Speaker information
Contact information:
David Anderson
Solutions Architect
Borderless Security team US
E-mail: dma1@cisco.com
Focus areas:
Takeaways
To effectively integrate security, you must understand the core data center fabric technologies and features: VDC, vPC, VRF, server virtualization, traffic flows
Security as part of the core design
Designs to enforce microsegmentation in the data center
Enforce separation of duties in virtualized and cloud environments
Security to enforce continuous compliance
Data Center Primer: Terms and Technology
[Figure: data center layers, from Virtual Machines and vSwitch through Storage & SAN, Compute, Access, Aggregation and Services, Core, Edge, and the IP-NGN Backbone / Internet, with the fabric features at each layer: Virtual Device Contexts, Fabric-Hosted Storage Virtualization, Service Profiles, Port Profiles & VN-Link, Virtual Machine Optimization, Application Control (SLB+), Service Control, Fibre Channel Forwarding, Fabric Extension, Partners]
[Figure: the same layered view overlaid with the security services at each layer: Firewall Services, Intrusion Detection, Secure Domain Routing, Storage Media Encryption, Virtual Firewall at the Edge and VM, Line-Rate NetFlow, Virtual Contexts for FW & SLB]
Virtualization specifics
[Figure: Web, App and Database servers running on a hypervisor, segmented with VLANs and Virtual Contexts; hypervisor-based network services are applied through Virtual Service Nodes (VSN), while physical firewalling is provided by the ASA Services Module]
[Figure: VSS and vPC topologies compared: VSL and vPC peer links between the switch pair, with Multichassis EtherChannel (MCEC) and EtherChannel (EC) uplinks in Active/Standby roles]
Cisco Confidential
Virtualization Concerns
Policy Enforcement
Applied at the physical server, not the individual VM
Impossible to enforce policy for VMs in motion
Operations and Management
Lack of VM visibility, accountability, and consistency
Difficult management model and inability to troubleshoot effectively
[Figure: Web, App and DB servers on a hypervisor segmented with VLANs and Virtual Contexts, with the Nexus 1000V and ASA 1000V inserted as Virtual Service Nodes (VSN)]
ASA 1000V: extending network services to virtualized environments
Nexus 1000V: extending networking to virtualized environments
[Figure: Nexus 1000V Distributed Virtual Switch hosting many VMs; vPath steers the initial packet of each flow to the ASA 1000V or Virtual Security Gateway (VSG) and caches the decision for the remainder of the flow; policy is managed from the Virtual Network Management Center (VNMC)]
VSG and VNMC attributes: context-aware security, zone-based controls, dynamic and agile, best-in-class architecture, non-disruptive operations, policy-based administration, designed for automation, vPath, high availability
[Figure: ASA 1000V deployment with Tenant A and Tenant B each in its own VDC and vApp, a VSG and a Virtual ASA per tenant, vPath on the Nexus 1000V in vSphere, managed through the vCenter API]
Design Fundamentals
[Figure: three-tier flow from a Web client into the Web-zone (Web Servers), then the Application-zone (App Servers), then the Database-zone (DB servers)]
Important
Careful attention should be given to where the servers' default gateway resides
Changing where the gateway resides can be disruptive. Non-greenfield designs require flexibility for deploying new services, e.g. moving the gateway from a switch to a service appliance
Introducing a service (firewall, web security, load balancing) can have an impact on data center traffic flows
Design with the maximum amount of high availability: know your failover and failback times and the traffic paths during failover scenarios
Multicast support considerations for L2 vs L3 services
[Figure: Aggregation layer with ASA w/ IPS; Top of Rack access; Zones A and C as vApps in vSphere; VM traffic is steered to a firewall context, and pools of blade resources are segmented per zone behind the virtual switch]
[Figure: physical ASA design: Aggregation with VLAN 10 (192.168.10.1) and VLAN 20 (192.168.20.1) in a VRF, an ASA virtual context operating at Layer 2, and Access Zones A, B and C as vApps in vSphere]
Microsegmentation: per zone, per VM, per vNIC
[Figure: Aggregation with VLAN 10 and VLAN 20 and IPsec; Zones A and B behind Virtual ASAs, Zone C behind a VSG, all steered by vPath on the Nexus 1000V in vSphere; Tenant B in its own VDC with vApps and VSGs]
[Figure: ESX host view: vEth ports for Mgmt, Production and Storage on the Nexus 1000V, vPath, ASA 1000V, and VMNIC 1-4 uplinks to the Management Network and Production Network; management-side components are vCenter, VNMC and Storage, with an ERSPAN destination feeding Intrusion Detection and a NetFlow Analyzer (NetFlow, SPAN)]
Guidance
All virtual components in scope
[Figure: vPath, VSG, vEth ports for Mgmt, Storage and Production on the Nexus 1000V, ASA 1000V, and VMNIC 2, 3 and 4 uplinks]
Design Details
Traditional Model
Services are aggregated at the Distribution Layer
Single- or multi-tenant zone-based segmentation
Virtual contexts create security zones from the DC edge to the Virtual Machine:
VRF -> Firewall -> VLAN -> Virtual Switch -> Virtual Firewall -> vNIC -> VM
EtherChannel and vPC provide a loop-free Layer 2 environment
Visibility and control for VM-to-VM flows
[Figure: L3 routed core above, with the L2 boundary at the aggregation/services layer]
ASA Details
[Figure: ASA 5585 HA pair (5585-1 "Twain", 5585-2 "Voltaire") in Layer 2 bridge-group mode: BVI-1 10.1.200.199 bridges v200 Inside [Po1.200] to v201 Outside [Po1.201]; BVI-2 10.1.204.199 bridges v204 Service-In [Po1.204] to v205 Service-Out [Po1.205]; the ASAs attach with channel-group 1 mode passive to vPC9 and vPC10 on the Nexus 7000 pair (7k-1 and 7k-2 AGGVDC), with the L3 routed core above the L2 boundary]
[Figure: Catalyst 6500 pair (6506-1 "WestJet", 6506-2 "Airbus") each hosting an ASA-SM, attached with Channel-Group 1 mode on and Channel-Group 2 mode on towards the Nexus 7000 AGG-VDCs (Channel-Group 2 mode active, vPC2); v220 Inside]
ASA SM Details
[Figure: 7k-1 and 7k-2 AGG-VDCs connected via vPC1 to 6506-1 (ASA-SM "WestJet") and via vPC2 to 6506-2 (ASA-SM "Airbus")]
Nexus 7000 7k-1 (AGG-VDC):
  interface Vlan221
    mac-address b414.89e1.2222
    ip address 10.1.221.252/24
    hsrp 21
      preempt
      priority 105
      ip 10.1.221.254
  interface port-channel1
    switchport
    switchport mode trunk
    vpc 1
Nexus 7000 7k-2 (AGG-VDC):
  interface Vlan221
    mac-address b414.89e1.3333
    ip address 10.1.221.253/24
    hsrp 21
      preempt
      priority 100
      ip 10.1.221.254
  interface port-channel2
    switchport
    switchport mode trunk
    vpc 2
ASA SM (bridge group 2: VLAN 220 inside, VLAN 221 outside):
  interface BVI2
    ! mask assumed to match the /24 on the Vlan221 SVIs above
    ip address 10.1.221.199 255.255.255.0
  !
  interface Vlan220
    nameif inside
    bridge-group 2
    security-level 100
  !
  interface Vlan221
    nameif outside
    bridge-group 2
    security-level 0
[Figure: Aggregation VDC: Layer 3 above with the gateway at 10.1.200.254, v201 Outside on the ASA, v200 Inside at Layer 2]
Simple design. Firewall is part of the Layer 2 failure domain.
[Figure: VRF North and VRF South on each aggregation switch, with ASA HA Pair 1 and ASA HA Pair 2 between them]
be layered in as needed
ASAs can be virtualized for 1:1 mapping to VRFs
[Figure: Aggregation VDC with v200 and VRF GW 10.1.200.254]
[Figure: Nexus 5000 pair (5k-1 "Inara", 5k-2 "Jayne") with PortChannel111 to the aggregation switch; ESX Host 1 (192.168.100.199) and ESX Host 2 (192.168.100.198) dual-homed via VMNIC #2 and VMNIC #3 to ports 1/11, 1/12, 1/17 and 1/18; management VMs VNMC 192.168.100.20, VSG-1 192.168.100.30, VSG-2 192.168.100.31 (Domain 90), VSM-1 192.168.100.50 and VSM-2 192.168.100.51 (Domain 1); workload VMs on vEth ports: HR Server #1 10.1.200.50, HR Server #2 10.1.200.51, Finance Server #1 10.1.200.100, Finance Server #2 10.1.200.101; policy: Deny HR to Finance]
Policy Hierarchy
[Figure: policy enforcement points from the Nexus 1000V and VSG up through the ASA and the Nexus 7000 Agg VDC (gateway 10.1.200.254) to the Catalyst 6500, with ISE authenticating endpoints via EAPOL (dot1x) and RADIUS Access Requests; example hosts HR Server #1 10.1.200.50 and Finance Server #1 10.1.200.100 in the HR and Finance groups, and 10.1.204.126]
Driving Simplicity: Data Center Design Resources from Cisco
[Figure: Cisco Secure Data Center reference design: Internet Edge (ASA 5585-X) over vPC to the Data Center Distribution on Nexus 7018 pairs, a Catalyst 6500 VSS services chassis with Firewall, NAM, ACE, ESA, IPS and WSA, and the SAN]
TrustSec
Consistent enforcement of security policies with Security Group ACLs, and control of access to resources based on user identity and group membership. Link-level data integrity and confidentiality with standard encryption.
[Figure: Cisco Secure Data Center zones: Nexus 7000 Series and Nexus 5000 Series interconnected with vPC, Nexus 2100 Series fabric extenders, Unified Computing System, Nexus 1000V with multi-zone Virtual Service Nodes, and a Catalyst 6500 VSS services block with ASA, ACE, NAM and IPS]
Stateful Packet Filtering: additional application firewall services for the Server Farm zone
Server Load Balancing: masks servers and applications and provides scaling
Web and Email Security: security and filtering for Web and Email applications
Q&A
#CiscoPlusCA