Cisco ACI Segmentation Migration

Bookmark

2 people launched

Solution Overview

Over the past few years many customers deploying ACI have opted for using the “Network-Centric” approach for implementing their ACI installations. A few reasons for this were the difficulty in having Application Dependency Mappings for the workloads they were migrating, and the shortcoming of Bridge Domain flooding across multiple subnets with a single bridge domain which is typical in ” Application-Centric” mode.

This schedulable lab will introduce you to creating and migrating workloads to a Application Centrtic environment, then running verification testing against the environment. The migration will be done manually then automation scripting will be used to migrate.

Goals & Objectives

In this lab, your objective is to segment four critical applications called “App1,2,3,4” using ACI contracts and filters which act as a distributed firewall.

You will essentially be establishing a protective barrier around the application and protecting it from BOTH North-South attacks and East-West attacks. The control utilized at this barrier will be a ACI firewall, more specifically ACI’s contracts and filters. ACI uses a white list model that prevents any device inside of a End Point Group to communicate to another device in a second End Point Group(EPG) without a contract and filters to allow communication.

Hardware & Software

This lab is based on physical devices as follows

APIC running 4.0 codebase
ESXi environment running 6.5 codebase
Virtual machines running Linux with a 3 tier application for simulations of segmenting 3 tier applications.

Cisco ACI Segmentation Migration

Goals & Objectives

Hardware & Software

Technologies

Contributor

Michael Witte

WWT