstraction without compromising visibility & security
• Application Level Visibility
• Consistent model for physical, virtual and cloud
• Open and strong ecosystem
Thank you.