Deep Dive on Cisco Security in ACI
Goran Saradzic – Security TME Manager


BRKSEC-3004
Introduce Myself
• From the Balkans - Sarajevo
• High School exchange – Houston, TX
• Enjoy skiing, so studied and settled in Colorado
• Joined Cisco in 2000
• Couple of years in IT Services - IBM
• Decade in Cisco Engineering
• 7 years in Technical Marketing
then… …and now: Netview, AIX, PIX, ASA, ACI, Hypervisor, Cloud, FTD
Perl, Bash, Expect, Tcl, Python, PowerCLI, APIs

BRKSEC-3004 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• The Case for SDN
• Cisco Next Gen DC Security
• Orchestration and Segmentation Rock Stars
• Deep Dive – Cisco Advanced Security in ACI
  • ACI Service Graph – Redirect vs. Stitching
  • Advanced Security in ACI (ASAv, NGIPSv, NGFWv)
  • >>>>>>>>>> Demo <<<<<<<<<<
  • Deployment: ASA and FTD Device Packages
  • Dynamic Policy, Containment, VDI, and Multi-DC
  • Security attached to EPG or in Unmanaged Graph
• Tetration in ACI
  • Data sources and policy recommendation
• Conclusion
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKSEC-3004
Introduction
The Case for SDN
Business Drivers for Programmable Architectures

Applications:
• Rapidly developed
• Elastic and scalable
• Highest of SLAs
• Frequently updated

Infrastructure – trying to keep up in…
• Resiliency & Capacity
• Rate of Change & Uptime
• [Hz, V(x)LAN, Route, TB]

Protections:
• Deploy quickly with Apps
• Enable dynamic access
• NGIPS, Malware Protection
• Defend from APT

Software-Defined Networking Comes to the Rescue
Converging Skillsets into Full-Stack Engineers
The new software-defined world needs teams with multiple skill sets: provision,
maintain, and monitor your network, compute, and security resources.

How do we get there:


• Adopt new strategies to enable digital transformation of your business
• Educate IT admins from each silo in automation and cross-functional skills
• Build new teams from a cross-section of IT org and design new workflows
• Begin efforts to re-write apps and re-design security services for the cloud

Cisco Next Gen DC Security
Cisco Data Centre Security
• Visibility – “See Everything”: complete visibility of users, devices, networks, applications, workloads and processes
• Segmentation – “Reduce the Attack Surface”: prevent attackers from moving laterally east-west with application whitelisting and micro-segmentation
• Threat protection – “Stop the Breach”: quickly detect, block, and respond to attacks before hackers can steal data or disrupt operations
Cisco Data Centre Portfolio Overview
• Fabric: ACI Fabric Spine/Leaf, Nexus Switching
• Compute: UCS, Fabric Interconnects
• Analytics: Tetration
Cisco Security Portfolio Overview
• Firewall/IPS/AMP: Firepower NGFW/NGIPS/AMP, FMC, Cisco ASA; ASAv, FMCv, NGFWv on Hypervisor
• Analytics: StealthWatch Enterprise, StealthWatch Cloud
• Cloud: ASAv, FMCv, NGFWv on AWS and Azure; Umbrella & CloudLock
Application Centric Infrastructure
Robust Transport – Nexus9000 Switch Fabric:
• Controls CLOS of N9ks
• VLAN pooling
• Any subnet anywhere
Centralised Management – APIC:
• Orchestrate networking and L4-L7 Services
• Add any hypervisor or physical workloads

Embrace open systems, APIs, and abstracted models to benefit any type of workload
• Endpoint Group (EPG): a collection of virtual or physical endpoints in a base or micro-segmented grouping
• Contract: a set of rules governing communication between endpoint groups
• Service Graph (Chain): a chain of L4-L7 services inspecting traffic between endpoint groups
• Programmability: Northbound API to script full network creation, with L4-L7 services
ACI Fabric Building Blocks
• End Point Groups – virtual or physical workloads
• Service Graphs – virtual or physical L4-L7 devices
• L3 or L2 Outs
• Leaf Nexus9000 Switches – Distributed Anycast GW (40G / 10G / 1G host-facing ports)
• Spine Nexus9000 Switches – MP-BGP Control Plane (40G fabric links)
Service Automation Through Device Package
• Service automation requires a vendor device package. It is a zip file containing:
  − Device specification (XML file)
  − Device scripts (Python)
• Cisco® APIC interfaces with the device using the device Python scripts
• Cisco APIC uses the device configuration model provided in the package to pass appropriate configurations to the device scripts
• Device script handlers interface with the device using its REST or CLI interface over a secure connection (SSL, SSH, etc.)

Device specification fragment shown on the slide:
<dev type="f5">
  <service type="slb">
    <param name="vip">
<dev ident="210.1.1.1"
  validator="ip"
  hidden="no"
  locked="yes">

Diagram: Cisco APIC – Policy Element → Device Model → Script Interface / Script Engine → Device-Specific Python Scripts → Device Interface (REST/CLI) → Device Manager / Service Device
Core Security Functions
Firewall vs. Inline IPS Network Integration
• Firewall functions: TCP Inspect, NAT, ALG; Protocol inspection; AVC, File Protection
• IPS function: Intrusion protection
• Routed Mode (VLAN 10 – Firewall – VLAN 20): the FW is the gateway and routes to the router; the router (e.g. OSPF) peers with the FW. Routed L3 device.
• Transparent Mode: traffic is routed through the FW to the gateway; the router is the first hop to the host. Bridging device.
• Inline IPS Mode (VLAN 30 – IPS – VLAN 30): VLAN tag unchanged; traffic is routed through the IPS to the gateway; the router is the first hop to the host. Bump-in-the-wire IPS.
• Transparent FW and inline IPS are a similar mode of insertion, but they are not the same device.
NGFW combines Traditional FW and NGIPS Functions
Evolution of the Firepower NGFW
Two Appliances, Two Management Consoles → One Appliance – One Image, One Management Console
1. ASA FW – Firewall
2. FirePOWER NGIPS – URL, Visibility, Threats
Firewall + Inline IPS: 1 + 2 ≅ 3 – Firepower Threat Defence (FTD), the Firepower NGFW
• Summer of 2013: Cisco acquires Sourcefire
• Spring of 2016: Firepower NGFW (FTD) released
Cisco Firepower Security Software Capabilities
• Firewall App (ASA) – ASA App; Firewall Modes: Transparent & Routed
  − ASA5585-X (EoS announced), FPR2100, FPR4100, FPR9300, ASAv
• NGIPS Function – Classic Sourcefire
  − FP7000/8000, NGIPSv
• ASA + FirePOWER Services (ASA+Sourcefire)
• NGFW (FTD) App – FTD App, including IPS Mode
  − FPR2100, FPR4100, FPR9300, NGFWv
NGFW/NGIPS Bypass Capable Appliances
NGFW (IPS-only ports): Firepower 9300, Firepower 4100, Firepower 2100 (FTW in the works)
NGIPS: FirePOWER 8000, FirePOWER 7000
Note: the bypass function cannot be used with FTD HA or Cluster.

Bypass to L1 Capabilities – Port Options
Removable Network Modules (Fail-to-Wire), FXOS 2.0.1+, FTD 6.1+:
• 1G – FPR9K-NM-6X1SX-F (FPR4K option)
• 10G – FPR9K-NM-6X10SR-F (FPR4K & LR option)
• 40G – FPR9K-NM-2X40G-F (FPR4K option)
Bypass-capable built-in ports (Fail-Open), Firepower 5.4+:
• 1G – FP7010 – FP7125
• 1G/10G/40G – FP8120 – FP8390
Orchestration and Segmentation

Security Appliance REST-APIs, Contexts, Zones, and Instances
FMC and ASA REST-API Explorers

API info and consoles: https://<FMC IP>/api/api-explorer and https://<ASA IP Address>/doc
Cisco ASA 9.8 Software
 Strict TCP State Inspection
 Tenant-edge N/S and E/W Firewall
 Who and how can communicate
 Deploy Routed or Transparent Mode
 Dynamic Policy Groups to control access
 TrustSec, ACI EPGs, VM Attributes
 Routing, Bridging, and VPN Functions
 Multiple Contexts separate Routing, Policy, Mgmt, and Interfaces
Diagram: Campus Network – vPC – ASA with Context-1 (North/South) and Context-2 (East/West) – Web – App
Cisco ASA Contexts and Policies on CLI
P1-ASA5525-1/master/asa1(config)# show run context pod15
context pod15
 allocate-interface Management0/0
 allocate-interface Port-channel10.3015
 allocate-interface Port-channel10.3065
 config-url disk0:/pod15.cfg
!
P1-ASA5525-1/master/asa1(config)# changeto context pod15
P1-ASA5525-1/master/asa1/pod15(config)# sh ip
System IP Addresses:
Interface            Name        IP address     Subnet mask
Management0/0        management  10.10.10.169   255.255.0.0
Port-channel10.3015  outside     20.40.0.10     255.255.255.0
Port-channel10.3065  web         10.50.0.10     255.255.255.0

P1-ASA5525-1/master/asa1/pod15(config-network-object)# show run object
object network __$EPG$_pod40-aprof-payroll
 subnet 10.50.0.0 255.255.255.0
P1-ASA5525-1/master/asa1/pod15(config)# show run access-list
access-list hr_to_payroll extended permit tcp security-group name HR object __$EPG$_pod40-aprof-payroll eq www
P1-ASA5525-1/master/asa1/pod15(config)# show run access-group
access-group hr_to_payroll in interface outside

• In the System Context, the admin defines user contexts with separate interfaces, policies, routing table, and management access.
• Group IP addresses/subnets manually via CLI or dynamically via APIC, ISE/TrustSec, or vCenter.
• The Access Control List (ACL) governs traffic that can pass through the ASA.
• The ACL is applied to the interface by name (outside).
Cisco Firepower NGFW 6.2.1 Software
 Includes ASA Features & Modes, then adds:
 Inline IPS Mode of Insertion
 Firepower Threat-Centric Features
 AVC, NGIPS, URL Filtering, AMP, Host Discovery, Identity, and ThreatGrid
 Security zones for policy separation
 Firepower Management Centre
Diagram: Campus Network – vPC – NGFW managed by FMC – Web – App; “Outside & Web” zones and “Web to App” zones in FTD rules
Cisco NGFW Zone-Based Policies in FMC
• Create Categories and Group Rules
• Security Zones separate policies: assign a Zone to each interface
• Application Visibility and Control: N/S rules allow the http app only on port 80 and block it on any other port
• Intrusion and Malware Policy
Future Vision: Multiple Logical Devices
• Multiple ASA/FTD application containers on a single blade
• Each application instance represents a tenant
• CPU/memory resources are dedicated to an instance at provisioning
• Physical and logical VLAN separation at Supervisor
• Full tenant management and domain separation in FMC

Example layout on a Firepower 4100 or Firepower 9300 module:
FTD Instance A (4 CPU) – Ethernet1/1-3
FTD Instance B (2 CPU) – Ethernet1/4-5
FTD Context C (12 CPU) – Port-Channel1.100-101
FTD Context D (4 CPU) – Port-Channel2
ASA Context A (12 CPU) – Port-Channel1.101-102
ACI Service Graph:
Redirection vs. Stitching
Service Graph – Policy Based Redirect (One-arm)
• The PBR service graph uses the subject filter to ‘redirect’ traffic to the device. The fabric SVI (SVI2 in BD2) injects packets into the device one-arm interface. The firewall uses a default route to return packets to the fabric.
• We can inspect traffic between two EPGs (app and web) residing in the same BD1 (same subnet) or in different BDs (different subnets).
Diagram: web EPG and app EPG in BD1 (SVI1). Subject A, filters (ssh, ndmp): direct via fabric. Subject B, filters (http, ftp): inspected – redirected via SVI2 in BD2 to the routed firewall (Go-To L4-L7 device) through the consumer/provider-side shadow EPG.
Service Graph Stitching – Physical L4-L7 Device
• The ACI Fabric ‘stitches’ EPG and Service Graph VLANs to ‘steer’ traffic to the device.
• A physical device always receives VLAN-tagged packets.
• Rules of networking still apply between EPGs and the Firewall.
Diagram: web EPG portgroup (VLAN 100, BD1) – consumer Service Graph VLAN 304 (‘Shadow EPG’) – L4-L7 Device Eth1/1.304 / Eth1/2.305 – provider Service Graph VLAN 305 (‘Shadow EPG’) – app EPG portgroup (VLAN 200, BD2)
Service Graph Stitching – GoTo or GoThrough
• GoTo: when a routed firewall is L2-attached to EPGs, EP routes must point to a firewall interface. A different subnet is defined in each EPG / BD.
• GoThrough: a transparent/IPS device needs the fabric to flood broadcasts through the device. The same subnet spans two EPGs / BDs.
Diagram: web EPG portgroup (BD1) – L4-L7 Device – app EPG portgroup (BD2)
Service Graph Stitching – GoTo L3out (Routed)
• GoTo L3 attached: routed firewall L3-attached to EPGs, learning routes via OSPF/BGP. The EPs’ default route points to the Anycast gateway.
• GoTo L2 attached: firewall directly connected to the EPG; the app hosts’ default route points to the firewall.
Diagram: web-prod EPG (10.1.0.x/24) and web-test EPG (10.2.0.x/24) in BD1 reach the L4-L7 Device through an L3out SVI; app EPG portgroup (10.3.0.x/24, BD2) is L2-attached to the firewall.
Service Graph - Virtual Device
Cisco Virtualized Advanced Security Toolkit
• Firepower NGFWv 6.2 – Amazon Web Services, Microsoft Azure, KVM, VMware; FTD device package
• Firepower NGIPSv 6.2 – VMware; Unmanaged Mode
• FMCv 6.2 (Unified Manager) – Amazon Web Services, VMware, KVM; FMC hybrid mode with ACI
• ASAv 9.9 – Amazon Web Services, Microsoft Azure, Microsoft Hyper-V, KVM, VMware; ASA device package
Resource Consumption by Platform (vCPUs, RAM):
NGFWv (4, 8G), NGIPSv (4, 4G), FMCv (4, 8G), ASAv5 (1, 1G), ASAv10 (1, 2G), ASAv30 (4, 8G), ASAv50 (8, 16G)
Service Graph Stitching – Virtual L4-L7 Device
• Even when EPs and the device are on the same host, traffic is sent to the hardware leaf to apply contract policy.
• A virtual L4-L7 Service Graph can use ‘access VLAN’ or trunk mode vNICs, where APIC creates VLAN sub-interfaces.
• APIC orchestrates creation of the device port-groups in vCenter and their attachment to the device.
Diagram: web EPG port-group (Vlan 100) – consumer Service Graph port-group / Shadow EPG (Vlan 304) – vNIC2 – L4-L7 Device – vNIC3 – provider Service Graph port-group / Shadow EPG (Vlan 305) – app EPG port-group (Vlan 200); APIC ↔ vCenter
Advanced Security in ACI
Evolution in ACI Customer Adoption
1. ACI L2 Fabric – EPG-Attached Firewall
  • ACI used as classic DC
  • EPG = VLAN/Subnet
  • Manual Firewall Config
2. ACI No Package – Unmanaged Service Graphs (Fabric Insertion)
  • Turn on Benefits of ACI
  • Anycast GW & Routing
  • Manual Firewall Config
3. ACI by Design – Managed Service Graphs (Policy Orchestration, APIC in Control)
  • Orchestrate FW Config
  • SecOps control Policy
Each stage shows the same Web / App / DB EPGs with the firewall inserted differently.
Programmatic Approach with Security
• Stand up defences at the same time as applications go live using the device package.
   Cisco Security Device Packages
• Automate security policy updates with tighter integration between security appliances and APIC.
   Dynamic EPG updates to Rules/ACLs
• Prevent further infections with Rapid Threat Containment (dynamic workload quarantine).
   Cisco Firepower Remediation Package for APIC
• Cisco ACI and Security teams validate new solutions for our customers.
   Firepower User-based policies for VDI in ACI
Demo ACI by Design:
L4-L7 Device Automation Workflow
Orchestrate it all for me!!!
Application Profile Before and After Orchestration
rebuild-mypod.bash + quarantine
contracts:
• out-to-web (ASA)
• web-to-app (ASA)
• app-to-db (FTD)
LABSEC-3335 – DC Security Lab
Lab topology (diagram; main elements):
• ASA5525 Cluster: Routed L3FW Context, Dynamic Routing to vPC, GoTo Non-PBR; External VRF vrf40net; L3out2 / L3out3 (10.50.0.10, 10.60.0.10; 10.60.0.1, 10.70.0.1 outside)
• ASA5525 Failover: Routed L3FW Context, GoTo Non-PBR; L3out1 (10.40.0.10; 10.40.0.1, 10.50.0.1)
• NGFWv (FTDv): Routed Mode, PBR GoTo L3FW, One-Arm Mode; pbr-bd / BD3 (firewall 10.3.0.1, SVI 10.3.0.2); FTDv interfaces 10.1.0.1 and 10.2.0.1; managed by FMC
• Internal VRF pod40net; ASAv5; Dynamic EPG; SVI/Subnet 10.1.0.2/16
• Endpoints: Outside host 10.70.0.101 (Outside Network) → out-to-web contract → Web host 10.1.0.101/16 (Web EPG, BD1 web) → web-to-app contract → App host 10.1.40.102/16 (App EPG) → app-to-db contract → DB host 10.2.0.103 (DB EPG, BD2 db)
Firepower NGFWv HA in ACI
Step 1: Orchestrate FTDv config (python scripts / api-client → FMC → FTDv HA pair) to secure App to DB communication
Internal Tenant VRF: App host (App EPG) – app-to-db Contract – DB host (DB EPG)

ASA HA Context in ACI
Step 2: Orchestrate ASA config (python scripts / api-client → ASA Context on HA pair) to secure Web to App communication
Internal Tenant VRF: Web host (Web EPG) – web-to-app Contract – App host (App EPG)

ASA Cluster Context in ACI
Step 3: Orchestrate ASA config and OSPF peers (python scripts / api-client → ASA Context on a Cluster) to secure campus to Web communication
External VRF (Campus Network, Outside host) – out-to-web Contract – Internal Tenant VRF (Web host, Web EPG)
Deployment:
Cisco Device Packages
Orchestrate Cisco ASA and FTD in ACI Fabric
• React to detected threats in an automated fashion – FMC Remediation Module for ACI
• ASA Device Package: FPR9300, FPR4100/2100 running the ASA app; ASA5585-X (EoS) and ASA5500-X diverting to SFR (FirePOWER Services); ASAv50, ASAv30, ASAv10
• FTD Device Package: FPR9300, FPR4100, FPR2100 running the FTD app; Virtual FTD (NGFWv); Firepower Management Console (FMC)
Cisco ASA and FTD Device Packages for ACI
ASA with FirePOWER Services:
• Security team configures via FMC: ASA Embedded FirePOWER Services – Threat Policies, config added manually via FMC, outside of APIC control/visibility
• APIC configures on ASA via ASA Device Package: ACLs, Inspections, HA, Special Features; Interfaces, VLANs, IPs, Static or Dynamic Routes
Cisco NGFW (FTD image):
• Security team configures via FMC: Access & Threat Policies – URL filter, NGIPS, AMP, etc.; adding a Security Zone to pre-defined rules under Access & Threat Policies
• APIC configures via FMC via FTD Device Package: APIC-added/validated Interfaces, IP Addresses, VLANs, Inline IPS pairs, Security Zones
Nexus9k Leafs/Spines – Shadow EPG VLANs, L3outs: APIC configures Tenant Networking and Service Graph Parameters in the ACI Fabric
ASA Device Package
ASA Device Package – Two Options: PO and FI
ASA Policy Orchestration (PO) DP – Managed Service Policy:
• FirePOWER Services Threat Defence Policies: Threat Policy on FMC; security team configures via FMC
• APIC configures on ASA via ASA Device Package: ACLs, Inspections, HA, S2S VPN, Special Features; Interfaces, VLANs, IPs, Static or Dynamic Routes
• Security team adds more ASA config.
ASA Fabric Insertion (FI) DP – Managed Service Policy:
• ASA has an option that allows APIC to configure insertion into the fabric while all other ASA features are configured out of band (CLI, REST-API, CSM, CDO)
• FirePOWER Services Threat Defence Policies, ACLs, Inspections, HA, and all other ASA features: security team configures
• APIC configures on ASA via ASA Device Package: Interfaces, VLANs, IPs, Static or Dynamic Routes
Nexus9k Leafs/Spines – Shadow EPG VLANs, L3outs: APIC configures the Service Graph in the ACI Fabric
Reference: ASA Device Package Download on Cisco.com

ASA DP Built-In Profiles
• Template for Routed ASA – requires entry of IP addresses; HA needs Standby IP entry
• Template for Transparent ASA – requires entry of BVI IP address; HA needs Standby IP entry

ASA PO Function Profile – e.g., PBR One-Arm
Managed
ASA Cluster in a Service Graph – ACI vPC
• Contracts out-to-web & web-to-app use the Device Package
• Resiliency with 10/40/100G ports, Security Modules (SM), chassis, and ACI Leafs
• Six SM-44 blades in an FPR9300 ASA cluster: 250Gbps TCP 450B; add Radware DDoS
Diagram: Campus Network – l3out – vPC – Firepower 9300s running the ASA app, Context-1 (North/South) and Context-2 (East/West) – Web – App
Managed – APIC 2.0+
PBR Service Graph to a Single Interface L3FW ASA
• The fabric directs traffic in and out of the same interface, using a managed ASA. This ASA feature must be enabled: same-security-traffic permit intra-interface.
• The PBR Service Graph redirects traffic between two EPGs within the same Bridge Domain (subnet). Select which traffic to redirect (e.g. http, ssh file copy) versus which protocols not to redirect.
• Rock Star: we can script a custom MAC on the ASA(v) and set that MAC on the PBR redirect.
Diagram: ASA(v) 10.3.0.1 with a default or static route to the SVI, custom MAC 5585.4100.9300; N9k SVIs in BD_pbr 10.3.0.2 (One-arm graph); EPG APP and EPG DB in BD1 (protected servers, DHCP: 10.1.0.100 – 10.1.0.140)
FTD Device Package
FTD FI Device Package for ACI – Managed Service Graph, Hybrid Service Manager Model
• Firepower NGFW HA pair (FTD 6.2 image) registered to FMC 6.2
• APIC imports the FTD Device Package to program FMC/FTD (API / GUI)
Security Admin (FMC GUI) pre-defines a security policy rule in FMC for use in the ACI fabric:
 Defines initial criteria for allowed Protocols and can update later
 Attaches appropriate threat policies (Malware, NGIPS)
 Adds URL Filtering, Geo-location, Threat Grid sandboxing, etc.
 Access Control Policy Rule is dedicated per service graph
Network Admin uses APIC to attach FTD to the ACI fabric and EPG traffic to a policy by:
 Creating Interfaces and matching VLANs for traffic to arrive at FTD
 Defining mode of operation: Routed, Transparent FW, NGIPS
 Creating Security Zones and attaching them to the pre-defined security policy
 FTD device package programs Fabric Insertion features from APIC

Reference: FTD 1.0.2 FI Device Package Posted
FTD DP Built-In Profiles
• Template for Inline NGIPS – requires no field entry; FMC object names include a unique suffix
• Template for Routed NGFW – requires entry of IP addresses
• Template for Transparent NGFW – requires entry of BVI IP address

FMC Pre-Defined (Existing) Rule – SECURITY

APIC Attaches Traffic to FMC ACP & Rules
ftd-policy: ftd-rule1, ftd-rule2
Note: New rules need Zone and bi-dir values configured
FTD Routed Device Info Created from APIC
• Interface Names: appnic / dbnic
• Security Zones: app-zone / db-zone
• Interface IPs: 10.1.0.1/24 / 10.2.0.2/24

FTD Transparent Device
• Interface Names: webnic / appnic
• Security Zones: web-zone / app-zone
• BVI ID and IP: BVI5 / 10.1.0.104/24

FTD IPS Inline
• Interface Names: webnic / appnic
• Security Zones: web-zone / app-zone
• Inline Set Name: web-app-ips
Matching FTD/ACI Deployment Modes
• Firewall Modes
  • Routed – GoTo Service Graph
  • Transparent – GoThrough Service Graph
• NGIPS/IDS Modes
  • Inline (managed) – GoThrough Service Graph
  • Inline TAP (unmanaged) or Passive (unmanaged) – Copy Service Graph
APIC VMware VLAN Trunk Port Group
Assign Port Group:
• Name
• VLAN range

Assign Trunk Port Group to FTDv vNICs
FTDv Go-To Service Graph – vNIC Pairs
FTDv (NGFWv) routed interfaces, orchestrated through vCenter:
• app host 10.1.0.102 (Vlan 100, BD: app, GW: 10.1.0.1) – consumer SG portgroup Vlan 304 – vNIC2 10.1.0.1 on the FTDv
• db host 10.2.0.103 (Vlan 200, BD: db, GW: 10.2.0.1) – provider SG portgroup Vlan 305 – vNIC3 10.2.0.1 on the FTDv

FTDv Go-Through Service Graph – vNIC Pairs
FTDv (NGFWv) switched interfaces (IRB in Routed and BVI in Transparent Mode), orchestrated through vCenter:
• web host 10.1.0.101 (Vlan 100, BD: web) – consumer SG portgroup Vlan 304 – vNIC2
• app host 10.1.0.102 (Vlan 200, BD: app) – provider SG portgroup Vlan 305 – vNIC3
• BVI10 10.1.0.100 bridges vNIC2 and vNIC3
FTD NGIPS Service Graph with HA or Bypass
• FPR2100 / 4100 / 9300 FTD App with the FTD Device Package, inline IPS port pairs (eth1/1 consumer-side, eth1/2 provider-side)
• Diagram: web (BD: web, Node-101 port 1/5, vlan401) and app (BD: app, Node-102 port 1/5, vlan216), Shadow EPGs on vlan1001 towards the inline pair on ports 1/45 – 1/46
• Flooding should be enabled on BDs, while loop detection, LLDP, and CDP must be disabled.
• Use a static VLAN pool and enable Port-local scope in the L2 Interface Policy.
• If you use FTDv, IPS interfaces attach to ‘access VLAN’ or trunk mode vNICs. Access VLAN port-groups allow the VDS to abstract VLAN tags and not share the tag.
FTD Device Package Features Coming Soon
• FMC REST-APIs in upcoming releases will allow these additions to the device package:
  • Static Routing*
  • Port-channels*
  • FTD Clustering*
* Planned in the next release, to support upcoming FMC 6.2(3). Join beta!
Security Beta Programs
• Security Beta Products: Firepower NGFW/NGIPS, Firepower Platforms, ASA, ISR, ESA, AMP for Endpoints, Stealthwatch, ISE, OpenDNS, Learning Networks
• Customer Benefits:
  • Free test hardware
  • Early experience with and training on new features and functionality
  • Demos and feedback sessions on product usability, design, and roadmaps
  • Risk-free testing in the customer environment prior to FCS
  • Beta customer S1-3 issues fixed in GA release
To participate in Beta: http://cs.co/security-beta-nomination or email ask-sbg-beta@cisco.com
“I've been involved in many beta programs … I must say that this one has been the best organised. This beta has taken a very active, hands-on approach.” - Liberal Arts College Customer
Dynamic Policy from ACI
Attachment Notification on Service Graph Terminals
P2-ASA5525-1/pod37# show object-group
object-group network __$EPG$_pod37-wan-out-out-l3out3
 network-object 10.70.0.0 255.255.255.0
object-group network __$EPG$_pod37-aprof-app
 network-object host 10.1.37.102
object-group network __$EPG$_pod37-aprof-web
 network-object host 10.1.0.101

Diagram: Outside host 10.70.0.101 (Outside Network, 10.70.0.1) – out-to-web contract – Web host 10.1.0.101/16 (Web EPG, BD1 web, SVI/Subnet 10.1.0.2/24) – App host 10.1.37.102/16 (App EPG)
Sample flow: Source 10.70.0.101, Destination 10.1.0.101
ASA Device Package
Dynamic Update to EPG Object-Group
APIC dynamically detects a new endpoint, the ASA subscribes to the attach/detach event, and the ASA device package automatically adds EPs to the object-group:
1: Enable “Attachment Notification” on the function connector internal.
2: APIC creates an object-group for the EPG.
3: APIC adds new endpoints to the object-group (192.168.10.101, 192.168.10.102).

object-group network __$EPG$_pod37-aprof-app
 network-object host 192.168.10.101
 network-object host 192.168.10.102

access-list access-list-inbound extended permit tcp any object-group __$EPG$_pod37-aprof-app eq www

Diagram: web (Consumer, 192.168.20.200) – ASA (192.168.10.200) – app (Provider) with the new endpoints 192.168.10.101 and 192.168.10.102; the ACE references the object-group
ASA Device Package
EPG Segmentation with Dynamic Update
• A shared Service Graph allows APIC to insert new EPs: APIC knows the active endpoints in the EPGs and programs objects and ACLs in the ASA. Newly attached VM IPs are updated, auto-magically permitting their access to the BD1 DB EPG.
• The ASA builds up ACEs:

object-group network __$EPG$_pod10-aprof-web
 network-object host 10.1.0.11
 network-object host 10.1.0.2

access-list acl1 extended permit tcp object-group __$EPG$_pod10-aprof-web 10.2.1.0 255.255.255.0 eq sqlnet

Diagram: BD1 10.2.1.0/24 – EPG DB; flat BD2 subnet 10.1.0.0/16 (DHCP) with EPG IP1, IP2, IP3, IP10, IP11, IP12 behind the ASA; endpoints not in the object-group are denied.
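The attach/detach behaviour described on the last two slides, as an added example that is not code from the deck or from Cisco's ASA device package: a small tracker that applies APIC attachment notifications to per-EPG object-groups and emits the ASA CLI delta that would be pushed. The event dictionary shape, the class and function names, and the sample addresses are assumptions constructed for the example; the `__$EPG$_<tenant>-<ap>-<epg>` naming and the CLI syntax follow the slides.

```python
# Added example (not from the BRKSEC-3004 slides, not Cisco's device-package code).
# Hypothetical: the event dict shape, EpgObjectGroups/contract_ace names, and the
# sample events. Object-group naming and CLI syntax follow the slides.
import ipaddress
from dataclasses import dataclass, field


def epg_object_group_name(tenant: str, ap: str, epg: str) -> str:
    """Object-group name the slides show for an EPG (e.g. __$EPG$_pod10-aprof-web)."""
    return f"__$EPG$_{tenant}-{ap}-{epg}"


@dataclass
class EpgObjectGroups:
    """Tracks per-EPG object-group membership and emits ASA CLI deltas."""
    groups: dict = field(default_factory=dict)  # group name -> set of host IPs

    def apply(self, event: dict) -> list:
        """Apply one attachment notification; return the CLI lines to push.

        Hypothetical event shape: {"tenant", "ap", "epg", "ip", "action"},
        action being "attach" or "detach".
        """
        name = epg_object_group_name(event["tenant"], event["ap"], event["epg"])
        # Validate before anything reaches the firewall CLI: a malformed address
        # raises here instead of producing a broken or injectable command line.
        ip = str(ipaddress.ip_address(event["ip"]))
        members = self.groups.setdefault(name, set())
        action = event["action"]
        if action == "attach":
            if ip in members:              # idempotent: APIC may re-send events
                return []
            members.add(ip)
            return [f"object-group network {name}", f" network-object host {ip}"]
        if action == "detach":
            if ip not in members:
                return []
            members.discard(ip)
            return [f"object-group network {name}", f" no network-object host {ip}"]
        raise ValueError(f"unknown action {action!r}")

    def members_of(self, tenant: str, ap: str, epg: str) -> set:
        return set(self.groups.get(epg_object_group_name(tenant, ap, epg), set()))

    def render(self) -> str:
        """Full object-group config, as 'show run object-group' would list it."""
        lines = []
        for name in sorted(self.groups):
            lines.append(f"object-group network {name}")
            for ip in sorted(self.groups[name], key=ipaddress.ip_address):
                lines.append(f" network-object host {ip}")
        return "\n".join(lines)


def contract_ace(acl: str, groups: EpgObjectGroups, src: tuple,
                 dst_subnet: str, port: str) -> str:
    """ACE permitting the source EPG's object-group to a destination subnet/port
    (the slide's 'acl1 ... eq sqlnet'). Refuses to reference an object-group APIC
    has never created, so a typo cannot silently produce an ACE that matches nothing."""
    name = epg_object_group_name(*src)
    if name not in groups.groups:
        raise KeyError(f"object-group {name} has not been created by APIC")
    net = ipaddress.ip_network(dst_subnet)
    return (f"access-list {acl} extended permit tcp object-group {name} "
            f"{net.network_address} {net.netmask} eq {port}")


if __name__ == "__main__":
    # Constructed sample events mirroring the slide's pod10 example.
    og = EpgObjectGroups()
    for ev in [
        {"tenant": "pod10", "ap": "aprof", "epg": "web", "ip": "10.1.0.11", "action": "attach"},
        {"tenant": "pod10", "ap": "aprof", "epg": "web", "ip": "10.1.0.2", "action": "attach"},
    ]:
        print("\n".join(og.apply(ev)))
    print(contract_ace("acl1", og, ("pod10", "aprof", "web"), "10.2.1.0/24", "sqlnet"))
```

The delta form matters operationally: a detach must produce a `no network-object host` line rather than a re-render of the whole group, otherwise a stale endpoint stays permitted until the next full push.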
FTD Device Package
Dynamic EPG on FMC
After enabling ‘Attachment Notification’, APIC creates and maintains a Network Group object in FMC. You can then use that object in the ACP rule to impose further controls.
Combine with Dynamic Policy From Campus
ASA Device Package
Dynamic Policy – TrustSec on ASA to ACI Policy Contract
ACI Policy Contract: Corp → App: Allow, Redirect to ASA; All Other: Drop
1. Campus users in the Corp EPG get tagged to groups by ISE (Marketing, Engineering [SGT 333])
2. ASA learns group mappings through the SXP protocol
3. Coarse filtering: the ACI Policy Contract allows all traffic from campus to the DC application and redirects it to the ASA
4. Fine filtering: the ASA permits only Engineering to access the application from campus, based on group
ASA policy:
Source                 Destination  Action
Engineering [SGT 333]  Any          Allow
Any                    Any          Deny
ASA Device Package
ASA Dynamic Policy for Campus and NGDC
• ASA learns campus SGT IP mappings through the SXP protocol; ISE SGTs are used in ASA policy.
• Rock Star: ASA learns DC EPG groups and mappings via Service Graph Attachment Notification; object-groups are used in ASA policy.
ASA policy:
Source                 Destination            Action
Engineering [SGT 333]  object-group EPG_Engr  Allow
Marketing [SGT 555]    object-group EPG_Mktg  Allow
Any                    Any                    Deny
Diagram: Campus (Marketing, Engineering) – SXP – ASA – ACI Fabric Data Centre (Engr App EPG, Mktg App EPG)
Rapid Threat Containment
FMC to APIC Rapid Threat Containment

Step 1: Infected End Point (App1) launches an attack that NGFW(v), FirePOWER Services in ASA, or FirePOWER(v) appliance blocks inline.
Step 2: Intrusion event is generated and sent to FMC, revealing information about the infected host.
Step 3: Attack event is configured to trigger the remediation module for APIC, which uses the NB API to contain the infected host in the ACI fabric.
Step 4: APIC quickly contains/quarantines the infected App1 workload into an isolated uSeg EPG.

(Diagram: ACI Fabric with App EPG (App2, infected App1) and DB EPG; FMC connected to APIC.)
Reference

APIC/Firepower Remediation Module at Cisco.com
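Steps 3 and 4 above, as an added example that is not Cisco's APIC/Firepower Remediation Module: one function pulls the infected host out of a constructed FMC intrusion event, the other builds the APIC northbound REST call that places that host in an attribute-based (uSeg) EPG. The APIC class names (fvAEPg, fvCrtrn, fvIpAttr) are APIC's object model; the tenant, application profile, BD and EPG names and the event layout are placeholders, and the quarantine EPG is assumed to carry no contracts.

```python
"""Added example: FMC intrusion event -> APIC uSeg EPG quarantine request.
The event layout and all names are constructed placeholders."""
import ipaddress
import json
from typing import Dict, Tuple


def infected_host(event: Dict) -> str:
    """Pick the side of the flow the IPS blamed (constructed event field);
    validate it so a malformed event cannot become a bogus APIC object."""
    side = "src" if event.get("impact_flag_source", True) else "dst"
    ip = event[f"{side}_ip"]
    ipaddress.ip_address(ip)  # raises ValueError on garbage
    return ip


def quarantine_request(tenant: str, ap: str, useg_epg: str, bd: str,
                       ip: str) -> Tuple[str, Dict]:
    """APIC MO tree for a uSeg EPG with an IP attribute matching the host.
    Posting the same tree for another host adds another fvIpAttr, so later
    events accumulate in the same isolated EPG."""
    attr_name = "quarantine-" + ip.replace(".", "-").replace(":", "-")
    url = f"/api/mo/uni/tn-{tenant}/ap-{ap}/epg-{useg_epg}.json"
    body = {"fvAEPg": {
        "attributes": {"name": useg_epg, "isAttrBasedEPg": "yes"},
        "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
            {"fvCrtrn": {"attributes": {"name": "default"},
                         "children": [{"fvIpAttr": {"attributes": {
                             "name": attr_name, "ip": ip}}}]}}]}}
    return url, body


# Constructed sample intrusion event (not a real FMC record).
SAMPLE_EVENT = {"src_ip": "10.1.0.101", "dst_ip": "10.2.0.103",
                "impact_flag_source": True, "msg": "constructed event"}

if __name__ == "__main__":
    host = infected_host(SAMPLE_EVENT)
    url, body = quarantine_request("pod3", "aprof", "quarantine", "BD1", host)
    print(url)
    print(json.dumps(body, indent=1))
```

The returned URL and body are what the module would POST to APIC after aaaLogin; sending is left out so the example runs offline.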
Better Together: Cisco ACI and Security

VDI and Multi-DC

FTD Identity Policy in ACI – Campus to NGDC VDI

VDI Farm: one big flat subnet, but VMs isolated, blocking lateral movement. Contract campus-to-vdi: service-graph to FTD (consumer: Campus Network, provider: VDI EPG). FTD is the VDI GW and advertises the subnet to OSPF (OSPF to L3out vPC4). Red and Blue badge users initiate the VDI session from the campus.

(Diagram: Firepower 4100 / 9300 with FTD Image; FMC in Server EPG; Active Directory with SF / TS Agent.)

The Highlights
 Program ACI Fabric w/ Intra-EPG Isolation
 Enable FTD User-identity Based policy
 FW/AVC/NGIPS/AMP with HA and Scale
 FP4100/FP9300 Inter-chassis Clustering for Scale with 6.2 code
 Unmanaged Service Graph + L3out
 OSPF peering FTD to ACI Fabric
 Scaling to 50k+ AD Users
Cisco ACI Fabric and Policy Domain Evolution
Recommend two sessions to watch: BRKACI-2016 – ACI Layer 4-7 Integration; BRKACI-3502 – ACI Multisite Deployment

  ACI Single Pod Fabric    ACI Stretched Fabric       ACI Multi-Pod Fabric              ACI Multisite
  ACI 1.0                  ACI 1.1                    ACI 2.0                           ACI 3.0 ...more to come!
  Single Pod Fabric        Geographically stretch a   Multiple Leaf/Spine Networks      Multiple Availability Zones (Fabrics)
  (APIC Cluster)           single fabric (DC1, DC2)   (Pods) in a single Availability   in a Single Region 'and' Multi-Region
                                                      Zone (Fabric); Pod 'A'..Pod 'n'   Policy Management; Fabric 'A'..Fabric 'n'
                                                      over IPN; MP-BGP - EVPN           over IP; MP-BGP - EVPN

  Firewall Integration
  EPG-attached,            EPG-attached,              EPG-attached,                     EPG-attached,
  Service-Graph            Service-Graph              Service-Graph                     No Service Graph
                           Caveats around vPC         Use HA across Pods & per Pod      Support HA across Sites
                           across sites
Troubles Today with ASA / FTD Cluster & Multi-Pod

(Diagram: BD extended between all Pods over the Inter-Pod Network; ASA or FTD Cluster in Routed Mode, with Cluster Master (Active) in Pod 'A' and Cluster Slave (Active) in Pod 'n'.)

EPs ARP for the Gateway, and all Firewalls in the Cluster receive the ARP request, as the BD is extended across all Pods. Absent MAC filtering in ACI, all Firewalls in the Cluster respond to the ARP request, causing MAC flapping on the service leaf.

The solution: ACI Multi-Pod needs an 'anycast service' that enables ASA or FTD clustering with Multi-Pod.
TECSEC-2273 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
Future

ASA or FTD Active/Active Cluster in L3 PBR Mode

 PBR policy for Active/Active firewall cluster in ACI Multi-Pod (Future)
 All the active FW nodes have the same IP/MAC identity, so the reachable local instance will be chosen (based on IS-IS metric toward the IP address)
 More elegant integration due to local and remote firewall backups with full state tracking
 All cluster nodes local to a Pod must connect to the same vPC pair of leafs

(Diagram: Pods joined by the IPN, APIC Cluster; PBR Policy applied on the service leafs in each Pod; L3Out-1 and L3Out-2 to the WAN; Cluster Master (Active) and Cluster Slave (Active), both in Routed Mode.)
Now, what if I am not ready to give up control of my ASA or FTD?

Network Centric ACI (Fabric as L2): Security is EPG-Attached

Flexible Options in Customer Adoption

  1 ACI L2 Fabric             2 ACI No Package              3 ACI by Design
  • ACI used as classic DC    • Turn on Benefits of ACI     • Orchestrate FW Config
  • EPG = VLAN/Subnet         • Anycast GW & Routing        • SecOps control Policy
  • Manual Firewall Config    • Manual Firewall Config      • Policy Orchestration
                              • Fabric Insertion            • APIC in Control
  EPG-Attached Firewall       Unmanaged Service Graphs      Managed Service Graphs
  (Web, App, DB EPGs)         (Web, App, DB EPGs)           (Web, App, DB EPGs)
1

Why Use L2 Fabric and No Service Graphs

• Design calls for a large number of service graphs and contracts (scalability of ACI fabric must be considered)
• Fastest migration of security services and policies into ACI fabric (VLANs to EPGs, Subnets and Security appliances enforce policy)
• Use the security product in the same fashion as you do in traditional networks
• Relieves Services of the controller validation and monitoring
• Less complexity compared to service graph, but also no PBR redirect benefits
• You can use cut-in Firewall designs, ensuring all traffic to/from DC is secured (Note: ACI fabric attaches independently to campus L3out and firewall when service graphs are configured)
1 ACI Fabric is L2

Network Centric ACI

Firewalls managed separately from APIC by the security team. Service attaches to EPG VLANs/PGs and serves as a host gateway to steer traffic between VLANs.

(Diagram: SECURITY -> EPG-Attached Firewall in front of the Web, App and DB EPGs, plus an Out EPG.)

Have flexibility for APIC to manage EPGs, and attach security directly into EPGs.
Endpoint Group (EPG) | Contract | Service Chain | Programmability
No Service Graph

Firepower Cluster at Perimeter to ACI Fabric

Classic 'Cut-in' design for N/S and E/W EPG protection: Firepower 4100/9300 Clustering (FTD or ASA Image), vPC Master and vPC Slave, between the Campus Network and the ACI Data Centre.

Firepower VLAN sub-interfaces can connect to ACI Web and App EPG segments, serving as gateways for E/W inspection. Firepower ACI and ISE Remediation Packages are applicable.
Can I still use orchestration without APIC?

Yes, here are some pointers on how to manually use device packages.

Orchestrate Manually: ACI FTD Device Package

Device Specification
  "dn": "uni/tn-%s/lDevVip-%s/vFTD-l3fw" % (tenant_name, l47_dev_name),
  "name": "FTD-HA1",
  "host": fmc_ip,
  "virtual": virtual,

Device Configuration
  (0, '', 4548): {
      'dn': "uni/vDev-[uni/tn-pod3/lDevVip-vFTD-l3fw]-tn-[uni/tn-pod3]-ctx-pod3net",
      'transaction': 0,
      'ackedstate': 0,
      'value': {
          (4, 'SecurityZone', zone1): {
              'state': 2,
              'transaction': 0,

Device Interface: REST/CLI (device package -> FMC (FTD Manager) -> FTD)

Device JSON Configuration is recorded in the APIC debug.log under /data/devicescript/CISCO.FTD_FI.1.0/logs/. FTD FI Device Package can still help! You can automate FTD fabric insertion configuration without using APIC.
Reference

What We Need To Do Before We Start

1) Scripting Host that you can use to program FMC (I suggest Linux)
2) Install Python interpreter, 2.7.3 or later
3) Download FTD 1.0.2 Device Package for ACI from Cisco.com (see the previous slide for location of the package)
4) Download Github config and unconfig python scripts: https://github.com/cisco-security/FMC-REST-API-scripts
5) Create manual-devpkg directory (choose the name as appropriate)
Reference

Unzip FTD Device Package in a New Directory

(In the manual-devpkg directory, unzip the FTD DevPkg and see the created ftd-fi directory)

  user@api-client:~/manual-devpkg/ftd-fi$ ls -l
  total 220
  -r--r--r-- 1 user user  34355 2017-12-07 15:32 device_script.py
  -r--r--r-- 1 user user  25110 2017-12-07 15:34 device_script.pyc
  -r--r--r-- 1 user user  28600 2017-11-11 22:29 device_specification.xml
  drwxrwxr-x 4 user user   4096 2017-12-07 15:34 devpkg
  drwxrwxr-x 2 user user   4096 2017-12-07 15:34 fmc
  drwxrwxr-x 2 user user   4096 2017-12-07 15:34 ftd
  -rw-r--r-- 1 user user 108064 2017-11-29 13:58 ftd-fi-device-pkg-1.0.2.14.zip
  drwxrwxr-x 2 user user   4096 2017-12-07 15:33 images

device_script.py: Python procedures written by the security BU to provision a given FTD configuration.
device_specification.xml: the device spec that defines the model of our FTD device package.
Reference

Prepare FMC and FTD for Orchestration

• Setup FMC with necessary licenses (use demo with evaluation mode)
• Ensure connectivity between FMC and FTD
• You can register FTD(s) via FMC GUI, or you can use a script (see script ftd-reg.pl: https://github.com/cisco-security/FMC-REST-API-scripts)
• FTD HA must be pre-configured manually via FMC
• Pre-configure FMC Policy and Rule(s) you want FTD interfaces to use
• Create a separate admin account for API communication (i.e. apiuser)
FTDv Routed EPG-attached Firewall Integration

NGFWv (FTDv), Routed Mode, EPG-attached vNICs. Internal VRF – pod(pod#)net.

(Diagram: FTDv with interfaces 10.1.0.1 (BD1, web) and 10.2.0.1 (BD2, db); fabric SVI/Subnet 10.1.0.2/24; python scripts on the api-client drive the FMC Service Manager; Web host IP 10.1.0.101/16 in Web EPG, App host IP 10.1.pod#.102/16 in App EPG, DB host IP 10.2.0.103 in DB EPG; contract app-to-db carries Src: 10.1.0.102, Dst: 10.2.0.103.)

Network Adapters 5 & 6 are already statically assigned to the App and DB EPGs. FTDv needs to use g0/3 as the App EPG end-point and g0/4 as the DB EPG end-point.
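The 'Device Interface: REST' leg of the manual procedure above, as an added example (not the FTD_FI device package and not the cisco-security GitHub scripts): it reads the SecurityZone entries out of a device-configuration dict shaped like the debug.log fragment, and builds the FMC REST calls (generatetoken, then object/securityzones) that create each zone. The FMC address, the apiuser credentials, the zone names and the device-configuration contents are placeholders; nothing is sent unless main() is run against a reachable FMC.

```python
"""Added example: device-package style configuration -> FMC REST requests.
FMC_HOST, credentials and DEVICE_CONFIG are constructed placeholders."""
import base64
import json
import urllib.request
from typing import Dict, List

FMC_HOST = "fmc.example.invalid"  # placeholder, replace with your FMC


def security_zones(device_config: Dict) -> List[str]:
    """Walk (0, '', N) -> 'value' -> (4, 'SecurityZone', name) and return names."""
    zones = []
    for entry in device_config.values():
        for key in entry.get("value", {}):
            if isinstance(key, tuple) and key[1] == "SecurityZone":
                zones.append(key[2])
    return zones


def zone_payload(name: str, mode: str = "ROUTED") -> Dict:
    """FMC security-zone object; interfaceMode must match how the FTD
    interface is deployed (ROUTED for the GoTo designs on these slides)."""
    return {"name": name, "type": "SecurityZone", "interfaceMode": mode}


def token_request(user: str, password: str) -> urllib.request.Request:
    """Basic-auth POST to generatetoken; FMC answers with the
    X-auth-access-token and DOMAIN_UUID response headers."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{FMC_HOST}/api/fmc_platform/v1/auth/generatetoken",
        method="POST", headers={"Authorization": f"Basic {creds}"})


def zone_request(token: str, domain_uuid: str, payload: Dict) -> urllib.request.Request:
    """Create one security zone under the domain returned at login."""
    url = f"https://{FMC_HOST}/api/fmc_config/v1/domain/{domain_uuid}/object/securityzones"
    return urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"X-auth-access-token": token, "Content-Type": "application/json"})


# Constructed device configuration, same shape as the slide's fragment.
DEVICE_CONFIG = {(0, "", 4548): {
    "dn": "uni/vDev-[uni/tn-pod3/lDevVip-vFTD-l3fw]-tn-[uni/tn-pod3]-ctx-pod3net",
    "transaction": 0, "ackedstate": 0,
    "value": {(4, "SecurityZone", "consumer-zone"): {"state": 2, "transaction": 0},
              (4, "SecurityZone", "provider-zone"): {"state": 2, "transaction": 0}}}}


def main(user: str = "apiuser", password: str = "PLACEHOLDER") -> None:
    with urllib.request.urlopen(token_request(user, password)) as resp:
        token = resp.headers["X-auth-access-token"]
        domain = resp.headers["DOMAIN_UUID"]
    for name in security_zones(DEVICE_CONFIG):
        with urllib.request.urlopen(zone_request(token, domain, zone_payload(name))) as resp:
            print(name, resp.status)
```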
Is there a way to use service graph but keep control of my ASA & FTD?

Network Policy Mode: Unmanaged Service Graph
2

Why Use Unmanaged Service Graph

• Gain benefits of selective protocol redirection with PBR Service Graph
• SecOps management workflows and tools remain intact
• Security products do not require a device package from a Vendor
• Quicker migration of security services and policies into ACI fabric
• Allow use of the full spectrum of product features, not just the features supported by the device package
• Relieves Services of the APIC config validation and monitoring
...but you cannot use the dynamic update feature.
2 No Device Package

Services Independent of APIC but App Centric

Firewalls still managed separately from APIC by the security team. Physical appliance attaches to the given fabric ports and must match VLANs. Virtual appliance data plane vNICs get attached to proper PGs via APIC.

(Diagram: SECURITY -> Unmanaged Service Graphs in front of the Web, App and DB EPGs.)

Customers enable full ACI fabric benefits without forcing a device package.
Endpoint Group (EPG): creation of EPG segments still done on APIC; EPs are virtual machines or physical servers.
Contract: is between EPGs and adds unmanaged Service Graphs (no device pkg).
Service Chain: adds L4-L7 Devices and includes PBR redirect service graph.
Programmability: Northbound API to script full Tenant network and unmanaged SG creation.
Matching ASA and FTD to ACI Deployment Modes

  ASA Modes of Operation    ACI Service Graph Modes    FTD Modes of Operation
  • Firewall Modes          GoTo Service Graph         • Firewall Modes
    • Routed                                             • Routed
    • Transparent           GoThrough Service Graph      • Transparent
                                                       • NGIPS/IDS Modes
                            Copy Service Graph           • Inline or Inline TAP
                                                         • Passive

ASA or FTD applications can be added to the ACI fabric in an Unmanaged Service Graph mode. You must carefully design their service graphs and match the mode of operation with ACI fabric workloads.
Unmanaged

FTD Cluster Service Graph – vPC

NGFW protections at the N/S perimeter of the ACI Fabric, plus add E/W.

(Diagram: Campus Network; Contract out-to-web with service-graph FTD1 between consumer and provider Web EPG; Firepower 4100/9300 Clustering with Firepower Threat Defence (FTD) Image, Master and Slave; Vlan 100 / Vlan 200 toward the campus, Vlan 404 / Vlan 405 toward the fabric over vPC4 as Po1.404 / Po1.405; FMC and APIC.)

FMC manages the FTD cluster and config. Benefit from scale and state-sharing: redundant links (max 16) and appliances (max 6 in FTD cluster). Use BGP or OSPF with ACI L3outs. Firepower ACI Remediation Package is applicable.

APIC Go-To Unmanaged Service Graph: where FTD is in Routed FW Mode (N/S). Add Go-Through Transparent FW BVIs and inline NGIPS-only ports for E/W protection inside the fabric.
Unmanaged

GoThrough NGIPS Service Graph with IPS

Reuse the same Inline IPS pair of PC1 and PC2 for multiple tenants (Tenant1, Tenant2, Tenant3). Identify tenant traffic by using a unique VLAN tag. This design also works well in EPG-attach mode.

(Diagram: BD web (IP: 10.1.0.101) and BD app (IP: 10.1.0.102); Shadow EPG consumer-side on vlan-500 and Shadow EPG provider-side on vlan-501; per-tenant vlan-310, vlan-311, vlan-312 on PC1 (consumer side) and PC2 (provider side); FPR4100/9300 FTD App, IPS Inline Port-Channel Pairing.)

Rock Star: Previously mentioned settings for the IPS service graph still apply for unmanaged mode. The same design applies to EPG-attached mode.
Unmanaged

APIC 2.0+
FTD One-Arm PBR Service Graph - GoTo

Fabric directs traffic in and out of the same interface, using the unmanaged FTD app. Must use one Security Zone to define the ACP rule. Virtual appliance can also be used.

PBR Service Graph redirects traffic between two EPGs in the same Bridge Domain (subnet). Select the type of traffic to redirect, versus what protocols to send via fabric.

(Diagram: FTD App one-arm interface 10.3.0.1 with custom MAC 0f2d.4100.9300 and a default or static route to the SVI; N9k SVIs on BD_pbr 10.3.0.2; One-arm Graph; EPG APP and EPG DB in BD1, with http and ssh (file copy) redirected; Protected Servers on DHCP: 10.1.0.100 – 10.1.0.140.)

Rock Star
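The redirect side of the one-arm design above, as an added example (not APIC's own code or the device package's): it builds the APIC service redirect policy object (vnsSvcRedirectPol with one vnsRedirectDest) from the slide's one-arm leg, 10.3.0.1 with custom MAC 0f2d.4100.9300 on BD_pbr whose SVI is 10.3.0.2. APIC takes the MAC in colon-separated form, and a one-arm redirect only works when the redirect IP lies in the PBR BD and is not the SVI itself, so both are checked before the object is emitted. The tenant and policy names, and the /24 for BD_pbr, are assumptions.

```python
"""Added example: one-arm PBR redirect destination -> APIC vnsSvcRedirectPol.
Tenant/policy names and the BD_pbr /24 are assumptions; IP and MAC come from
the slide."""
import ipaddress
import json
import re
from typing import Dict


def cisco_mac_to_apic(mac: str) -> str:
    """'0f2d.4100.9300' (IOS/ASA style) -> '0F:2D:41:00:93:00' (APIC style)."""
    hexdigits = re.sub(r"[.:\-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def redirect_policy(tenant: str, name: str, fw_ip: str, fw_mac: str,
                    bd_subnet: str, svi_ip: str) -> Dict:
    """vnsSvcRedirectPol with one vnsRedirectDest (the firewall's one-arm leg).
    Design checks: the redirect IP must sit inside the PBR bridge domain and
    must differ from the fabric SVI that is the firewall's default gateway."""
    net = ipaddress.ip_network(bd_subnet)
    ip = ipaddress.ip_address(fw_ip)
    if ip not in net:
        raise ValueError(f"{fw_ip} is not inside PBR bridge domain {bd_subnet}")
    if ip == ipaddress.ip_address(svi_ip):
        raise ValueError("redirect IP collides with the BD SVI")
    return {"vnsSvcRedirectPol": {
        "attributes": {"dn": f"uni/tn-{tenant}/svcCont/svcRedirectPol-{name}",
                       "name": name},
        "children": [{"vnsRedirectDest": {"attributes": {
            "ip": str(ip), "mac": cisco_mac_to_apic(fw_mac)}}}]}}


# IP and MAC from the slide; tenant, policy name and the /24 are assumptions.
ONE_ARM = dict(tenant="pod3", name="ftd-one-arm", fw_ip="10.3.0.1",
               fw_mac="0f2d.4100.9300", bd_subnet="10.3.0.0/24", svi_ip="10.3.0.2")

if __name__ == "__main__":
    print(json.dumps(redirect_policy(**ONE_ARM), indent=1))
```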
Contract app-to-db: FTDv Unmanaged Graph

NGFWv (FTDv), Routed Mode, GoTo Non-PBR. Internal VRF – pod(pod#)net.

(Diagram: FTDv with interfaces 10.1.0.1 and 10.2.0.1; fabric SVI/Subnet 10.1.0.2/24; python scripts on the api-client drive the FMC Service Manager; Web host IP 10.1.0.101/16 in Web EPG (BD1, web), App host IP 10.1.pod#.102/16 in App EPG, DB host IP 10.2.0.103 in DB EPG (BD2, db); contract app-to-db carries Src: 10.1.0.102, Dst: 10.2.0.103.)

Hybrid Model: APIC will create the service graph port-groups and assign them to Network Adapters 3 & 4. FTDv needs to use g0/1 as the consumer and g0/2 as the provider interface for the service graph.
Now, what if I am not sure what Apps live in my Data Centre and cloud?! How can Cisco help me build my fabric policy and ensure compliance?

Cisco Tetration
Cisco Tetration Platform and ACI
• Establish your Data Centre application dependency mappings
• Detect which apps are talking, group them into EPGs and create Contracts with appropriate filters
• Using JSON, APIC can 1-click import EPGs and white-list policy for your ACI Data Centre
• Use the ACI App to convert the Tetration policy recommendation into ACI configuration
• L4-L7 services currently not included in the App, so build those in manually for now
• Github scripts showcase how to import Tetration policy into Cisco Security appliances
• Continue to monitor your applications and show compliance to the established policy (traffic permitted, misdropped, escaped, and rejected)
• Merged Real Time Inventory with Historical Trends for compliance purposes
Whitelist Policy Recommendation
Application Discovery Whitelist Policy Recommendation
(Available in JSON, XML, and YAML)

  {
    "src_name": "App",
    "dst_name": "Web",
    "whitelist": [
      {"port": [0, 0], "proto": 1, "action": "ALLOW"},
      {"port": [80, 80], "proto": 6, "action": "ALLOW"},
      {"port": [443, 443], "proto": 6, "action": "ALLOW"}
    ]
  }
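What the "convert Tetration policy recommendation" and "import Tetration policy into Cisco Security appliances" bullets amount to, as an added example that is neither the Tetration ACI App nor the cisco-security GitHub scripts: it converts a whitelist shaped like the JSON above into the ACI filter entries (vzFilter/vzEntry, APIC's object model) a contract between the two EPGs would carry, and into equivalent ASA access-list lines. The whitelist is constructed from the slide; the filter, ACL and object-group names are placeholders.

```python
"""Added example: Tetration whitelist JSON -> ACI vzFilter and ASA ACL.
RECOMMENDATION is constructed from the slide; names are placeholders."""
import json
from typing import Dict, List

# Tetration 'proto' is the IANA protocol number; map the common ones.
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def aci_filter(recommendation: Dict, filter_name: str) -> Dict:
    """One vzFilter with a vzEntry per ALLOW line. port [0, 0] means 'any'
    (no dFromPort/dToPort). Non-ALLOW lines are skipped: ACI contracts are
    permit-only whitelists, so there is nothing to emit for them."""
    entries = []
    for n, rule in enumerate(recommendation["whitelist"], start=1):
        if rule["action"] != "ALLOW":
            continue
        proto = PROTO.get(rule["proto"])
        if proto is None:
            raise ValueError(f"unsupported protocol number {rule['proto']}")
        attrs = {"name": f"e{n}-{proto}", "etherT": "ip", "prot": proto}
        lo, hi = rule["port"]
        if proto in ("tcp", "udp") and (lo, hi) != (0, 0):
            attrs["dFromPort"], attrs["dToPort"] = str(lo), str(hi)
        entries.append({"vzEntry": {"attributes": attrs}})
    return {"vzFilter": {"attributes": {"name": filter_name}, "children": entries}}


def asa_acl(recommendation: Dict, acl: str, src_obj: str, dst_obj: str) -> List[str]:
    """Same whitelist as ASA ACEs between object-groups, closed by an explicit deny."""
    lines = []
    for rule in recommendation["whitelist"]:
        if rule["action"] != "ALLOW":
            continue
        proto = PROTO[rule["proto"]]
        lo, hi = rule["port"]
        line = (f"access-list {acl} extended permit {proto} "
                f"object-group {src_obj} object-group {dst_obj}")
        if proto in ("tcp", "udp") and (lo, hi) != (0, 0):
            line += f" eq {lo}" if lo == hi else f" range {lo} {hi}"
        lines.append(line)
    lines.append(f"access-list {acl} extended deny ip "
                 f"object-group {src_obj} object-group {dst_obj}")
    return lines


# Constructed from the slide's App -> Web recommendation.
RECOMMENDATION = json.loads("""{
  "src_name": "App", "dst_name": "Web",
  "whitelist": [
    {"port": [0, 0], "proto": 1, "action": "ALLOW"},
    {"port": [80, 80], "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}
  ]}""")

if __name__ == "__main__":
    print(json.dumps(aci_filter(RECOMMENDATION, "app-to-web"), indent=1))
    print("\n".join(asa_acl(RECOMMENDATION, "acl1", "EPG_App", "EPG_Web")))
```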
Cisco Tetration Data Sources – Application Maps

Software sensors (available today): Linux servers (virtual machine and bare metal), Windows servers (virtual machines and bare metal), Windows Desktop VM (virtual desktop infrastructure only).
• Software agent collects telemetry and process information with low CPU and network overhead. It can enforce segmentation and policy enforcement by controlling the host firewall (i.e. IP tables).

Network sensors: Next-generation Cisco Nexus® Series Switches, Cisco Nexus 9300 EX, Cisco Nexus 9300 FX.
• Hardware sensor collects telemetry but also key traffic indicators (i.e., Route forwarding or Buffer drops).

For detailed coverage of Tetration, please refer to the recording of BRKACI-2604 at CL18 Melbourne.
Where can I go for info, if I really, really, really want to find more information about this topic?
Refer to my previous Breakouts on this topic.
See the Cisco Live EMER Berlin recording and pdf of BRKACI-3004:
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=94370
• Shows how to integrate ASA multiple contexts with APIC
• Details how to pre-configure ASA clustering and multiple contexts
• Reviews migration of typical security designs into ACI
• Shows best practices of ASA cluster data plane and CCL in ACI
• Details ASA failover setup and best practices with Failover link and data plane
Additional Resources
List of ACI White Papers - https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-listing.html
Service Graph design - https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-734298.html
ASAv PBR Service Graph - https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/secure-data-center-solution/guide-c07-739765.html
PBR Service Graph Designs - https://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html
Cisco Advanced Security in ACI Playlist - https://www.youtube.com/playlist?list=PLvnemMVdgW1s77HuPk04VWwP47Y8EvlQl
GitHub python scripting for automation of ASA and FTD service graph with ACI - https://github.com/cisco-security
Conclusion
Benefits of Programming with Cisco Security

Stand up defences at the same time as applications with APIC Security Device Packages.
 Cisco Security Device Packages

Automate security policy updates with tighter integration between security appliances and APIC.
 Dynamic EPG updates to Rules/ACLs

Embrace a dynamic workload quarantine with programmable policy enforcement.
 Cisco FMC Remediation Package for APIC

Cisco ACI, Tetration, and Security teams together create better solutions for our customers.
 VDI and Multi-DC Use Cases
Conclusion

• Programmatic approach brings great benefits to your security function in the Data Centre.
• Cisco advanced security combined with ACI offers a mature next gen Data Centre solution with multi-tenancy, open systems programmability, and a full set of protections under one support package.
• Cisco security device packages continue to evolve by adding new features to program, simplify our policies, and enable new use cases.
Q&A
Continue Your Education
• Demos on the Cisco stand
• Walk-in Self-Paced Labs
• Meet the Expert 1:1 meetings
• Related sessions
Thank you

Additional Information
Reference

Cisco Security Device Insertion into ACI

APIC Managed Service Graph
  Firepower NGFW (FTD) 1.0.2 Device Manager Package / ASA 1.2.8 Device Package
  ASA app (ASA, ASAv): GoTo (L3FW), GoThrough (L2FW); ACL, DPI, Netflow, Syslogs, TrustSec; L3out Dynamic Routing (BGP/OSPF); NAT4/6, Dynamic Update EPG ACL; Global Service-Policy; Active / Standby Failover; Divert to embedded Firepower.
  FTD app (FTD, NGFWv): GoTo (L3FW), GoThrough (L2FW and Inline NGIPS); APIC orchestrates Data Plane Interfaces, creates Security Zones, and attaches to pre-defined FMC Policy; FMC controls policy on the FTD app, including AMP, URL filter, Sandbox, etc.

APIC Unmanaged Service Graph
  Run Any ASA or Fire(power) Platform, Code, and Features. APIC orchestrates the service graph on Nexus leaf switches. Security devices ASA, FirePOWER, or Firepower NGFW (FTD) are managed using CLI, REST-API, or purpose-built management tools (ASDM, CSM, FMC), and we now match settings on the unmanaged service graph (plug into configured ports, and match interface static/dynamic VLANs).
  Partial orchestration: APIC controls networking and policy on fabric leaf switches but not L4-L7 devices.
Reference

Cisco Security Devices in ACI Fabric

Cisco L4-7 Device | Supported Platforms | Device Package Version | L4-7 Insertion Mode | HA Mode

FTD on physical appliance | FPR9300, FPR4100, FPR2100, ASA5500-X | FTD_FI DP 1.0.2 (FMC/FTD 6.2.2, APIC 2.2.2e); FTD DP 1.0.2 released!!! | Go-To (Routed, no L3out) or Go-Through (L2FW, inline IPS) | HA (L3FW, L2FW, IPS) or Fail-to-Wire (IPS only)

FTDv virtual | VMware, KVM | FTD DP 1.0.2 released | Go-To (Routed, no L3out) or Go-Through (L2FW, inline IPS) | HA (L3FW, L2FW, IPS) or Fail-to-Wire (IPS only)

ASA physical appliance | FPR9300, FPR4100, ASA5585-X, ASA5500-X | DP 1.2.8; ASA 8.4+ / 9.6+ (ASA app) | Go-To (Routed, L3out supported), Go-Through (L2FW) | ASA Active/Standby Failover, ASA Clustering (Active/Active)

ASAv virtual | ASAv5, v10, v30 on VMware, Hyper-V; KVM SR-IOV used as Phys.Dom | DP 1.2.7; 9.4+ (SMART) | Go-To (Routed, L3out supported), Go-Through (L2FW) | ASAv Active/Standby Failover

FirePOWER physical appliance | FP71x0, FP71x5, FP70x0, FP8100, FP8300 | Unmanaged; DP not in plans | Go-To (Routed), Go-Through (inline IPS) | PBR works with Routed; Fail-to-Wire for IPS

FirePOWER NGIPSv | VMware | N/A | Go-Through (inline IPS) | N/A
LABSEC-3335 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 125
