Cisco ACI Segmentation Migration Lab

Solution Overview
Over the past few years, many customers deploying ACI have opted for the “Network-Centric” approach when implementing their ACI installations. A few reasons for this were the difficulty of obtaining Application Dependency Mappings for the workloads they were migrating, and the shortcoming of Bridge Domain flooding across multiple subnets within a single bridge domain, which is typical in “Application-Centric” mode.

This schedulable lab introduces you to creating an Application-Centric environment, migrating workloads to it, and then running verification tests against the environment. The migration is first done manually and then repeated using automation scripting.

Before You Get Started...

Watch this video demonstration of what you will find in the lab or read this white paper to learn more about segmenting complex environments with Cisco ACI.

Goals & Objectives

In this lab, your objective is to segment four critical applications called “App1,2,3,4” using ACI contracts and filters, which act as a distributed firewall.

You will essentially be establishing a protective barrier around each application, protecting it from BOTH North-South attacks and East-West attacks. The control used at this barrier is an ACI firewall, more specifically ACI’s contracts and filters. ACI uses a whitelist model that prevents any device inside one End Point Group (EPG) from communicating with a device in a second EPG unless a contract and filters allow the communication.

Hardware & Software

This lab is based on physical devices as follows:
  • APIC running 4.0 codebase
  • ESXi environment running 6.5 codebase
  • Virtual machines running Linux with a 3-tier application, used to simulate segmenting 3-tier applications.