Cisco ACI Segmentation Migration

Solution Overview
Over the past few years, many customers deploying ACI have opted for the “Network-Centric” approach to their ACI installations. Two common reasons are the difficulty of obtaining Application Dependency Mappings for the workloads being migrated, and the shortcoming of Bridge Domain flooding across multiple subnets within a single bridge domain, which is typical of “Application-Centric” mode.

This schedulable lab introduces you to creating and migrating workloads into an Application-Centric environment, then running verification tests against that environment. The migration is first performed manually, then repeated using automation scripting.

Goals & Objectives

In this lab, your objective is to segment four critical applications, called “App1”, “App2”, “App3” and “App4”, using ACI contracts and filters, which act as a distributed firewall.

You will essentially be establishing a protective barrier around each application, protecting it from BOTH North-South attacks and East-West attacks. The control enforced at this barrier is an ACI firewall, more specifically ACI’s contracts and filters. ACI uses a white-list model: no device inside one End Point Group (EPG) can communicate with a device in a second EPG unless a contract with filters explicitly allows that communication.
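The white-list model above, and the automation scripting the lab overview mentions, can be expressed as a small builder for the APIC REST payload. The following is an added example written for this page, not Cisco's or the lab's own code: it constructs a tenant with a three-tier application profile, one filter and contract per permitted flow, and the provide/consume relations that bind them to EPGs, then walks the payload back to list exactly which EPG-to-EPG flows it opens before anything is pushed. The MIT class names (fvTenant, fvAp, fvAEPg, fvBD, fvCtx, vzFilter, vzEntry, vzBrCP, vzSubj, the Rs* relations) and the aaaLogin and /api/mo/uni.json endpoints are real APIC objects; the tenant, application, EPG and port values and the APIC URL are constructed placeholders.

```python
"""Segment one application with ACI contracts and filters via the APIC REST API.
Added example for this lab page; not Cisco's or the lab's own code.
Tenant/app/EPG names, ports and the APIC URL are constructed for illustration."""
import json
import ssl
import urllib.request


def build_filter(name, proto, dport):
    # vzFilter with one vzEntry: match IP traffic of `proto` to a single destination port
    entry = {"name": f"{proto}-{dport}", "etherT": "ip", "prot": proto,
             "dFromPort": str(dport), "dToPort": str(dport)}
    return {"vzFilter": {"attributes": {"name": name},
                         "children": [{"vzEntry": {"attributes": entry}}]}}


def build_contract(name, filter_names):
    # vzBrCP with a single subject that references the filters by name
    rels = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}} for f in filter_names]
    subj = {"vzSubj": {"attributes": {"name": f"{name}-subj"}, "children": rels}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": "context"}, "children": [subj]}}


def build_epg(name, bd_name, provided, consumed):
    # fvAEPg bound to a bridge domain; fvRsProv / fvRsCons attach the contracts
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd_name}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provided]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumed]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def build_segmentation_policy(tenant, app, epg_names, allowed_flows,
                              vrf_name="app-vrf", bd_name="app-bd"):
    """Return a tenant payload for POST /api/mo/uni.json.
    allowed_flows: (consumer_epg, provider_epg, proto, dport) tuples.
    One contract per flow; any EPG pair without a contract stays isolated."""
    filters, contracts = {}, []
    provides = {e: [] for e in epg_names}
    consumes = {e: [] for e in epg_names}
    for src, dst, proto, port in allowed_flows:
        fname = f"{app}-{proto}-{port}"
        filters.setdefault(fname, build_filter(fname, proto, port))  # reuse identical filters
        cname = f"{app}-{src}-to-{dst}"
        contracts.append(build_contract(cname, [fname]))
        provides[dst].append(cname)
        consumes[src].append(cname)
    vrf = {"fvCtx": {"attributes": {"name": vrf_name}}}
    bd = {"fvBD": {"attributes": {"name": bd_name},
                   "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf_name}}}]}}
    ap = {"fvAp": {"attributes": {"name": app},
                   "children": [build_epg(e, bd_name, provides[e], consumes[e])
                                for e in epg_names]}}
    return {"fvTenant": {"attributes": {"name": tenant},
                         "children": list(filters.values()) + contracts + [vrf, bd, ap]}}


def permitted_flows(policy):
    """Walk a tenant payload and return the set of (consumer, provider, proto, dport)
    it permits: a pre-push check that only the intended flows are being opened."""
    kids = policy["fvTenant"]["children"]
    filt = {c["vzFilter"]["attributes"]["name"]:
            [(e["vzEntry"]["attributes"]["prot"], e["vzEntry"]["attributes"]["dFromPort"])
             for e in c["vzFilter"]["children"]] for c in kids if "vzFilter" in c}
    cfilt = {c["vzBrCP"]["attributes"]["name"]:
             [r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
              for s in c["vzBrCP"]["children"] for r in s["vzSubj"]["children"]]
             for c in kids if "vzBrCP" in c}
    prov, cons = {}, {}
    for ap in (c["fvAp"] for c in kids if "fvAp" in c):
        for e in ap["children"]:
            epg = e["fvAEPg"]["attributes"]["name"]
            for rel in e["fvAEPg"]["children"]:
                if "fvRsProv" in rel:
                    prov.setdefault(rel["fvRsProv"]["attributes"]["tnVzBrCPName"], []).append(epg)
                if "fvRsCons" in rel:
                    cons.setdefault(rel["fvRsCons"]["attributes"]["tnVzBrCPName"], []).append(epg)
    return {(s, d, proto, port) for cname, fnames in cfilt.items()
            for s in cons.get(cname, []) for d in prov.get(cname, [])
            for f in fnames for proto, port in filt[f]}


def push_policy(apic_url, user, pwd, policy):
    """Authenticate to the APIC (aaaLogin) and POST the tenant under uni. Not run here."""
    def post(path, body, headers=None):
        req = urllib.request.Request(apic_url + path, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json",
                                              **(headers or {})})
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return json.load(resp)
    login = post("/api/aaaLogin.json", {"aaaUser": {"attributes": {"name": user, "pwd": pwd}}})
    token = login["imdata"][0]["aaaLogin"]["attributes"]["token"]
    return post("/api/mo/uni.json", policy, {"Cookie": f"APIC-cookie={token}"})


if __name__ == "__main__":
    # Constructed values: a 3-tier App1 where only web->app:8080 and app->db:3306 are allowed
    policy = build_segmentation_policy(
        "LabTenant", "App1", ["web", "app", "db"],
        [("web", "app", "tcp", 8080), ("app", "db", "tcp", 3306)])
    print(sorted(permitted_flows(policy)))
    # push_policy("https://apic.example.invalid", "admin", "<password>", policy)
```

Running the script prints the two permitted flows and nothing else; in particular there is no web-to-db entry, which is the East-West path the contracts are meant to block. Comparing `permitted_flows()` against the intended flow list before calling `push_policy()` is a cheap guard against a scripted migration opening more than the application dependency mapping calls for.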

Hardware & Software

This lab is based on physical devices as follows:
  • APIC running the 4.0 codebase
  • ESXi environment running the 6.5 codebase
  • Virtual machines running Linux with a 3-tier application, used to simulate segmenting 3-tier applications.