Micro Segmentation and Cisco ACI – From Theory to Practice Part II

June 27, 2016

This is the second of a series of posts in which we illustrate how to leverage Cisco ACI to implement micro segmentation. In the first post we described how to use ACI micro segmentation to build a web application consisting of a tier of Apache web servers and a MySQL database.

We saw how all the Virtual Machines involved could sit on the same subnet and on the same dvPortGroup in a vSphere environment, and how micro EPGs (uSeg EPGs) group Virtual Machines according to the function they provide so that the right policies get applied. The ACI white-list policy model ensures that only the required protocols and ports are allowed between the Virtual Machines involved (anything not explicitly permitted by a contract is dropped), and Service Graphs can be used to insert advanced security functions such as an NGFW or a load balancer into the path.

In this post, we will focus on how to dynamically build a sandboxed development environment in which to modify that application. Before I get on with that, I want to explain that, to make the demo a bit more fun, I also decided to add an L2 NGFW between the Web and DB tiers of our application. I did that to illustrate how the APIC can automate the NGFW configuration. But doing this is interesting in its own right: the contracts on the fabric effectively act like a firewall in the sense that only TCP/3306 is allowed between the Web and DB tiers, but a contract is an L3/L4 filter, so the fabric cannot ensure that what goes over that port is actually MySQL traffic. You need to inspect at the application layer for that. An NGFW can do that, and can also protect against SQL-related attacks and the like. So the "production" environment is represented as in the picture below, where I am just highlighting the change from the demo of the first post:



You can check this video to see how we added that L2 Firewall using the ACI vCenter Plugin to insert an existing Service Graph Template.


So now let's imagine that Acme Co. wants to give its developers an environment in which to make changes to the application. As a reminder, our Joomla-based Application Profile looks like this:


One of the advantages of SDN is that we can create and delete network configurations programmatically, just as we create Virtual Machines. So we can build the development and testing environments on demand and destroy them when they are no longer required. With ACI, this does not require anyone to go box by box configuring network constructs. Instead, a program or script talks to the APIC REST API and creates, modifies or deletes complex network configurations, regardless of the physical topology. You can also snapshot existing configurations … like you can snapshot a VM (… a promise long made by other SDN vendors, and long overdue …
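To make the "talk to the APIC API" step concrete, here is an added example (not code from the original post or from Cisco) that builds a throw-away dev copy of the Web/DB application as a single JSON object tree, pushes it to the APIC with a POST to /api/mo/uni.json, and later tears it down by re-posting the same objects with status="deleted". It assumes the APIC object classes as I know them from the documented model (fvTenant, fvAp, fvAEPg with isAttrBasedEPg plus fvCrtrn/fvVmAttr for a VM-name based micro EPG, vzFilter/vzEntry/vzBrCP for the TCP/3306 contract). The tenant, bridge domain, VMM domain and VM-name prefix, the APIC URL and the credentials are placeholders, not values from the post; the dev EPGs are scoped to a separate Application Profile so that tearing it down cannot touch production.

```python
"""Build, push and tear down an on-demand dev environment on a Cisco APIC.

Added example; not the post's own code. Assumes the APIC JSON object model
(fvTenant > fvAp > fvAEPg, vzFilter/vzBrCP, uSeg EPG via fvCrtrn/fvVmAttr).
All names, URLs and credentials below are placeholders.
"""
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar


def mo(cls, attrs, children=()):
    """Wrap one managed object in the {class: {attributes, children}} shape APIC expects."""
    node = {"attributes": dict(attrs)}
    if children:
        node["children"] = list(children)
    return {cls: node}


def mysql_contract(name):
    """White-list contract: only TCP/3306 from the consumer (Web) to the provider (DB)."""
    filt = mo("vzFilter", {"name": f"{name}-filter"}, [
        mo("vzEntry", {"name": "mysql", "etherT": "ip", "prot": "tcp",
                       "dFromPort": "3306", "dToPort": "3306"}),
    ])
    contract = mo("vzBrCP", {"name": name, "scope": "application-profile"}, [
        mo("vzSubj", {"name": "mysql"}, [
            mo("vzRsSubjFiltAtt", {"tnVzFilterName": f"{name}-filter"}),
        ]),
    ])
    return filt, contract


def useg_epg(name, bd, vmm_dom, vm_name_substring, provides=(), consumes=()):
    """Micro EPG that pulls in every VM whose name contains vm_name_substring,
    regardless of subnet or port group (fvCrtrn/fvVmAttr is the uSeg criterion)."""
    children = [
        mo("fvRsBd", {"tnFvBDName": bd}),
        mo("fvRsDomAtt", {"tDn": f"uni/vmmp-VMware/dom-{vmm_dom}"}),
        mo("fvCrtrn", {"name": "default"}, [
            mo("fvVmAttr", {"name": "by-name", "type": "vm-name",
                            "operator": "contains", "value": vm_name_substring}),
        ]),
    ]
    children += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provides]
    children += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumes]
    return mo("fvAEPg", {"name": name, "isAttrBasedEPg": "yes"}, children)


def build_dev_env(tenant, ap, bd, vmm_dom, prefix="dev-"):
    """Tenant-rooted tree: filter + contract + an AP holding the dev Web and DB micro EPGs."""
    contract_name = f"{prefix}web-to-db"
    filt, contract = mysql_contract(contract_name)
    app = mo("fvAp", {"name": ap}, [
        useg_epg(f"{prefix}web", bd, vmm_dom, f"{prefix}web", consumes=[contract_name]),
        useg_epg(f"{prefix}db", bd, vmm_dom, f"{prefix}db", provides=[contract_name]),
    ])
    return mo("fvTenant", {"name": tenant}, [filt, contract, app])


def teardown_dev_env(tenant, ap, prefix="dev-"):
    """Same objects re-posted with status=deleted; the tenant itself is left untouched."""
    contract_name = f"{prefix}web-to-db"
    return mo("fvTenant", {"name": tenant}, [
        mo("fvAp", {"name": ap, "status": "deleted"}),
        mo("vzBrCP", {"name": contract_name, "status": "deleted"}),
        mo("vzFilter", {"name": f"{contract_name}-filter", "status": "deleted"}),
    ])


def apic_login(base_url, user, pwd, verify_tls=True):
    """Authenticate with /api/aaaLogin.json; the APIC-cookie is kept in the returned opener."""
    ctx = None if verify_tls else ssl._create_unverified_context()  # lab use only
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()),
        urllib.request.HTTPSHandler(context=ctx))
    body = json.dumps(mo("aaaUser", {"name": user, "pwd": pwd})).encode()
    req = urllib.request.Request(f"{base_url}/api/aaaLogin.json", data=body, method="POST")
    with opener.open(req) as resp:
        if resp.status != 200:
            raise RuntimeError(f"APIC login failed: HTTP {resp.status}")
    return opener


def post_config(opener, base_url, payload):
    """POST a tenant-rooted tree to the policy universe; APIC merges it into the running config."""
    req = urllib.request.Request(f"{base_url}/api/mo/uni.json",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with opener.open(req) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Dry run: print what would be sent. To push for real (placeholders):
    #   opener = apic_login("https://apic.example.net", "admin", "secret")
    #   post_config(opener, "https://apic.example.net", build_dev_env(...))
    #   ... develop, test ...
    #   post_config(opener, "https://apic.example.net", teardown_dev_env("Acme", "Joomla-dev"))
    print(json.dumps(build_dev_env("Acme", "Joomla-dev", "Acme-BD", "vDS-ACI"), indent=2))
```

Because the whole environment is one declarative tree, the script is idempotent (re-posting it merges, it does not duplicate), and teardown is the same tree with status="deleted" on the dev AP, contract and filter only. Keep production and dev in different Application Profiles, as here, and scope the contract to application-profile so a dev Web VM can never consume the production DB contract by accident.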
